Update, September 19, 2019: Further to the reports on its scheme for calculating fines, which prompted requests to the supervisory authorities to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complementary basis. Furthermore, the model has not yet been finally approved. It is still only a draft, which has been shared with other European supervisory authorities in the framework of the harmonization procedure required by Art. 70 (1) lit k) GDPR, but which will need to be further developed. The DSK will discuss the model again at its next meeting on November 3 and 4, 2019, and will then also decide whether to publish it.

*                                 *                             *

In June, the conference of the German Data Protection Authorities (Datenschutzkonferenz) approved a concept for the calculation of GDPR fines by a majority of 16, with only one abstention (Minutes of the meeting, cf. TOP 16 – in German). According to the Minutes, the concept was also presented at a meeting of the European Data Protection Board and was regarded by its members as more transparent than others (apparently, the CNIL’s). The German concept was not published, but it was reportedly already applied by a number of DPAs. The press has now obtained information about how the calculation works:

In a first step, the fine is calculated in daily rates derived from the worldwide company turnover of the previous year. The daily rate is multiplied by a factor which depends on the seriousness of the breach and is determined by the application of a scoring system. The sum is then reduced or increased depending on the degree of fault and on whether there have been any previous breaches. Three or more previous breaches can lead to a surcharge of 300 per cent. Mitigating factors will also be taken into account, e.g. a swift response to a breach to protect the affected data subjects, and a company’s willingness to cooperate with the Data Protection Authority.

Moritz Hüsch

Moritz Hüsch is a partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group as well as the Artificial Intelligence (AI) and Internet of Things (IoT) Practice Groups. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.

Moritz regularly advises on issues and contracts with respect to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz’s practice is on advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.

Moritz is regularly listed as one of the best lawyers in the areas of IT and data protection, among others by Best Lawyers in cooperation with Handelsblatt, Wirtschaftswoche and Legal 500.