By adopting the Guidelines on the Calculation of Administrative Fines under the GDPR, the EDPB aims to harmonize the criteria for calculating sanctions, which are often left to the discretion of DPAs.
For this purpose, the EDPB has outlined the following five criteria aimed at supporting the National Authorities in the definition of the sanction to be imposed for violations of privacy regulations.
Identification of unlawful processing and assessment of conduct
Given that the GDPR only regulates the legal maximums of sanctions, the first step outlined by the EDPB requires the authorities to identify processing activities and assess the applicability of Article 83 (3) GDPR. The DPAs must determine whether the case in question involves one or more instances of sanctionable conduct and whether these have led to one or more violations.
Assessment of the violation and computation of the penalty based on the company’s turnover
The second step requires the Authorities to assess:
- the nature, seriousness and duration of the breach;
- the subjective element of the conduct (malicious intent or negligence);
- the kind and amount of data violated.
It follows that:
- in the event that the level of seriousness of the conduct is considered low, the sanction will range between 0-10% of the applicable edictal limit;
- in the case of medium seriousness, the sanction will range between 10-20% of the legal maximum;
- in case of high seriousness, the sanction will be calculated between 20-100% of the applicable legal maximum.
Increase or decrease of the administrative penalty on the basis of aggravating or mitigating circumstances
The third criterion requires DPAs to consider the following circumstances in the calculation of the sanction that might apply to the concrete case:
- measures adopted (especially prior to the Authority’s intervention) by the Data Controller or the Data Processor to mitigate the damage suffered by the data subjects;
- degree of accountability of the Data Controller or the Data Processor based on the technical and organisational measures adopted pursuant to Articles 25 and 32 GDPR;
- any previous unlawful action committed by the Data Controller or the Data Processor, assessing the period elapsed between breaches and the scope of application (e.g. local or international);
- the way in which the Authority became aware of the breach (in particular, whether the Data Controller or the Data Processor made the notification);
- degree of cooperation with the Authority to remedy the breach and reduce its negative effects;
- compliance with the provisions of the Authority in case of adoption of previous sanctioning measures pursuant to Article 58(2) GDPR;
- adherence to codes of conduct or certification mechanisms;
- additional aggravating or mitigating factors applicable to the case (e.g. financial benefits achieved or losses avoided).
Identification of legal maximums for different violations
The fourth step is to determine the legal limits for fines and ensure that these amounts are not exceeded.
Considering that the static cap ranges between 10 and 20 million € and the dynamic cap is 2-4% of annual worldwide turnover, there is in fact a great deal of vagueness and discretion in the authorities’ calculation of the fine. It should also be noted that in the case of corporate groups, the so-called Akzo presumption is applied to calculate the legal maximum.
Akzo presumption: unless proven otherwise, it will be presumed that the parent company directly or indirectly controls or is able to exercise decisive influence over the subsidiary’s conduct.
Assessment of the amount
The fifth criterion provides that, to “tailor” the sanction to the concrete case, the Authority assesses whether the calculated amount meets the requirements of effectiveness, deterrence and proportionality of the sanction.
Although these Guidelines are intended to be applied among the various National Authorities – so that they act in a transparent manner in determining administrative fines and according to a harmonised approach – it is believed that they are useful for Controllers and Processors to prevent sanctioning risks and to understand which methodology will be adopted by the competent Authority.
La tua opinione è importante per noi!