Data protection deficits are becoming extremely expensive, especially for subsidiaries of global corporations in Germany. However, any company in Germany should also take the latest publication of the Data Protection Conference of the Federal Government and the Federal States (Datenschutzkonferenz - "DSK") on the future assessment of fines as an opportunity to examine its handling of personal data thoroughly and to ensure data protection compliance.
A penalty of up to 4% of the worldwide annual turnover is a severe threat to companies that breach certain data protection regulations. However, regulators have wide discretion. Almost 1.5 years after the GDPR, which created the basis for these severe fines, came into force, the DSK now presents a concept on how the German data protection authorities should determine fines in the future (available only in German here).
The DSK does not make the exercise of its discretion easy for itself. In future, fines will be calculated in five steps:
In the first stage, the company in question is categorized according to its annual turnover. There are four categories (micro, small, medium and large enterprises), each with further subcategories. While a turnover of 700,000 EUR in category A.I represents the smallest annual turnover limit, companies with an annual turnover of more than 500 million EUR belong in the highest turnover category. The mean value of the respective turnover category, calculated at the second level, is then broken down to daily rates in order to determine a basic value, which is then multiplied at level 4 by a factor (1 to 12) that depends on the severity of the case. If groups of companies are involved that exceed the 500 million EUR turnover limit, the actual annual group turnover is used for the daily rate calculation. Finally, the fine thus determined is adjusted at level 5 on the basis of "perpetrator-related and other circumstances", which are not further defined.

Although the DSK may have followed the guidelines on fines of the German Federal Cartel Office (Bundeskartellamt - "BKartA") and the European Commission in antitrust proceedings, there is a significant difference: the DSK refrained from defining a factor that reflects the extent of an infringement. While the BKartA and the European Commission's guidelines on fines provide for a calculation that is strictly based on a fact-based annual turnover (i.e. the turnover specifically favored by a cartel infringement), DSK's...