Fines are incurred in the event of a breach of the GDPR. Due to the lack of uniform regulations, these have varied widely to date. With the new guideline 04/2022, the European Data Protection Committee (EDSA) presents a possible Europe-wide model for fines.
Find out everything you need to know about the EDSA's new fines model here.
In the event of a breach of the GDPR, fines may be imposed pursuant to Art. 83 GDPR. Guidelines already exist on the cases in which fines are to be imposed (the "whether"). With regard to the amount of the fines, however, there is disagreement throughout Europe. As a result, the level of fines in some European countries is generally higher than in others. These considerable differences in the practice of imposing fines are in part strategically exploited by companies in their choice of location. In addition, the current practice of imposing fines is characterized by a lack of predictability, which makes planning difficult. The evaluation criteria used to determine the fines are usually hardly transparent.
The new fine model
According to the EDSA's new calculation model, fines will be calculated in five steps in the future.
Step 1: Determination and delimitation of relevant data processing
First of all, it must be examined which data processing has specifically violated the GDPR. In doing so, it must be clarified whether one or more processing operations are involved and whether these are linked in such a way that the concurrence rule of Art. 83 III GDPR applies.
Step 2: Determination of the initial value for fine calculation
The second step is to determine the starting amount of the fine. First, the possible range (minimum and maximum amount according to the GDPR) is considered. Within these limits, there are four criteria for determining the exact amount of the fine: the type of violation (a formal infringement under Art. 83 IV GDPR or a substantive infringement under Art. 83 V and VI GDPR), the severity of the violation, the subjective component (intent or negligence) and the category of data affected. Based on these criteria, a starting point is determined after an overall review and assessment. Depending on the turnover of the affected company, there is also to be a maximum percentage limit for fines.
Step 3: Assessment of aggravating and mitigating circumstances
In a third step, aggravating and mitigating factors are then examined. For this purpose, the guideline provides interpretation aids for the criteria listed in Art. 83 II lit. c-k GDPR.
Step 4: Determination of maximum limits
In a fourth step, the new fine model refers to the maximum limits from Art. 83 IV-VI GDPR and the capping to certain percentage values of the turnover.
Step 5: Fine adjustment
In the last step, a final adjustment is to be carried out to ensure that the fine is effective, proportionate and dissuasive. The overall result thus takes into account the objectives pursuant to Art. 83 I GDPR.
Significance of the fine model for practice
The aim of the EDSA's new fine model is to standardize fines and thus facilitate legal practice. At the same time, however, the aspect of deterrence is to be maintained. Thus, especially companies with high turnovers will have to pay higher fines under the new fine model.
According to the guideline, companies are also directly liable for the data protection misconduct of their employees. Companies should therefore always ensure that their employees are trained accordingly in order to minimize risks.
The guideline is currently still in the consultation process. This means that it does not yet have legal validity, but it is expected to be adopted in largely this form in the near future.
Do you need support in the area of data protection in your company to prevent fines? Our team of experts will be happy to help you!