When the General Data Protection Regulation (GDPR) came into force more than four years ago, the introduction of fines as a penalty for data protection violations caused quite a stir. For the most part, the horrendous fines feared at the time did not materialize. This may now change as a result of the recent decision of the European Data Protection Board (EDPB), a body that promotes the consistent application of data protection regulations.
Imposition of fines by supervisory authorities
The GDPR provides that fines may be imposed for data protection violations. The supervisory authorities are responsible for this. They can impose fines of up to EUR 20,000,000 or, in the case of a company, up to four percent of its total annual international sales for the previous fiscal year. The decisive factor here is which of the two amounts is higher.
Moreover, repeated violations will result in higher fines. The amount in a specific individual case is determined by the supervisory authority responsible for that case.
As a result of this case-by-case assessment, the amount of the fines imposed differs significantly between the European member states. For example, a large number of fine cases concern the processing of personal data without a sufficient legal basis. While Hungary places this type of violation by companies within a fine range of EUR 560 to 97,150, fines in Spain for such violations by companies range from EUR 4,000 to 3,000,000.
New calculation model for fines
On May 12, 2022, the EDPB adopted a new fine model. The model is aimed at national supervisory authorities and sets binding rules for them on how fines must be calculated in the future. This is intended to realign the fines imposed for GDPR violations and prevent further divergence in the fining practices followed in the individual Member States.
Higher fines as a result
The application of the new fine model suggests higher fines, particularly for companies that generate high turnover. The background here is that the model encourages the supervisory authorities to make greater use of the sales of the offending company when determining the basis for calculation.
After assessing the relevant circumstances of the individual case, which influence the amount of the fine, the supervisory authorities shall also consider whether the amount they calculate is effective, proportionate and dissuasive. The requirement that the fine be dissuasive may also push the amount upward, because the higher the fine, the greater its deterrent effect.
Your advisors on the subject of GDPR fines
We will not only provide general advice in the area of data protection compliance in order to avoid the imposition of fines, but will also represent you in pending fine proceedings before the supervisory authorities. If there is any doubt about the amount of a fine imposed, we will pursue a review in court on your behalf. Our experts in data protection law can easily be reached by e-mail (firstname.lastname@example.org) or by phone (+49 69 76 75 77 80).