New German model for the calculation of GDPR fines
A blueprint for Europe?
21 October 2019
The detailed German model leads to greater transparency but also higher fines, particularly for companies with a large turnover.
In recent months, European data protection authorities have made clear use of the high fines which are available to them under the General Data Protection Regulation (GDPR). Notices from the British data protection authority (ICO) to fine both British Airways (GBP 183.4 million or 1.5% of its global turnover) and Marriott (GBP 99.2 million), as well as a sanction imposed by the French data protection supervisory authority (CNIL) on Google (EUR 50 million) have all been widely reported in the news. German data protection supervisory authorities, in contrast, have shown remarkable restraint in this regard and are yet to impose a fine exceeding EUR 195,407.
One of the likely reasons for this was the fact that the individual German data protection supervisory authorities lacked a systematic, transparent and comprehensible approach to the calculation of fines. In comparison with the UK or France, where the ICO and the CNIL are the only competent supervisory bodies, Germany has 17 independent supervisory authorities - one for each state and the Federal Commissioner for Data Protection and Freedom of Information. In June 2019, however, the German data protection conference (Datenschutzkonferenz, "DSK"), a committee consisting of representatives of all German data protection authorities, agreed (behind closed doors) on a joint model for the calculation of fines under the GDPR in Germany which should provide for a transparent process. After testing the model in practice over the last few months, details of the new model have finally been published.
In the following article, we (A) set out the details of the model and then (B) analyse the model's advantages, disadvantages and consequences for German entities, as well as address its possible impact on the European approach to fines.
A. Details of the model
Scope of the new calculation model
The new calculation model is applicable for all German data protection supervisory authorities dealing with proceedings against companies that fall within the scope of the GDPR. The model applies neither to private associations nor to private persons outside their professional activities. Furthermore, it does not apply to cross-border cases.
A further noteworthy aspect is the fact that the model does not bind national courts and the German data protection supervisory authorities can consequently amend, expand or disapply the model at any time.
In addition, the model shall cease to apply upon the issuance of the European Data Protection Board's guidelines on administrative fines.
The turnover of a company is the basis of the calculation model. According to the DSK, turnover is a suitable and appropriate point of reference for the determination of a fine that ensures effectiveness, proportionality and deterrence.
Against this background, the amount of the individual fine is determined by way of a five-stage procedure:
- The company is assigned to a class based on its size, as well as a subgroup relative to the size class;
- The average annual turnover of the respective subgroup is determined;
- The annual turnover is divided by 360 in order to determine a daily rate as the basic value;
- The basic value is multiplied by a factor, the amount of which depends on the seriousness of the infringement; and then
- The amount is adjusted to reflect all circumstances of the individual case which have not yet been taken into account.
i. Assignment to a size class
The company subject to the fine procedure is assigned to one of four size classes (A to D) on the basis of its worldwide annual turnover in the previous year. Subsequently, the company is allocated to a subgroup relative to the size class. The calculation model provides for the following classes and subgroups:
ii. Determination of the average annual turnover of the respective size class
The average annual turnover of the respective subgroup is then determined according to the following table:
It should be noted that for companies with an annual turnover over EUR 500 million, no average value is applied; rather, the German data protection supervisory authorities use the actual annual turnover as the basis of their calculation.
iii. Determination of the basic value
The average annual turnover is then divided by 360 to determine the basic value:
iv. Multiplication of the basic value according to the seriousness of the infringement
In the next step, the basic value is multiplied by a factor, the amount of which depends on the seriousness of the infringement (see the table below) and on whether it is categorised as a formal or material infringement. Formal infringements are those listed in Art. 83 para. 4 GDPR, for which fines are limited to 2% of the worldwide annual turnover or EUR 10 million; material infringements are those listed in Art. 83 para. 5 and 6 GDPR, for which the higher fines of up to 4% of the worldwide annual turnover or EUR 20 million apply.
In the case of formal infringements, the factor ranges between 1 and 6 depending on the seriousness of the infringement, and exceeds 6 in the case of very serious infringements; for material infringements, the scale ranges from 1 to 12 and up to 14.4 in the case of very serious infringements.
Examples of formal infringements are violations of predominantly administrative obligations, such as the obligation to enter into a data processing agreement with a third party where data processing is carried out on behalf of the company or the obligation to conclude a joint controllership agreement that reflects the respective roles and duties of joint controllers vis-à-vis data subjects in the case of joint controllership.
Material infringements are, for example, violations of data subjects' rights, non-compliance with general data protection principles or the absence of a legal basis for data processing.
The classification of an infringement as light, medium, serious or very serious depends on the circumstances of the individual case. This assessment shall reflect the criteria set out in Article 83 para. 2 GDPR, namely:
- the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the company to mitigate the damage suffered by data subjects;
- the degree of responsibility of the company, taking into account the technical and organisational measures it has implemented;
- any relevant previous infringements;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the company notified the supervisory authority of the infringement;
- where measures have previously been ordered against the company concerned with regard to the same subject-matter, compliance with those measures;
- adherence to approved codes of conduct or approved certification mechanisms; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
v. Adjustment on the basis of other criteria
The fine calculated based on the previous four steps can be adjusted in a last step reflecting all circumstances of the individual case that have not yet been taken into account. In addition to the criteria set out in Article 83 para. 2 GDPR and described above under iv, the respective data protection supervisory authority shall also consider further circumstances, such as the duration of the proceedings or an imminent insolvency of the company.
B. Advantages, disadvantages and consequences of the model
The new model aims to provide more transparency with regard to the calculation of fines in Germany. In our view, the model achieves this goal to a large extent. Where it was previously nearly impossible to quantify data protection risks, it will become considerably easier for companies to estimate their exposure. Although this – at first glance – is a big advantage, CEOs and supervisory boards might be required in the future to establish provisions for losses if deficiencies in data protection compliance constitute risks that are likely to materialise. Therefore, these risks should become part of a company's risk management.
The very factor that gives the model its high transparency, namely that it is based on revenue, also faces considerable criticism. Although the DSK itself is of the opinion that revenue is a suitable and appropriate point of reference for the determination of a fine, this aspect of the new model is the most heavily criticised. Especially with regard to companies with a large turnover, such as BMW AG (approximately 97 billion in 2018), Deutsche Telekom (approximately 76 billion in 2018) or Siemens AG (approximately 83 billion in 2017/2018), minor formal violations (such as not having a data processing agreement in place where required) could result in very high fines. The basic value, in this case to be multiplied by a factor of between 1 and 6, would already be at over EUR 1 million. Even if the additional factors to be considered in the next steps were to reduce a fine calculated on this basis, the final fine could still amount to a four or five-digit figure or higher.
Against this background, Germany can expect both an increase in fines and in associated litigation in the near future. Larger companies in particular will likely opt to defend themselves against these high fines before a court. It remains to be seen whether the German courts – which are not bound by the calculation model – will approve of the model or reject it. The Berlin supervisory authority has already announced its plan to issue a fine in the double-digit millions of euros.
The new model does not, however, only give rise to disadvantages and criticism; it also allows companies to influence the amount of the fine. Based on a fine notice that became public, a company taking measures to mitigate damages resulting from data protection violations could reduce its fine by 25%. The same applies in the case of exceptional cooperation with supervisory authorities or if a company itself notifies an authority of the violation (in comparison with a potential 10% increase if the violation becomes known to the authority through a complaint). Companies should, however, also be aware that factors such as relevant previous violations may increase a fine by up to 300%.
Overall, it should be welcomed that data protection authorities aim to conduct their fine practice in a more transparent manner for companies. In our view, the new German model leads to greater security for companies with regard to the calculation of fines, but has some flaws nonetheless. These will likely be subject to court proceedings in the future.
As the German data protection supervisory authorities have already presented the model in the European Data Protection Board, it is not unlikely that the model, or parts of it, will be taken into account in the development of a joint European model and that the model could, therefore, be used as a blueprint for Europe.