
EDPB adopts draft guidelines on the calculation of administrative fines under the GDPR

On 16 May 2022, the European Data Protection Board (EDPB) published the draft Guidelines on the calculation of administrative fines under the GDPR (the Guidelines). The Guidelines are subject to public consultation until 27 June 2022.

The draft Guidelines aim to harmonize the approach to establishing the amounts of administrative fines for violations of the GDPR throughout the EU. The EDPB proposes a five-step methodology for calculating a fine:

  1. The processing operations in the case must be identified and the application of Art. 83(3) GDPR evaluated, eg to establish whether there are one or multiple instances of sanctionable conduct. In the case of a single sanctionable conduct, the supervisory authority should establish whether it gives rise to one or more infringements. If a single sanctionable conduct gives rise to multiple infringements, the supervisory authority will need to examine whether attribution of one infringement precludes the attribution of another infringement or whether they can be attributed alongside each other. The Guidelines provide detailed examples for each possible scenario.
  2. Identifying a starting point for a further calculation of the amount of the fine, based on three key starting points:
       a) the classification of the infringement in the GDPR according to its nature, gravity or duration (Art. 83(4)-(6)). The first category of infringements is punishable by a maximum fine of EUR 10 million or 2% of the undertaking’s annual turnover, whichever is higher, whereas the second category is punishable by a maximum fine of EUR 20 million or 4% of the undertaking’s annual turnover, whichever is higher;
       b) the seriousness of the infringement in light of the circumstances of the case (Art. 83(2)(a), (b) and (g)), suggesting the categories of infringements with high, medium and low level of seriousness; and
       c) the turnover of the undertaking, as one relevant element to take into consideration “with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) GDPR”.
  3. Evaluation of aggravating or mitigating circumstances related to past or present behaviour of the controller/processor, and increasing or decreasing the amount of the fine accordingly.
  4. Determining the relevant legal maximums established in the GDPR for the different infringements, looking into “static maximum amounts” (eg EUR 10 million or 20 million) and “dynamic maximum amounts” (as 2% or 4% of the undertaking’s total annual turnover of the previous financial year). Increases applied in the previous or next steps cannot exceed this maximum amount. For this step, the EDPB looks in detail into the meaning of corporate liability, EU law on the concept of “undertaking” and “single economic unit” (SEU) for the purposes of calculating fines. The EDPB provides several examples of various corporate structures and lists various factors to consider from the CJEU case law, eg on the level of influence exercised by a parent company and organisational, economic and legal links between the subsidiary and parent company.
  5. Analysing whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality (required by Article 83(1) GDPR). The amount of the fine can still be adjusted, where necessary, but may not exceed the relevant legal maximum under the GDPR.

Detailed clarifications and interpretation of the GDPR provisions are given in the Guidelines for each step.

These guidelines are subject to public consultation until 27 June 2022.

Read the EDPB press release and the draft Guidelines.
