Skip to content

Calculation of administrative fines under the GDPR -1

The House of Data Imperiali bulletins are excerpts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Calculation of administrative fines under the GDPR -1

The European Data Protection Board (EDPB) released Guidelines 04/2022 on the calculation of administrative fines under the GDPR, submitting them for public consultation until June 27, 2022.

The General Regulation made significant changes in the area of administrative fines that Directive 95/46/EC, on the other hand, left to each Member State, with regard to both their calculation and the methodology of application.

Summary

The GDPR states that certain violations of its principles and rules are subject to administrative fines, determined only in maximum amounts. National supervisory authorities, with the exception of Denmark and Estonia, are authorized to issue administrative fines, which are binding if not appealed, according to national law (Art. 78 GDPR and 152 Italian Privacy Code).

Fines apply with respect to controllers and, where applicable, data processors, whether in the form of legal entities or natural persons acting as undertakings. The imposition of such fines against public bodies, on the other hand, is left to the decision of each Member State, with reference to both the “whether” and the “extent” of the fine imposed (Article 83.7, GDPR). The Italian Privacy Code, for example, extends the application of administrative fines to public entities as well, with the exclusion of processing carried out in a judicial context (Articles 166.4 and 10 Privacy Code).

The GDPR gives member states flexibility in adopting fines in addition to those in Article 83 of the regulation (Art. 84, GDPR). The Italian legislator made use of this option by introducing new fines through Article 166 of the Privacy Code.

Guidelines 04/2022, follow and complement its counterparts wp253 on the application of fines, adopted by EDPB’s predecessor, the Article 29 Working Party, and endorsed by the Board in 2018. The two guidelines, therefore, should be read in conjunction with each other.

Guidelines: general considerations

Guidelines 04/2022 aim to harmonize the methodology for the calculation of administrative fines by national supervisory authorities: in fact, they are intended for the latter even though they offer guidance of interest to data controllers and processors. Without prejudice to the harmonization purpose of the guidelines, however, the authority’s discretion in determining the fine, based on an analysis of the specific circumstances of the case, remains unaffected, as long as the decision is adequately reasoned. In this process, the authority must take into account the evaluation criteria set by the GDPR (Art. 83).

The 04/2022 guidelines follow up on the Article 29 Working Party’s (WPArt29) document wp253, which was endorsed by the EDPB on May 25, 2018. The wp253 guidelines mainly provided interpretation of the determinative criteria of Article 83 of the GDPR, while the EDPB’s 04/2022 addresses the methodology to be followed in calculating fines. As explicitly stated, the two sets of guidelines are applicable simultaneously and should be seen as complementary. (Guidelines 04/2022, para. 3).
Guidelines 04/2022 cannot be considered exhaustive and will be subjected to regular review in correspondence with the development of practical experiences in the EU, aimed at assessing whether their implementation actually achieves the objectives called for by the GDPR. For these reasons, the EDPB highlights the possibility of “discontinuing, changing, limiting, amending or replacing these guidelines at any given time with effect for the future” ( para. 146).

Methodology for calculating the amount of the fine

Guidelines 04/2022 propose a methodology for calculating the fine divided into successive steps. The recommended method should not be interpreted as a mathematical automatism since the determination of the specific fine still depends on the human assessment of the relevant circumstances of the case.

EDPB_calculating_methodology_fines
Figure – Infographic taken from EDPB – Guidelines 04/2022.