On 14 October 2019, the Conference of the Independent Data Protection Supervisory Authorities of the Federal Government and the Länder (DSK) published a concept for setting fines in proceedings against companies. Website operators now have a much clearer picture of the fines they can expect in the event of data protection violations.
Basic information on the DSK's fine concept
It is widely known that infringements of the GDPR can be punished with fines of up to ten million euros or two percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. For more serious infringements these ceilings are doubled. Until now, however, it has been unclear how high a fine would actually be in a specific individual case. The DSK's concept changes this and gives the German data protection supervisory authorities a uniform and concrete basis for calculation. The concept is also clearly intended to have a general preventive effect on companies and to make it plain that high fines are to be expected if the requirements of the GDPR are not complied with.
As the concept is only a model and not a law, it applies solely to fine proceedings against companies conducted by the German data protection supervisory authorities. It has no binding effect on the setting of fines by the courts.
In addition, the DSK can withdraw, change or extend the concept at any time. It is moreover only an interim solution until the European Data Protection Board (EDPB) adopts its guidelines on the methodology for setting fines. How the practice of setting fines develops therefore remains to be seen.
How is the fine calculated?
The DSK's concept provides for a five-step procedure for calculating the specific fine:
Step 1: The company is allocated to one of four size classes (A to D) on the basis of its total worldwide turnover in the previous year. For a more precise classification, each size class is divided into three subgroups (A.I to A.III, B.I to B.III, etc.).
Classification according to annual turnover:
Group A: up to EUR 2 million
Group B: over EUR 2 million up to EUR 10 million
Group C: over EUR 10 million up to EUR 50 million
Group D: over EUR 50 million
Step 2: The average annual turnover of the subgroup into which the company has been placed is determined.
Step 3: The basic economic value is determined. This is the basis for the further calculation of the fine and corresponds to the average annual turnover of the subgroup in which the company was placed, divided by 360 (days) and rounded to a whole number of euros.
Step 4: A multiplier is derived from the severity of the data protection violation. For this purpose, the severity of the violation is classified as minor, medium, severe or very severe on the basis of the concrete factual circumstances of the individual case.
The catalogue of criteria describing these circumstances is found in Art. 83(2) GDPR. It includes, for example, the nature and duration of the violation, the number of persons affected, the extent of the damage, the degree of cooperation with the supervisory authority, and whether direct financial benefits were obtained as a result of the violation.
A distinction is also made between "formal" infringements (Art. 83(4) GDPR) and "material" infringements (Art. 83(5) and (6) GDPR). Depending on the type and seriousness of the data protection breach, the factor for formal breaches lies between 1 and 6 and for material breaches between 1 and 12; for very severe breaches the factor may be higher still in either case.
Step 5: The resulting value is finally adjusted on the basis of all other circumstances that speak for or against the party concerned. These include in particular circumstances relating to the perpetrator and other circumstances, such as an unusually long duration of the proceedings or the threat of insolvency of the company.
GDPR fine: a calculation example
In practice, the five-step procedure described above is not as complicated as it sounds at first. Here is a concrete example:
Let us assume that a self-employed person had a turnover of EUR 80,000 in the previous year. This places him in the lowest subgroup, A.I (annual turnover from EUR 0 to 700,000; step 1). The average annual turnover of that subgroup is EUR 350,000 (step 2), and the basic economic value is therefore EUR 350,000 / 360 = EUR 972 (step 3).
Let us further assume that the violation consists of an incorrect privacy notice on the self-employed person's website. This is a material infringement under Art. 83(5)(b) GDPR. Since the severity of the breach is classified as "minor", the supervisory authority may set the factor at "only" 2 (step 4); in the authority's view no further adjustment is warranted (step 5).
The fine would thus amount to EUR 972 x 2 = EUR 1,944.
The DSK's fine concept makes it clear that even relatively minor data protection violations will result in appreciable fines. All companies should therefore check as soon as possible, or have it checked, whether they comply with all data protection requirements, such as a correctly implemented cookie banner. Data protection authorities rarely act at random; they mainly act when data protection breaches are reported to them. In practice, such reports often come from dissatisfied customers or from competitors who want to harm a rival in this way.