After a month of rumors, uncertainty, and German data protection authorities being nontransparent, the German conference of data protection authorities (Datenschutzkonferenz, DSK) published the concept for calculating administrative fines for data protection violations (Concept, available here) on October 16, 2019.
The Concept sets out a standardized approach regarding the calculation of administrative fines in accordance with article 83(4) and (5) of the General Data Protection Regulation (GDPR) and also takes into account the circumstances of the individual case as described in article 83(2) GDPR. The Concept provides a uniform determination of administrative fines under GDPR without losing the flexibility to consider the individual case and situation of the violating person or organization (Violating Entity).
The Concept is not binding on courts, non-German authorities, or the European Data Protection Board (EDPB) and shall only be used for violations in Germany that are not cross-border cases. The Concept shall only be used until the EDPB has issued its own guidelines for the determination of fines under article 83 GDPR. In addition, the Concept shall not be used for fining associations or natural person outside of their economic activity.
In this blog, we explain the five-step procedure that the DSK applies in the calculation:
Content of the Concept
The procedure for determining GDPR fines described in the Concept comprises five steps:
Step 1 - Classifying the Violating Entity
In the first step, the Violating Entity is classified into specific categories from A to D in consideration of the global annual turnover of the Violating Entity as set out in article 83(4) and (5) GDPR. In accordance with recital 150 GDPR, the DSK determines the annual turnover of the Violating Entity in consideration of articles 101 and 102 of the Treaty of the Functioning European Union (TFEU).
Category A: up to 2 million annual turnover Category B: 2 million to 10 million annual turnover Category C: 10 million to 50 million annual turnover Category D: above 50 million annual turnover The categories are also divided into more granular subgroups. The categories shall reflect all different sizes of organizations from micro businesses, to small- and medium-sized organizations, to big organizations.
Step 2 - Average annual turnover
In the second step, the average annual turnover of the category is determined in order to be able to determine the daily...