What is DeFine?
DeFine turns part of the methodology proposed by the European Data Protection Board for calculating GDPR fines into a calculator (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; the guidelines were subject to a public consultation until 27 June 2022).
These guidelines are only guidelines and guarantee no outcome; because they went through a public consultation, they should also not be viewed as final.
To quote the EDPB:
"The calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the rules provided for in the GDPR. In that context, the GDPR requires that the amount of the fine shall in each individual case be effective, proportionate and dissuasive (Article 83(1) GDPR). Moreover, when setting the amount of the fine, supervisory authorities shall give due regard to a list of circumstances that refer to features of the infringement (its seriousness) or of the character of the perpetrator (Article 83(2) GDPR). Lastly, the amount of the fine shall not exceed the maximum amounts provided for in Articles 83(4) (5) and (6) GDPR. The quantification of the amount of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR.
Taking the abovementioned into account, the EDPB has devised the following methodology, consisting of five steps, for calculating administrative fines for infringements of the GDPR.
Firstly, the processing operations in the case must be identified and the application of Article 83(3) GDPR needs to be evaluated (Chapter 3). Second, the starting point for further calculation of the amount of the fine needs to be identified (Chapter 4). This is done by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the undertaking. The third step is the evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly (Chapter 5). The fourth step is identifying the relevant legal maximums for the different infringements. Increases applied in previous or next steps cannot exceed this maximum amount (Chapter 6). Lastly, it needs to be analysed whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality. The fine can still be adjusted accordingly (Chapter 7), however without exceeding the relevant legal maximum.
Throughout all abovementioned steps, it must be borne in mind that the calculation of a fine is no mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – vary between any minimum amount and the legal maximum.
These Guidelines and its proposed methodology will remain under constant review of the EDPB."
DeFine helps anticipate what the "starting amount" (Chapter 4 of Guidelines 04/2022) might be, on the assumption that a supervisory authority takes into account all of the EDPB's suggestions.
Given these caveats, the calculator should not be seen as providing a full picture, but we hope it helps readers understand the proposed methodology better. For a comparison between this methodology and the top 250 GDPR fines imposed by August 2022 on companies with an identifiable turnover, read our separate article here.
Should you trust this website?
[Format: 12345678 + currency. Use integers, with no decimals. Also, this information never goes to any servers, so don't worry about confidentiality.]
Which are the (alleged) infringements, per relevant article of the GDPR?
Notes: (i) multiple selections are permitted, but (ii) where an infringement concerns both a specific provision and a general one (e.g. one of the data protection principles) that the specific provision embodies, the EDPB states that "[a] more specific provision (derived from the same legal act or different legal acts of the same force) supersedes a more general provision, although both pursue the same objective", in accordance with the principle of specialty (specialia generalibus derogant). Because this tool cannot assess whether that principle applies, select only the relevant provisions that are not superseded.
Art. 5(1), 5(2) [Principles relating to processing of personal data; accountability]
Art. 6, 7 [Lawfulness of processing; conditions for consent]
Art. 8 [Child's consent in relation to information society services]
Art. 9 [Health, biometrics, politics, etc.]
Art. 11 [Processing which does not require identification]
Art. 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 [Transparency, access, rectification, erasure, restriction, portability, objection, automated decision-making]
Art. 25 [Data protection by design and by default]
Art. 26, 27, 28, 29 [Joint controllers, processors, EU representatives]
Art. 30 [Records of processing activities]
Art. 31 [Cooperation with the supervisory authority]
Art. 32, 33, 34, 35, 36 [Security, personal data breach management and notification, data protection impact assessment and prior consultation]
Art. 37, 38, 39 [Data protection officer designation, position and tasks]
Art. 41(4), 42, 43 [Monitoring of code of conduct observance, certification observance and monitoring]
Art. 44, 45, 46, 47, 48, 49 [Obligations in relation to international data transfers]
Art. 58(1), 58(2) [Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority, non-provision of access requested by a supervisory authority]
Art. 85, 86, 87, 88, 89, 90, 91 [Obligations Member States can impose in relation to e.g. national identification numbers, employment-related processing, safeguards regarding statistics or research processing, etc.]
Seriousness of the infringement
What is the likely level of "seriousness" the supervisory authority will give to the infringement(s)?
[There are three levels: low, medium and high. See the explanations for more insights.]
On the basis of the parameters given, the EDPB's methodology suggests the following:
Likely fine range, before mitigating & aggravating factors: between XXX and XXX EUR
This GDPR fine calculator is based on the relevant guidelines of the European Data Protection Board, and the calculation is based on information provided by the user. This calculator is intended only to inform readers on how the EDPB's guidelines appear to work and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. Keller and Heckman LLP will accept no responsibility for any actions taken or not taken on the basis of this calculator. This may qualify as "Lawyer Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.