The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Calculation of administrative fines under the GDPR -3

The European Data Protection Board (EDPB) has released Guidelines 04/2022 on the calculation of administrative fines under the GDPR, submitting them for public consultation until June 27, 2022.

The Guidelines divide the logical process of determining administrative fines into steps:

  • the first, consisting of identifying how many conducts and infringements the fine is based upon. We covered this first step in the bulletin of June 16, 2022.
  • the second step, concerning the calculation of the theoretical fine, was analyzed in the bulletin of June 30, 2022. This calculation is made:
  1. by identifying the level of legal penalty level applicable to the specific case (i.e., whether it falls within the lowest level – €10 million or 2% of Total Worldwide Annual Turnover – or the highest level – €20 million or 4% of the Total Worldwide Annual Turnover
  2. assessing the seriousness of the infringement (nature, severity and duration of the infringement, malicious or negligent character, categories of personal data involved; see Art. 83(2)(a), (b) and (g) GDPR)
  3. or by determining the Total Worldwide Annual Turnover value of the offending organization.

Once the level of the theoretical penalty has been calculated, adjustments for the specific case can be made to it in succession, which are:

  • Step 3 – the application of relevant mitigating or aggravating factors
  • Step 4 – the determination of the Legal Maximum
  • Step 5 – the appreciation of the resulting fine with regard to the principle of effectiveness, dissuasiveness, and proportionality of punitive intervention.

In this round we will focus on mitigating and aggravating factors (step 3).


Figure – EDPB Guidelines 04/2022: steps for determining the amount of administrative fine.

Mitigating and aggravating circumstances

Figure – Mitigating and aggravating circumstances of Article 83(2) in addition to those of the objective and subjective elements.

The mitigating and aggravating circumstances of Article 83(2) – after examining those related to the level of inherent seriousness of the violation [Article 83(2)(a) and (g), objective element] and the intentionality of the infringement [Article 83(2)(b), psychological or subjective element] – are used to better adjust the theoretical fine calculated in Step 2 above to the circumstances of the individual case.

Actions to mitigate the damage suffered by data subjects (Article 83(2)(c))

The list of mitigating or aggravating factors for the determination of administrative fines, as well as for the adoption of the additional measures of Article 58(2) (a) to (h) and (J), but also for deciding which of the two types to apply and whether or not to apply them, resumes by taking into consideration the measures taken by the data controller or processor (i.e., of the subject-role to which the infringement is attributable) in order to mitigate the damage suffered by the data subjects.
It is interesting to point out the difference with the obligations that the GDPR imposes on controllers and processors, consisting of the adoption of technical-organizational measures appropriate to the risk (Articles 24, 25 and 32), understood as guarantees to be implemented in the physiological phase of processing, i.e., prior to the violation, with a preventive function of possible damages that could result from infringements. Instead, as a possible factor in mitigating the fine, are taken into consideration those technical-organizational measures that the aforementioned parties put in place after the infringement was committed in order to reduce the consequential damage suffered by the data subjects; this is the typical case of data breach, where the controller’s responsiveness in countering and mitigating the damaging effects of the data breach on the affected data subjects is taken into consideration. Thus, the first technical-organizational measures aim to protect the rights of data subjects, and the second aim to mitigate the damage caused to data subjects.

In conclusion, it does not seem superfluous to reiterate that the damaging effects referred to are those suffered by the individuals involved rather than those of the offending organization.

EDPB Guidelines 04/2022 specify that this assessment should give due consideration to the following elements:

  • timeliness, i.e., the readiness with which measures are put in place,
  • effectiveness of them in achieving the goal of containment
  • spontaneous implementation by the offender, i.e., prior to the start of the authority’s investigation.