On October 14, 2019, the Conference of Independent Federal and State Data Protection Supervisory Authorities (DSK) published a concept for assessing fines in proceedings against companies. For the first time, website operators can estimate with some precision what fine to expect in the event of a data protection violation.
Basic information on the DSK's fine concept
It is generally known that violations of the GDPR can result in fines of up to ten million euros or two percent of the previous year's global annual turnover, whichever is higher. For more serious violations, both ceilings double to twenty million euros or four percent. However, it was previously unclear how high a fine would be in a specific individual case. The DSK's concept changes this and gives the German data protection supervisory authorities a uniform and concrete basis for calculation. The concept is also clearly intended to have a general preventive effect: it signals to companies that high fines are to be expected if the requirements of the GDPR are not met.
As the concept is merely a model and not a law, it only affects fine proceedings against companies initiated by German data protection supervisory authorities. It has no binding effect with regard to the determination of fines by courts.
In addition, the DSK can revoke, amend or extend the concept at any time. Furthermore, it is only a transitional solution until the European Data Protection Board adopts its final guidelines on the methodology for setting fines. It therefore remains to be seen how the practice of imposing fines will develop.
How is the fine calculated?
The DSK's concept provides for a five-stage procedure for calculating the specific fine:
Step 1:
The company is assigned to one of four size classes (A to D) on the basis of its total global turnover in the previous year. Each class is further divided into subgroups (A.I to A.III, B.I to B.III, etc.) for more precise classification.
Classification according to annual turnover:
Group A: up to EUR 2 million
Group B: EUR 2 to 10 million
Group C: EUR 10 to 50 million
Group D: over EUR 50 million
Step 2:
The average annual turnover of the subgroup in which the company was classified is determined.
Step 3:
The basic economic value is determined. This is the basis for all further steps of the calculation and corresponds to the average annual turnover of the subgroup in which the company was classified, divided by 360 (days) and rounded.
Step 4:
A multiplier is derived from the severity of the data protection breach. For this purpose, the severity is classified as minor, moderate, serious or very serious on the basis of the specific circumstances of the individual case.
The list of criteria describing these possible circumstances can be found in Art. 83 para. 2 GDPR. These include the type and duration of the breach, the number of data subjects affected, the extent of the damage, the manner of cooperation with the supervisory authority and also whether the breach has resulted in direct financial benefits.
A distinction is also made between "formal" (Art. 83 para. 4 GDPR) and "material" (Art. 83 paras. 5 and 6 GDPR) breaches. Depending on the type and severity of the data protection breach, the factor is between 1 and 6 for formal breaches and between 1 and 12 for material breaches; the factor can be even higher for very serious breaches.
Step 5:
The value obtained in step 4 is finally adjusted on the basis of all other circumstances that speak for or against the company concerned. These include, in particular, offender-related circumstances (such as previous infringements) as well as other circumstances, such as an unusually long duration of the proceedings or the company's imminent insolvency.
GDPR fine - a calculation example
In the end, the five-step process described is not as complicated as it initially sounds. Here is a concrete example:
Let's assume that a self-employed person had a turnover of €80,000 in the previous year. This person therefore falls into the lowest subgroup, A.I (annual turnover of €0 to €700,000; step 1). The average annual turnover of this subgroup is €350,000 (step 2), and the basic economic value is €350,000 / 360 ≈ €972.2, rounded to €972 (step 3).
Let us also assume that the privacy policy on the self-employed person's website is incorrect. This violates the information obligations of Arts. 12 to 14 GDPR and is therefore a material breach sanctioned under Art. 83 para. 5 lit. b) GDPR. Since the supervisory authority classifies the severity of the infringement as "minor", the factor may be "only" 2 (step 4), and in the authority's view no further adjustment is appropriate (step 5).
The fine would therefore amount to €972 × 2 = €1,944.
Conclusion
The DSK's concept for fines makes it clear that even relatively minor data protection violations will result in noticeable fines. All companies should therefore check as soon as possible, or have an expert check, whether they properly fulfill all data protection requirements, such as a correct cookie banner. The data protection authorities do not become active by chance, but above all when data protection violations are reported to them. In practice, these reports often come from dissatisfied customers or from competitors who want to cause the company some damage in this way.