
Data Protection Law: New General Data Protection Regulation (GDPR) Fine Model

On October 14, 2019, the German data protection authorities published their concept for calculating fines imposed on companies for breaches of the General Data Protection Regulation (GDPR).

Background

In the past, the various state data protection authorities imposed fines inconsistently, and their calculation models were not published. While the amount of a fine used to depend largely on the domicile of the company concerned, the new procedure is intended to guarantee a comprehensible, transparent and case-by-case method of setting fines and thus provide greater legal certainty for those affected.

Functionality

According to the new model, the fine is calculated in five steps:

  • First, the company in question is assigned to one of four size categories on the basis of its total worldwide sales in the previous year. The size classes are micro-enterprises, small enterprises, medium-sized enterprises and large enterprises.
  • The average annual turnover of the subgroup in which the company concerned is classified is then determined.
  • The calculated value is divided by 360 (days), resulting in a daily fine rate.
  • Then the seriousness of the infringement is classified as "light", "medium", "serious" or "very serious". Depending on the severity, the infringement to be sanctioned is assigned a factor between 1 and 12 (in individual cases even higher), by which the previously determined daily rate is multiplied.
  • Finally, as part of an overall assessment, the previously calculated amount is adjusted on the basis of all the other factors in favor of or against the company concerned. Whether and how the company cooperates with the authorities will also be taken into account as a material factor.

The concept explicitly does not apply to associations or natural persons. Courts are not bound by it.

Notes

On this basis, fines for violations of the GDPR will be significantly higher in Germany than in the past. The new concept is designed to make full use of the possibilities offered by the GDPR. Fines in the two- or three-digit millions, such as those already imposed by British and French authorities, will also play a role in Germany in the future. In fact, the Berlin data protection authority has already announced that it will soon impose a fine.

It is true that the new approach makes it easier to identify and calculate the risks of fines. Nevertheless, uncertainties remain, in particular with regard to the determination of the seriousness of the infringement and in the context of the overall assessment, which will make it impossible to quantify the fine in euros in the future. In addition, the model does not address how several simultaneous infringements are to be handled. It is unclear whether this will result in a kind of combined overall penalty or in simply adding the individual fines together.

Against this background, it is now particularly important to monitor whether and to what extent the courts will follow the model of the data protection authorities when reviewing fines that have been imposed. In addition, companies must review their own setup, as it can no longer be assumed that penalties will be applied cautiously.
