The European Data Protection Board (EDPB) released Guidelines 04/2022 on the calculation of administrative fines under the GDPR, submitting them for public consultation until June 27, 2022.
Fines apply with respect to controllers and, where applicable, data processors, whether in the form of legal entities or natural persons acting as undertakings. The imposition of such fines against public bodies, on the other hand, is left to the decision of each Member State, with reference to both the “whether” and the “extent” of the fine imposed (Article 83.7, GDPR). The Italian Privacy Code, for example, extends the application of administrative fines to public entities as well, with the exclusion of processing carried out in a judicial context (Articles 166.4 and 10 Privacy Code).
The GDPR gives Member States flexibility to adopt fines in addition to those in Article 83 of the Regulation (Art. 84, GDPR). The Italian legislator made use of this option by introducing new fines through Article 166 of the Privacy Code.
Guidelines 04/2022 follow and complement their counterpart, WP253, on the application of fines, adopted by the EDPB's predecessor, the Article 29 Working Party, and endorsed by the Board in 2018. The two guidelines, therefore, should be read in conjunction with each other.
Guidelines: general considerations
Methodology for calculating the amount of the fine
Guidelines 04/2022 propose a methodology for calculating the fine that is divided into successive steps. The recommended method should not be applied as an automatic mathematical formula, since the determination of the specific fine still depends on the human assessment of the relevant circumstances of the case.