GDPR Fines — How Are They Actually Determined?

Authors: Axel Hård af Segerstad (Associate) and Jasmin Metwally (Associate Trainee)

The risks of large administrative fines for non-compliance with data protection rules drew widespread attention especially prior to the EU General Data Protection Regulation (679/2016, the “GDPR”) coming into effect. Although the most worrying concerns may have abated since, the subject has remained topical as we continue to see more decisions, including ones imposing administrative fines, from the supervisory authorities around Europe. By way of an example, last year in Finland, the Sanctions Board of the Office of the Finnish Data Protection Ombudsman issued five administrative fines that extensively varied in amount, ranging from EUR 8,300 to EUR 750,000.

Based on these numbers alone, the types of infringements and the consequences related thereto, can vary extensively. Moreover, based on the legal praxis thus far, the mere type of an infringement, whether it is non-compliance with basic data processing principles or insufficient fulfillment of data subjects’ rights, does not in itself reveal much in terms of how the amount of an administrative fine is determined. This is because there are a number of elements and circumstances that supervisory authorities have to consider when administrative fines are imposed.

In this blog post, we will take a closer look at Article 83 of the GDPR, which lays down the general conditions for imposing administrative fines, and analyse it in the light of relevant guidelines from the European Data Protection Board (“EDPB”) and the European Art. 29 Working Party. The aim of both guidelines has been to standardise the approach used by supervisory authorities in determining the amount of an administrative fine, while also offering practical examples to assist organisations in comprehending the process of calculating the amount of fines.

This blog post will in particular focus on 1) the criteria that must be given due regard based on a case-by-case assessment and 2) the different types of infringements that, based on their nature, can either entail a lower or higher administrative fine.

Criteria to be Assessed

Firstly, it must be noted that imposing administrative fines is merely one of the many corrective powers that a supervisory authority has instead of or in addition to, for instance, issuing warnings or reprimands, ordering controllers to bring their processing operations into compliance with the GDPR or imposing temporary or definitive limitations including bans on processing. Supervisory authorities have to ensure that the imposition of administrative fines in respect of infringements must in each individual case be effective, proportionate, and dissuasive. Therefore, minor infringements may, based on the circumstances of each individual case, not necessarily always lead to the imposition of fines on a controller or processor.

Article 83(2) of the GDPR sets forth the specific criteria which must be considered by supervisory authorities when deciding whether to impose an administrative fine and the amount of the administrative fine. The GDPR itself does not stress any particular criteria over another — instead, due regard must be given to all of the eleven different criteria.

However, according to EDPB’s guidelines, the calculation of administrative fines should commence from a harmonised starting point. The seriousness of the infringement should be evaluated pursuant to Article 83(2)(a), (b), and (g). Firstly, the nature, gravity, and duration of the breach should be considered. The assessment should include, for instance, the purpose of the processing, as well as the number of data subjects affected by the breach. If the data subjects have suffered any harm, the extent and severity of the damage should also be taken into account in the assessment. The criterion (b) provides that the intentional or negligent character of the infringement should be taken into account in the assessment. In general, “intent” includes both knowledge and wilfulness in relation to the characteristics of an offence. On the other hand, “unintentional” refers to a situation where there was no intention to cause the infringement, although the controller and processor breached the duty of care which is required by the GDPR. Examples of intentional breaches may include processing data in violation of explicit authorisation from top management, disregarding advice from the data protection officer, or flouting existing policies. For instance, gathering and processing information about a competitor's employees to tarnish their reputation in the market would be an example of an intentional breach. Moreover, the categories of the personal data affected by the infringement play a role in the initial assessment pursuant to criterion (g). It can be assessed, for instance, whether the infringement concerns processing of special categories of data, such as racial or ethnic origin and data concerning health.

After the initial assessment, the remaining aggravating and mitigating criteria provided in Article 83(2) should be noted in the assessment. Firstly, the actions taken by the controller or processor to mitigate the damage suffered by data subjects should be considered. If a breach occurs, the controller should take all necessary measures to minimise the impact of the breach. Thus, this provision acts as an assessment of the degree of responsibility of the controller after the infringement has occurred. Another criterion is the level of responsibility held by the controller or processor regarding the technical and organisational measures they have implemented. This includes an evaluation of the adequacy of security and technical measures that have been put in place. Further, industry standards and codes of conduct should also be considered relevant factors in the assessment process.

Furthermore, any relevant previous infringements can have an impact on the assessment. It should be assessed whether the controller or processor has committed a similar infringement earlier. Nonetheless, any type of breach of the GDPR might be considered relevant for the assessment, even it was different in nature. Additionally, the controller or processor should cooperate with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement. Article 83(2) provides that the degree of cooperation may be acknowledged when deciding whether to impose and administrative fine and also in deciding the amount of the fine.

Yet another criterion is the way the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement to the supervisory authorities. Pursuant to the GDPR, the controller has an obligation to notify the supervisory authority of personal data breaches. Additionally, a controller or processor may already be on the supervisory authority’s radar for monitoring their compliance after a previous infringement and contacts with the DPO where they exist are likely to have been extensive. In case of a breach of one of the provisions of the GDPR, adherence to an approved code of conduct might be indicative of how comprehensive the need is to intervene with an effective, proportionate, dissuasive administrative fine or other corrective measure from the supervisory authority.

In addition to all of the above-mentioned factors, any other aggravating or mitigating factors should be acknowledged in the assessment, such as financial benefits gained or losses avoided. For instance, information on profit obtained as a result of a breach might be particularly interesting for the supervisory authorities when conducting an assessment on the administrative fine.

Different Types of Infringements

There are various types of infringements that can result in either a lower or higher administrative fine. Pursuant to Article 83(4) of the GDPR, a violation of certain provisions may incur administrative fines of up to €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This “lower” category comprises violations of the obligations of both the controller and the processor, as stipulated in Articles 8, 11, 25, 39, 42, and 43 of the GDPR. These provisions relate to, among other things, data processor obligations, notifications of personal data breaches, data protection impact assessments, and the tasks of the data protection officer.

Further, Article 83(5) defines infringements that may be subject to a higher administrative fine of up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding year, whichever is higher. Firstly, the higher administrative fines apply to infringements of the basic principles for processing, such as the lawfulness of processing, conditions for consent, and processing of special categories of personal data. In addition, infringements of the data subjects’ rights (Art. 12 to 22 of the GDPR), such as breaching information obligations, the right of access or the right to object to the processing of personal data, and infringement of transfers of personal data to a recipient in a third country or international organisation pursuant to Articles 44 to 49 are also subject to the higher administrative fine. Article 83(5) also applies to an infringement of any obligations pursuant to the national law of a Member State, such as the Finnish Data Protection Act (1050/2018, as amended).

Lastly, non-compliance with an order, a temporary or definitive limitation on processing, the suspension of data flows by the supervisory authority, or a failure to provide access can be subject to a higher fine. Similarly, non-compliance with an order by the supervisory authority will also be subject to higher administrative fines.