GDPR fine calculator – fine calculation for GDPR violations

The concept has been around since September 2019, but for many companies the question still arises as to how a possible fine is calculated. We explain the calculation of the GDPR fine in detail in the following blog article.

The easiest way to get an overview is with our GDPR fine calculator. You can find it here.

The general conditions for the imposition of fines are regulated in Art. 83 GDPR. Each supervisory authority should therefore ensure that the imposition of fines is effective, proportionate and dissuasive in each individual case. In addition, when deciding on the imposition of a fine and its amount, the following points in particular should be given due consideration:

• the type, severity and duration of the violation
• the willfulness or negligence of the violation
• the measures taken to reduce damage
• the categories of personal data concerned
• the way how the violation became known.

The calculation of the fine according to the new concept of the data protection conference is based on the following formula:

Fine = basic economic value x multipliers.

1. Classification of the company in a size class

The first step is to classify the company in a size class on the basis of the total worldwide sales of the previous year. A distinction must be made between micro-enterprises (annual sales up to € 2 million), small and medium-sized enterprises (annual sales between € 2 and 50 million) and large companies (annual sales over € 50 million).

2. Determination of the company’s mean annual turnover

In the next step, the company’s mean annual turnover is determined using the following table. This is based on the specifications of the data protection conference. The mean value of the sales range of the respective group of companies always applies. In our GDPR fine calculator you will find out which category your company belongs to immediately after entering your annual turnover.

 

Unterkategorie		A Kleinstunternehmen ≤ 2 Mio. €	B Kleine Unternehmen ≤ 10 Mio. €	C Mittlere Unternehmen ≤ 50 Mio. €	D Groß-unternehmen > 50 Mio. €
I	Jahresumsatz	≤ 700.000 €	≤ 5 Mio. €	≤ 12,5 Mio. €	≤ 75 Mio. €
	Mittlerer Jahresumsatz	350.000 €	3,5 Mio. €	11,25 Mio. €	62,5 Mio. €
II	Jahresumsatz	≤1,4 Mio. €	≤ 7,5 Mio. €	≤ 15 Mio. €	≤ 100 Mio. €
	Mittlerer Jahresumsatz	1.050.000 €	6,25 Mio. €	13,75 Mio. €	87,5 Mio. €
III	Jahresumsatz	≤ 2 Mio. €	≤ 10 Mio. €	≤ 20 Mio. €	≤ 200 Mio. €
	Mittlerer Jahresumsatz	1,7 Mio. €	8,75 Mio. €	17,5 Mio. €	150 Mio. €
IV	Jahresumsatz			≤ 25 Mio. €	≤ 300 Mio. €
	Mittlerer Jahresumsatz			22,5 Mio. €	250 Mio. €
V	Jahresumsatz			≤ 30 Mio. €	≤ 400 Mio. €
	Mittlerer Jahresumsatz			27,5 Mio. €	350 Mio. €
VI	Jahresumsatz			≤ 40 Mio. €	≤ 500 Mio. €
	Mittlerer Jahresumsatz			35 Mio. €	450 Mio. €
VII	Jahresumsatz			≤ 50 Mio. €	> 500 Mio. €
	Mittlerer Jahresumsatz			45 Mio. €	Konkreter Jahresumsatz

 

 

 

3. Determination of the basic economic value

After assigning the company’s average annual turnover, the basic economic value is determined using the following formula:

Economic base value = mean annual turnover: 360 (days)

4. Multiplication of the basic economic value according to the degree of severity (circumstances related to the offense)

Finally, the basic economic value is multiplied by a factor which, depending on the severity of the violation, can be between 1-12.

SCHWEREGRAD	FAKTOR FÜR FORMELLE VERSTÖSSE GEMÄSS ART. 83 ABS. 4 DSG	FAKTOR FÜR MATERIELLE VERSTÖSSE GEMÄSS ART. 83 ABS. 5, 6 DSG
Leicht	1 bis 2	1 bis 4
Mittel	2 bis 4	4 bis 8
Schwer	4 bis 6	8 bis 12
Sehr Schwer	6
Umsatz über 500 Mio	2 %	4 %

From an annual turnover of over 500 million euros, a flat rate of 2% for formal violations according to Art. 83 Para. 4 GDPR and 4% for material violations according to Art. 83 Para. 5 and 6 GDPR are applied, so that a calculation is based on the respective company of the actual turnover.

Not sure which category your violation falls into? Read directly in the GDPR.

5. Adjustment of the basic economic value (perpetrator-related circumstances)

Finally, circumstances that have not yet been taken into account, which speak for and against the company concerned (e.g. negligence, intent, cooperation of the company), are assessed at the discretion of the supervisory authority.

In summary, it can be said that calculating the fine according to the concept of the data protection conference appears to be quite simple at first glance. Determining the individual components is the actual effort. In addition, the amounts cannot be finally determined by the adjustment of the respective supervisory authority, which is why online GDPR fine calculators can only output an approximate amount.

Also read our other blog articles on the subject of fines! You can find these in the overview for the keyword GDPR fine.

As mentioned above, you will also find an online GDPR fine calculator on our website, which you can use to calculate the range of fines that may apply to your company.

As an external data protection officer or as a project-based data protection consultant, we will be happy to help you make your company GDPR-compliant.

We are at your disposal for all topics relating to data protection and information security. Feel free to contact us using our contact form or by phone at +49 (0) 8505 – 91927-0.