On 14 October 2019, the Conference of the Independent Data Protection Authorities of the Federation and the Länder (DSK) published a concept for the assessment of fines in proceedings against companies. It is now finally clear what fines website operators can expect in the event of data protection violations.
Basic information on the fine concept of the DSK
It is generally known that violations of the GDPR can result in a fine of up to ten million euros or two percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. For more serious violations, the maximum is double that amount (twenty million euros or four percent). What was previously unclear, however, was how high a fine would be in a specific individual case. The DSK's concept changes this and gives the German data protection supervisory authorities a uniform and concrete basis for calculation. The concept is also clearly intended to have a general preventive effect on companies and to make clear that high fines are to be expected if the requirements of the GDPR are not met.
Since the concept is only a model and not a law, it applies only to fine proceedings against companies brought by German data protection supervisory authorities. It has no binding effect on the determination of fines by the courts.
Moreover, the DSK can revoke, amend or extend the concept at any time, and it is only an interim solution until the European Data Protection Board adopts its final Guidelines on the methodology for setting fines. How the practice of fines will develop therefore remains to be seen.
How is the fine calculated?
The DSK's concept provides for a five-step procedure for calculating the specific fine:
Step 1: The company is allocated to one of four size classes (A to D) on the basis of its total worldwide turnover in the previous year; each class is further subdivided into subgroups (A.I to A.III, B.I to B.III, etc.) for a more precise classification.
Classification according to annual turnover:
Group A: up to EUR 2 million
Group B: more than EUR 2 million up to EUR 10 million
Group C: more than EUR 10 million up to EUR 50 million
Group D: more than EUR 50 million
Step 2: The average annual turnover of the subgroup to which the company has been allocated is determined.
Step 3: The basic economic value is determined. It is the basis for all further steps and corresponds to the average annual turnover of the company's subgroup divided by 360 (days), rounded to a whole euro amount.
Step 4: A multiplier is derived from the severity of the breach, which is classified as light, medium, severe or very severe on the basis of the specific circumstances of the individual case.
The catalogue of criteria describing these circumstances is found in Art. 83(2) GDPR. It includes, for example, the nature and duration of the breach, the number of data subjects affected, the extent of the damage, the degree of cooperation with the supervisory authority and whether the breach yielded direct financial benefits.
In addition, a distinction is made between "formal" infringements (Art. 83(4) GDPR) and "material" infringements (Art. 83(5) and (6) GDPR). Depending on the type and severity of the breach, the factor for formal breaches lies between 1 and 6 and for material breaches between 1 and 12; for very severe breaches the factor may be higher still.
Step 5: Finally, the amount obtained in step 4 is adjusted on the basis of all other circumstances that speak for or against the company concerned, in particular circumstances relating to the offender and other circumstances such as an unusually long duration of the proceedings or the company's imminent insolvency.
GDPR fine - an example calculation
In the end, the five-step procedure is less complicated than it first sounds. A concrete example:
Suppose a self-employed person had a turnover of €80,000 in the previous year. This places him in the lowest subgroup, A.I (annual turnover from €0 to €700,000; step 1). The average annual turnover of that subgroup is therefore €350,000 (step 2), and the basic economic value is €350,000 / 360 = €972 after rounding to a whole euro (step 3).
Suppose further that the breach consists of a defective privacy notice (data protection declaration) on the self-employed person's website. That is a breach falling under Art. 83(5)(b) GDPR, i.e. a material infringement. As the severity is classified as "light", the supervisory authority may set the factor at "only" 2 (step 4), and in its view no adjustment is warranted (step 5).
The fine would thus amount to 2 × €972 = €1,944.
With the DSK's fine concept, it is now clear that even relatively minor data protection violations will result in noticeable fines. All companies should therefore check, or have checked, as soon as possible whether they properly meet all data protection requirements, such as a correct cookie banner. The data protection authorities do not act at random, but primarily when data protection violations are reported to them, and in practice those reports often come from dissatisfied customers or from competitors who want to harm the company in this way.