Update, September 19, 2019: Further to the reports on its scheme for calculating fines, which prompted requests on the supervisory to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complimentary basis. Furthermore, the model has not yet been finally approved. It is still only a draft, which has been shared with other European supervisory authorities in the framework of the harmonization procedure required by Art. 70 (1) lit k) GDPR, but which will need to be further developed. The DSK will discuss the model again at its next meeting on November 3 and 4, 2019, and will then also decide whether to publish it.
* * *
In June, the conference of the German Data Protection Authorities (Datenschutzkonferenz) approved a concept for the calculation of GDPR fines by a majority of 16, with only one abstention (Minutes of the meeting, cf. TOP 16 – in German). According to the Minutes, the concept was also presented at a meeting of the European Data Protection Board and was regarded as more transparent than others (apparently, the CNIL’s) by its members. The German concept was not published, but it was reportedly already applied by a number of DPAs. Now, the press obtained information about the scheme of the calculation:
In a first step, the fine is calculated in daily rates derived from the worldwide company turnover of the previous year. The daily rate is multiplied by a factor which depends on the seriousness of the breach and is determined by the application of a scoring system. The sum is then reduced or increased depending on the degree of fault and on whether there have been any previous breaches. Three or more previous breaches can lead to a surcharge of 300 per cent. Mitigating factors will also be taken into account, e.g. a swift response to a breach to protect the affected data subjects, and a company’s willingness to cooperate with the Data Protection Authority.