The German data protection authorities have agreed on a standardized system for calculating fines under the GDPR.
The background to this is that the supervisory authorities of the European Data Protection Board intend to arrive at a Europe-wide standardized fine regulation. Until the Board approves the associated guidelines for this regulation, the German supervisory authorities will align themselves with the German-language concept now published.
https://www.datenschutzkonferenz-online.de/media/ah/20191016_bu%C3%9Fgeldkonzept.pdf
In accordance with this concept, fines shall be calculated as follows:
The setting of fines against companies will be carried out in five steps.
First, the affected company will be assigned to a size class (1.), then the average annual turnover of the respective sub-category of the size class will be determined (2.), then an economic base value will be determined (3.), this base value will be multiplied by a factor based on the severity of the circumstances (4.), and finally the value determined under 4. will be adjusted on the basis of individual company-related or other circumstances not yet taken into account (5.).
In concrete terms, this means the following: The initial calculation basis will be the worldwide company turnover of the previous year. The average annual turnover of the sub-category to which the company belongs will then be determined. The economic base value will be determined by dividing this average annual turnover by 360. This will lead to the determination of an average daily rate. This will be multiplied by a factor based on the individual degree of severity of the infringement. This factor will usually lie between 1 and 14.4. (The value of 14.4 for particularly serious infringements corresponds exactly in arithmetical terms to the four per cent of the previous year’s turnover, as referred to in Art. 83 (5) and (6) of the GDPR.) Finally, this amount will be adjusted in light of all mitigating or aggravating circumstances standing in favor of or against the affected company.
On the basis of this new calculation model, it can be assumed that the trend towards higher fines in Germany will continue to intensify. This was also confirmed by the German Federal Data Protection Commissioner, who, in the German-language press statement below, predicts fines running into millions:
As this calculation model is also due to apply throughout Europe, it should be borne in mind that compliance with the provisions of the GDPR has become even more important for the entire EU economic zone.