Calculation basis for GDPR fine published

“A data protection breach can become an expensive matter for companies in the future.”

This conclusion follows clearly from the concept published by the German supervisory authorities, which sets out how they intend to assess GDPR fines for data protection violations in future.

Whether the violation is a data loss or some other breach of the GDPR: the fine is likely to be considerably higher in future than it has been so far. The concept is available under the following link:

Konzept der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder zur Bußgeldzumessung in Verfahren gegen Unternehmen vom 14. September 2019 (Concept of the independent data protection supervisory authorities of the Federation and the Länder for the assessment of fines in proceedings against undertakings, dated 14 September 2019)

How does the GDPR fine calculation work?

Simplified, the scheme works in three steps:
Base value: The company's annual turnover is assigned to a size class and a subgroup. A table maps each subgroup to a kind of daily rate, the "base value" (the mean annual turnover of the subgroup divided by 360).

Severity of the violation: The base value is then multiplied by a factor between 1 and 12, depending on the severity of the violation (light, medium, serious) and on whether it is a formal or a material violation. The criteria of Art. 83 (2) GDPR are taken into account here (nature and gravity of the violation, negligence or intent, previous violations, cooperation with the authority, etc.).

Correction: In the last step, the amount determined in this way is adjusted downwards or upwards to take account of circumstances not yet considered (offender-related circumstances under Art. 83 (2) GDPR and other circumstances such as the duration of the proceedings or impending insolvency).

Below are a few examples of base values (daily rates):

  • up to € 750,000 turnover: € 972.00
  • € 1 million turnover: € 2,917.00
  • € 5 million turnover: € 9,722.00
  • € 10 million turnover: € 24,306.00
  • € 100 million turnover: € 243,056.00

For companies with an annual turnover of more than € 500 million, the statutory maximum of 2% or 4% of annual turnover applies as the upper limit, so the calculation for these companies is based on their actual turnover rather than on a table value.

Video: GDPR fine explained simply

NEW: On our YouTube channel, we explain complex issues in a simple and understandable way. A video on the GDPR fine, including an explanation of the future calculation, is available there.

In the event of a medium breach of material data protection provisions (e.g. processing without a legal basis), the base value will likely be multiplied by a factor of 6. For an SME with a single-digit million turnover this quickly reaches around € 50,000 (at € 5 million turnover: € 9,722 × 6 ≈ € 58,000). For a freelancer with minimal turnover, the GDPR fine is still at least € 5,000 (€ 972 × 6 ≈ € 5,800).

Even for the smallest formal data protection breaches, such as a wrong or insufficient clause in a data processing agreement (Art. 28 GDPR), the factor is at least 1. For a larger company with, say, € 50 million annual turnover, that alone amounts to roughly € 100,000. One can then only hope for a downward correction in the last step of the assessment scheme.

The supervisory authorities always apply the functional concept of an "undertaking". What counts is not the legal entity but the entire "economic unit", i.e. a group consisting of several legally independent subsidiaries is usually one economic unit and thus one undertaking. The only requirement is that the parent company can exercise decisive influence over the subsidiary. According to the case law of the European Court of Justice, this is presumed if the parent company holds all or almost all of the shares in the subsidiary. A small subsidiary with a strong parent company abroad therefore faces very high fines, because the parent company's turnover is included when the base value is determined.

What should companies consider?

Inquiries and investigations by supervisory authorities must be handled with heightened attention and care. In individual cases, for example if the authority's action is based on complaints, requesting access to the authority's file beforehand is advisable. With a view to potentially rising GDPR fines, it may also be advisable to check the D&O and liability insurance cover of the company and of its service providers (e.g. processors). Existing data protection structures and processes should also be reviewed thoroughly to determine how far they are suited to avoiding or reducing fines: documented technical and organisational measures (Art. 25 and 32 GDPR), timely breach notification and cooperation with the authority are among the Art. 83 (2) GDPR criteria that influence the factor applied.


Do you have any questions on this subject? Please call us on 08505 919 27-0 or fill out our contact form. We are happy to help!
