GDPR fine calculator – fine calculation for GDPR violations

von Nadja-Maria Becke

The data protection conference has decided on a concept for the assessment of the GDPR fine in proceedings against companies, which specifies the abstract catalog of criteria from Art. 83 GDPR. The aim is to obtain a transparent and case-by-case form of fine assessment. The concept is intended to serve as a national guideline for the calculation of fines until the European Data Protection Committee issues Union-wide harmonized guidelines.

The concept has been around since September 2019, but for many companies the question still arises as to how a possible fine is calculated. We explain the calculation of the GDPR fine in detail in the following blog article.

The easiest way to get an overview is with our GDPR fine calculator. You can find it here.

General conditions for the imposition of fines

The general conditions for the imposition of fines are regulated in Art. 83 GDPR. Each supervisory authority should therefore ensure that the imposition of fines is effective, proportionate and dissuasive in each individual case. In addition, when deciding on the imposition of a fine and its amount, the following points in particular should be given due consideration:

  • the type, severity and duration of the violation
  • the willfulness or negligence of the violation
  • the measures taken to reduce damage
  • the categories of personal data concerned
  • the way how the violation became known.

New concept for setting fines for the data protection conference

The calculation of the fine according to the new concept of the data protection conference is based on the following formula:

Fine = basic economic value x multipliers.

How can you determine the individual components of the formula and thus the fine? We explain it to you in 5 steps:

1. Classification of the company in a size class

The first step is to classify the company in a size class on the basis of the total worldwide sales of the previous year. A distinction must be made between micro-enterprises (annual sales up to € 2 million), small and medium-sized enterprises (annual sales between € 2 and 50 million) and large companies (annual sales over € 50 million).

2. Determination of the company’s mean annual turnover

In the next step, the company’s mean annual turnover is determined using the following table. This is based on the specifications of the data protection conference. The mean value of the sales range of the respective group of companies always applies. In our GDPR fine calculator you will find out which category your company belongs to immediately after entering your annual turnover.

 

Unterkategorie  

A

Kleinstunternehmen

≤ 2 Mio. €

 

B

Kleine

Unternehmen

≤ 10 Mio. €

C

Mittlere Unternehmen

≤ 50 Mio. €

D

Groß-unternehmen

> 50 Mio. €

I Jahresumsatz ≤ 700.000 € ≤ 5 Mio. € ≤ 12,5 Mio. € ≤ 75 Mio. €
Mittlerer Jahresumsatz 350.000 € 3,5 Mio. € 11,25 Mio. € 62,5 Mio. €
II Jahresumsatz ≤1,4 Mio. € ≤ 7,5 Mio. € ≤ 15 Mio. € ≤ 100 Mio. €
Mittlerer Jahresumsatz 1.050.000 € 6,25 Mio. € 13,75 Mio. € 87,5 Mio. €
III Jahresumsatz ≤ 2 Mio. € ≤ 10 Mio. € ≤ 20 Mio. € ≤ 200 Mio. €
Mittlerer Jahresumsatz 1,7 Mio. € 8,75 Mio. € 17,5 Mio. € 150 Mio. €
IV Jahresumsatz     ≤ 25 Mio. € ≤ 300 Mio. €
Mittlerer Jahresumsatz     22,5 Mio. € 250 Mio. €
V Jahresumsatz     ≤ 30 Mio. € ≤ 400 Mio. €
Mittlerer Jahresumsatz     27,5 Mio. € 350 Mio. €
VI Jahresumsatz     ≤ 40 Mio. € ≤ 500 Mio. €
Mittlerer Jahresumsatz     35 Mio. € 450 Mio. €
VII Jahresumsatz     ≤ 50 Mio. € > 500 Mio. €
Mittlerer Jahresumsatz     45 Mio. € Konkreter Jahresumsatz

 

 

 

3. Determination of the basic economic value

After assigning the company’s average annual turnover, the basic economic value is determined using the following formula:

Economic base value = mean annual turnover: 360 (days)

4. Multiplication of the basic economic value according to the degree of severity (circumstances related to the offense)

Finally, the basic economic value is multiplied by a factor which, depending on the severity of the violation, can be between 1-12.

SCHWEREGRAD FAKTOR FÜR FORMELLE VERSTÖSSE GEMÄSS ART. 83 ABS. 4 DSG FAKTOR FÜR MATERIELLE VERSTÖSSE GEMÄSS ART. 83 ABS. 5, 6 DSG
Leicht 1 bis 2 1 bis 4
Mittel 2 bis 4 4 bis 8
Schwer 4 bis 6 8 bis 12
Sehr Schwer 6  
Umsatz über 500 Mio 2 % 4 %

From an annual turnover of over 500 million euros, a flat rate of 2% for formal violations according to Art. 83 Para. 4 GDPR and 4% for material violations according to Art. 83 Para. 5 and 6 GDPR are applied, so that a calculation is based on the respective company of the actual turnover.

Not sure which category your violation falls into? Read directly in the GDPR.

5. Adjustment of the basic economic value (perpetrator-related circumstances)

Finally, circumstances that have not yet been taken into account, which speak for and against the company concerned (e.g. negligence, intent, cooperation of the company), are assessed at the discretion of the supervisory authority.

In summary, it can be said that calculating the fine according to the concept of the data protection conference appears to be quite simple at first glance. Determining the individual components is the actual effort. In addition, the amounts cannot be finally determined by the adjustment of the respective supervisory authority, which is why online GDPR fine calculators can only output an approximate amount.

Would you like to find out more about GDPR fines or are you looking for an online GDPR fines calculator?

Also read our other blog articles on the subject of fines! You can find these in the overview for the keyword GDPR fine.

As mentioned above, you will also find an online GDPR fine calculator on our website, which you can use to calculate the range of fines that may apply to your company.

Is your company at risk of being fined or have you even had to pay a GDPR fine?

As an external data protection officer or as a project-based data protection consultant, we will be happy to help you make your company GDPR-compliant.

We are at your disposal for all topics relating to data protection and information security. Feel free to contact us using our contact form or by phone at +49 (0) 8505 – 91927-0.

assets/images/e/Nadja-Maria-Becke-1-e4dcbac5.jpg
Nadja-Maria Becke

Nadja-Maria Becke leitet unser Inhouse-Juristen-Team. Sie studierte an der Universität Passau Rechtswissenschaften mit anschließendem Referendariat sowie erstem und zweitem Staatsexamen. Ihr Spezialgebiet ist Datenschutzrecht. Ihr fundiertes Wissen hält sie jederzeit aktuell. Für unsere Kunden und unser Team hat sie so immer einen Rat für eine passgenaue Lösung parat.