The European Data Protection Board (EDPB) has released Guidelines 04/2022 on the calculation of administrative fines under the GDPR, submitting them for public consultation until June 27, 2022.
The Guidelines divide the logical process of determining administrative fines into steps: the first consists of identifying the number of conducts and infringements on which the fine is based. We covered this first step in the bulletin of June 16, 2022.
Today we will focus on the second step, the identification of a harmonised starting point for the further calculation of the fine.
While step 1 has as its goal to determine the number of applicable fines, the remaining steps aim to determine their amount. There are some general rules on determining the amount of the fines that apply to any case:
- The GDPR does not provide for a minimum fine; for cases deemed to be minor infringements, it is at the discretion of the supervisory authority to replace the fine with a reprimand [Art. 58(2)(b) GDPR]. The assessment as to the negligible level of the infringement, which justifies the adoption of the reprimand instead of the fine, is made by applying the same evaluation criteria that the GDPR requires for the determination of the fine. Article 83(2) in fact states: “2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2) [including reprimand]. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:”
- The fine imposed can never exceed the maximum legal level provided for the single infringement, i.e., €10 million or 2% of the organization’s total worldwide annual turnover (whichever is higher) for the infringements listed in Art. 83(4), or €20 million or 4% of the organization’s total worldwide annual turnover (whichever is higher) for those listed in Art. 83(5); these are the two ceilings the GDPR sets according to the gravity of the infringement.
Step 2 – Seriousness of the infringement
The purpose of Step 2 is to determine the level of seriousness of the infringement. This assessment takes into consideration the objective and subjective elements of the conduct of the responsible party in the specific case. More specifically:
- Nature, gravity and duration of the infringement, as well as the categories of personal data affected (the so-called “objective element”)
- Intentional or negligent nature of the perpetrator’s behaviour (the so-called “subjective element”).
The combined assessment of the objective and subjective elements determines the seriousness of the infringement as a whole. In the following steps, this initial assessment is then adjusted for the mitigating and/or aggravating circumstances provided for in the GDPR, as they apply to the specific case.