The data protection conference has decided on a concept for the assessment of GDPR fines in proceedings against companies, which specifies the abstract catalog of criteria from Art. 83 GDPR. The aim is to obtain a transparent and case-by-case form of fine assessment. The concept is intended to serve as a national guideline for the calculation of fines until the European Data Protection Board issues Union-wide harmonized guidelines.
The concept has been around since September 2019, but for many companies the question still arises as to how a possible fine is calculated. We explain the calculation of the GDPR fine in detail in the following blog article.
The easiest way to get an overview is with our GDPR fine calculator. You can find it here.
The calculation basis shown in the video/blog is as of 2019/2020 and therefore outdated. As of May 2022:
New guidelines for calculating data protection fines are currently being developed at the European level. Here are the guidelines published in 05/22:
It is important to note that a “pre-calculation” of the fine amount according to the system presented in the video/article is probably not possible. Rather, according to the European Data Protection Board (EDSA in German), it depends decisively on all the specifics of the individual case.
The German model for calculating fines has already been challenged in court in the past (1&1 judgment) and has now finally failed.
General conditions for the imposition of fines
The general conditions for the imposition of fines are regulated in Art. 83 GDPR. Each supervisory authority should therefore ensure that the imposition of fines is effective, proportionate and dissuasive in each individual case. In addition, when deciding on the imposition of a fine and its amount, the following points in particular should be given due consideration:
- the type, severity and duration of the violation
- the willfulness or negligence of the violation
- the measures taken to reduce damage
- the categories of personal data concerned
- the way in which the violation became known.
New concept of the data protection conference for setting fines
The calculation of the fine according to the new concept of the data protection conference is based on the following formula:
Fine = basic economic value x multipliers.
How can you determine the individual components of the formula and thus the fine? We explain it to you in 5 steps:
1. Classification of the company in a size class
The first step is to classify the company in a size class on the basis of the total worldwide sales of the previous year. A distinction must be made between micro-enterprises (annual sales up to € 2 million), small and medium-sized enterprises (annual sales between € 2 and 50 million) and large companies (annual sales over € 50 million).
2. Determination of the company’s mean annual turnover
In the next step, the company’s mean annual turnover is determined using the following table. This is based on the specifications of the data protection conference. The mean value of the sales range of the respective group of companies always applies. In our GDPR fine calculator you will find out which category your company belongs to immediately after entering your annual turnover.
| Sub-group | | ≤ € 2 million | ≤ € 10 million | ≤ € 50 million | > € 50 million |
|---|---|---|---|---|---|
| I | Annual turnover | ≤ € 700,000 | ≤ € 5 million | ≤ € 12.5 million | ≤ € 75 million |
| | Mean annual turnover | € 350,000 | € 3.5 million | € 11.25 million | € 62.5 million |
| II | Annual turnover | ≤ € 1.4 million | ≤ € 7.5 million | ≤ € 15 million | ≤ € 100 million |
| | Mean annual turnover | € 1,050,000 | € 6.25 million | € 13.75 million | € 87.5 million |
| III | Annual turnover | ≤ € 2 million | ≤ € 10 million | ≤ € 20 million | ≤ € 200 million |
| | Mean annual turnover | € 1.7 million | € 8.75 million | € 17.5 million | € 150 million |
| IV | Annual turnover | | | ≤ € 25 million | ≤ € 300 million |
| | Mean annual turnover | | | € 22.5 million | € 250 million |
| V | Annual turnover | | | ≤ € 30 million | ≤ € 400 million |
| | Mean annual turnover | | | € 27.5 million | € 350 million |
| VI | Annual turnover | | | ≤ € 40 million | ≤ € 500 million |
| | Mean annual turnover | | | € 35 million | € 450 million |
| VII | Annual turnover | | | ≤ € 50 million | > € 500 million |
| | Mean annual turnover | | | € 45 million | Actual annual turnover |
3. Determination of the basic economic value
After assigning the company’s average annual turnover, the basic economic value is determined using the following formula:
Basic economic value = mean annual turnover ÷ 360 (days)
4. Multiplication of the basic economic value according to the degree of severity (circumstances related to the offense)
Next, the basic economic value is multiplied by a factor which, depending on the severity of the violation, can be between 1 and 12.
| Severity | Factor for formal violations according to Art. 83 Para. 4 GDPR | Factor for material violations according to Art. 83 Para. 5, 6 GDPR |
|---|---|---|
| Minor | 1 to 2 | 1 to 4 |
| Medium | 2 to 4 | 4 to 8 |
| Severe | 4 to 6 | 8 to 12 |
| Turnover above € 500 million | 2% | 4% |
From an annual turnover of over 500 million euros, a flat rate of 2% for formal violations according to Art. 83 Para. 4 GDPR and 4% for material violations according to Art. 83 Para. 5 and 6 GDPR is applied, so that the calculation is based on the actual turnover of the respective company.
Not sure which category your violation falls into? Read directly in the GDPR.
5. Adjustment of the basic economic value (perpetrator-related circumstances)
Finally, circumstances that have not yet been taken into account, which speak for and against the company concerned (e.g. negligence, intent, cooperation of the company), are assessed at the discretion of the supervisory authority.
In summary, calculating the fine according to the concept of the data protection conference appears to be quite simple at first glance. Determining the individual components is the actual effort. In addition, because of the adjustment made by the respective supervisory authority, the amounts cannot be determined definitively, which is why online GDPR fine calculators can only output an approximate amount.
Would you like to find out more about GDPR fines or are you looking for an online GDPR fines calculator?
Also read our other blog articles on the subject of fines! You can find these in the overview for the keyword GDPR fine.
As mentioned above, you will also find an online GDPR fine calculator on our website, which you can use to calculate the range of fines that may apply to your company.
Is your company at risk of being fined or have you even had to pay a GDPR fine?
As an external data protection officer or as a project-based data protection consultant, we will be happy to help you make your company GDPR-compliant.
We are at your disposal for all topics relating to data protection and information security. Feel free to contact us using our contact form or by phone at +49 (0) 8505 – 91927-0.
Nadja-Maria Becke heads our in-house legal team. She studied law at the University of Passau, followed by a legal clerkship as well as the first and second state examinations. Her specialty is data protection law. She keeps her in-depth knowledge up to date at all times. For our customers and our team, she therefore always has advice ready for a tailor-made solution.