New model of calculating GDPR fines is to increase possible penalties
Let’s face it – million-euro fines are to become a reality in Germany. German data protection authorities have agreed on a new model of calculating GDPR fines at the top end of the limits specified in Article 83. With Germany paving the way, it is highly likely that other European countries will follow. The model has been presented to the European Data Protection Board who have explicitly expressed their intention to ensure consistent fining practices across the EU. Therefore, we believe that it is only a matter of time before a harmonised fine methodology is developed based on the German model.
How does the model work?
The model devised by the German DPAs is quite complicated and accounts for a number of parameters. Let us take a closer look at it and try to get a better idea of how it works.
First of all, companies are divided into categories based on their size. The size of a company is determined by its worldwide turnover in the previous year. According to this parameter, a company falls into one of the following categories which are then further divided into sub-groups:
- very small (up to 2 million EUR),
- small (from 2 to 10 million EUR),
- medium-sized (from 10 to 50 million EUR),
- large (over 50 million EUR).
After that, the average annual turnover of the company is calculated. If the average annual turnover is less than 500 million EUR, the company is assigned a “fixed average turnover fee” based on its size and sub-group determined previously (very small, small, medium-sized or large). If the average annual turnover is over 500 million EUR, DPAs will apply the maximum percentage in accordance with Article 83, i.e. 2% or 4% depending on the violation.
Severity of infringement
The next step is calculating the “daily rate” by dividing the average annual turnover of the relevant sub-group by 360 days. The daily rate is then used to determine the regular fine corridors depending on the severity of the infringement. All infringements are categorised into four groups according to the perceived level of severity, and a certain range of multipliers is assigned to each group:
- minor infringement: multiplier range from 1 to 4;
- average infringement: multiplier range from 4 to 8;
- severe infringement: multiplier range from 8 to 12;
- very severe infringement: multiplier range from 12 to 14.4.
The severity assessment results in the determination of the regular fine corridor which is calculated by multiplying the daily rate by the multiplier range for the corresponding severity level. The DPAs will then determine the median value which is the basis for fine calculation.
Finally, the infringement is further classified on a case by case basis, and the fine is modified to account for the following criteria:
- duration of the infringement;
- nature, purpose and the extent of unlawful data processing;
- the number of data subjects involved;
- harm to data subjects.
Each of these criteria will be given a score from 0 to 4 (maximum 16 in total), which will determine whether an additional multiplier should be applied. The DPAs will also take into account other mitigating or aggravating factors. For example, cooperation with the authorities and taking measures to mitigate damages can be a beneficial factor, while a history of previous infringements can lead to a significant increase in the fine. Only after completing all the steps will the DPAs know the final amount of the fine.
Company A had a worldwide turnover of 40 million EUR in 2019; it is therefore ranked as a medium-sized company, sub-group CVI, with a fixed annual turnover fee of 35 million EUR. To calculate the daily rate, we’ll divide 35 million by 360 and get 97,222 EUR. Company A’s infringement has been classified as severe, so the regular fine corridor will be between 777,776 EUR and 1,166,664 EUR. The median value is 972,220 EUR, which is the basis for fine calculation. However, the total amount of the fine will depend on the extent of harm, consequences to data subjects and other factors, and will be further determined by the DPAs.
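The size classification, daily rate and fine corridor described above, as an added Python example that is not part of the original article. Because the article gives only the single fixed annual turnover fee for sub-group CVI, the fee is passed in rather than looked up, and rounding the daily rate to whole euros is an assumption that reproduces the article's figures.

```python
# Added illustration of the German DPAs' fine-corridor arithmetic as described
# in the article. The sub-group -> fixed annual turnover fee table is not given
# in the article, so the fee is an input; rounding the daily rate to whole euros
# is an assumption that reproduces the Company A figures.

SIZE_CATEGORIES = [  # (upper bound of previous-year worldwide turnover in EUR, name)
    (2_000_000, "very small"),
    (10_000_000, "small"),
    (50_000_000, "medium-sized"),
    (float("inf"), "large"),
]

SEVERITY_MULTIPLIERS = {  # severity -> (low, high) multiplier of the daily rate
    "minor": (1, 4),
    "average": (4, 8),
    "severe": (8, 12),
    "very severe": (12, 14.4),
}

FIXED_FEE_CEILING = 500_000_000  # above this the Article 83 percentage (2%/4%) applies


def size_category(worldwide_turnover: float) -> str:
    """Classify a company by its worldwide turnover in the previous year."""
    for upper_bound, name in SIZE_CATEGORIES:
        if worldwide_turnover <= upper_bound:
            return name
    raise ValueError("turnover must be a non-negative number")


def daily_rate(fixed_annual_turnover_fee: float) -> int:
    """Fixed annual turnover fee of the sub-group divided by 360 days."""
    if fixed_annual_turnover_fee > FIXED_FEE_CEILING:
        raise ValueError("over 500 million EUR: Article 83 maximum percentage applies")
    return round(fixed_annual_turnover_fee / 360)


def fine_corridor(fixed_annual_turnover_fee: float, severity: str) -> dict:
    """Regular fine corridor (low, high) and its median for a severity level."""
    low_mult, high_mult = SEVERITY_MULTIPLIERS[severity]
    rate = daily_rate(fixed_annual_turnover_fee)
    low, high = rate * low_mult, rate * high_mult
    return {"daily_rate": rate, "low": low, "high": high, "median": (low + high) / 2}


if __name__ == "__main__":
    # Company A from the article: 40 million EUR turnover, 35 million EUR fee, severe.
    print(size_category(40_000_000))
    print(fine_corridor(35_000_000, "severe"))
```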
Are you compliant?
As you can see, the new model is really complex. It has already come in for some criticism and we have yet to see how it will be implemented. However, one thing is for sure: this model will lead to much higher fines than German authorities have imposed so far. If you haven’t ensured full compliance yet, this is your ‘wake-up call’.
If you process sensitive data, we recommend that you examine your data protection processes to prevent potential data breaches or any other offences within the scope of the GDPR. One of the easiest ways to comply with GDPR requirements in Jira and Confluence is to use the GDPR (DSGVO) and Security for Jira or GDPR (DSGVO) and Security for Confluence add-ons, which ensure data protection in Jira and Confluence by design and by default. These add-ons have built-in features for personal data monitoring, permission monitoring, obtaining consent, permanent anonymization, creating data rules for process automation, etc.
For more information on GDPR compliance, check out more articles in this series:
- 4 easy questions to check if you are fully GDPR compliant
- 7 popular myths about GDPR
- Be GDPR compliant, Part 1: everything you need to know about getting consent in Jira and Confluence
- Be GDPR compliant, Part 2: ensure the right to erasure, find and anonymize PII in Jira