What is DeFine?
DeFine is a calculator that implements part of the methodology proposed by the European Data Protection Board for calculating GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; the guidelines were subject to a public consultation until 27 June 2022).
These guidelines are only guidelines and do not guarantee any outcome; because of the public consultation, they should also not be viewed as final.
To quote the EDPB:
"The calculation of the amount of the fine is at the discretion of the supervisory authority, subject to the rules provided for in the GDPR. In that context, the GDPR requires that the amount of the fine shall in each individual case be effective, proportionate and dissuasive (Article 83(1) GDPR). Moreover, when setting the amount of the fine, supervisory authorities shall give due regard to a list of circumstances that refer to features of the infringement (its seriousness) or of the character of the perpetrator (Article 83(2) GDPR). Lastly, the amount of the fine shall not exceed the maximum amounts provided for in Articles 83(4) (5) and (6) GDPR. The quantification of the amount of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR.
Taking the abovementioned into account, the EDPB has devised the following methodology, consisting of five steps, for calculating administrative fines for infringements of the GDPR.
Firstly, the processing operations in the case must be identified and the application of Article 83(3) GDPR needs to be evaluated (Chapter 3). Second, the starting point for further calculation of the amount of the fine needs to be identified (Chapter 4). This is done by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the undertaking. The third step is the evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly (Chapter 5). The fourth step is identifying the relevant legal maximums for the different infringements. Increases applied in previous or next steps cannot exceed this maximum amount (Chapter 6). Lastly, it needs to be analysed whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality. The fine can still be adjusted accordingly (Chapter 7), however without exceeding the relevant legal maximum.
Throughout all abovementioned steps, it must be borne in mind that the calculation of a fine is no mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – vary between any minimum amount and the legal maximum.
These Guidelines and its proposed methodology will remain under constant review of the EDPB."
DeFine helps anticipate what the "starting amount" might be, i.e. the outcome of Chapter 4 of Guidelines 04/2022, on the assumption that a supervisory authority takes into account all of the EDPB's suggestions.
Because of all these caveats, it should not be seen as providing a full picture, but we hope it will be helpful to understand the proposed methodology better. For a comparison between this methodology and the top 250 GDPR fines imposed by August 2022 on companies with an identifiable turnover, read our separate article here.
Should you trust this website?
[Format: 12345678 + currency. Use integers, with no decimals. Also, this information never goes to any servers, so don't worry about confidentiality.]
The EDPB's guidelines include many considerations on what constitutes the "undertaking" whose turnover needs to be included. Notably:
"120. Accordingly, in cases where the controller or processor is (part of) an undertaking in the sense of Articles 101 and 102 TFEU, the combined turnover of such undertaking as a whole can be used to determine the dynamic upper limit of the fine (see Chapter 6.2.2), and to ensure that the resulting fine is in line with the principles of effectiveness, proportionality and dissuasiveness (Article 83(1) GDPR)."
[…] 124. In the specific case where a parent company holds 100% of shares or almost 100% of shares in a subsidiary which has infringed Article 83 GDPR and therefore is able to exercise decisive influence over the conduct of its subsidiary, a presumption arises that the parent company does in fact exercise this decisive influence over the conduct of its subsidiary (so-called Akzo presumption)
[…] 125. However, the Akzo presumption is not an absolute one, but can be rebutted by other evidence
[…] 126. If, on the other hand, the parent company does not hold all or almost all of the capital, additional facts must be evidenced by the supervisory authority to justify the existence of a [single economic unit]."
The EDPB's guidelines also define how to calculate the "turnover":
"128. Turnover is taken from the annual accounts of an undertaking, which are drawn up with reference to its business year and provide an overview of the past financial year of a company or of a group of companies (consolidated accounts). Turnover is defined as the sum of all goods and services sold. The term turnover within the meaning of Article 83(4)–(5) GDPR is to be understood in terms of the net turnover of Directive 2013/34/EU. According to this directive, net turnover means the amount derived from the sale of products and the provision of services after deducting sales rebates and value added tax (VAT) and other taxes directly linked to turnover.
129. Turnover is taken from the presentation of the profit and loss account within the meaning of Annexes V or VI to Article 13(1) of Directive 2013/34/EU under the heading "net turnover". Net turnover includes revenue from the sale, rental and leasing of products and revenue from the sale of services less sales deductions (e.g. rebates, discounts) and VAT. Revenue therefore does not include items which are unrelated to the business object/sector of the company such as for example the proceeds from the sale of fixed assets, rental of unused parts of buildings, insurance premiums, commissions and interest income in case of an industrial company."
Which are the (alleged) infringements, per relevant article of the GDPR?
Notes: (i) multiple selections are permitted, but (ii) where an infringement concerns both a specific provision and a general one (e.g. one of the data protection principles) that the specific one embodies, the EDPB states that "[a] more specific provision (derived from the same legal act or different legal acts of the same force) supersedes a more general provision, although both pursue the same objective", in accordance with the principle of specialty (specialia generalibus derogant). Because whether the principle applies cannot be assessed through this tool, select only the relevant provisions that are not superseded.
Art. 5(1), 5(2) [Principles relating to processing of personal data; accountability]
Art. 6, 7 [Lawfulness of processing; conditions for consent]
Art. 8 [Child's consent in relation to information society services]
Art. 9 [Health, biometrics, politics, etc.]
Art. 11 [Processing which does not require identification]
Art. 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 [Transparency, access, rectification, erasure, restriction, portability, objection, automated decision-making]
Art. 25 [Data protection by design and by default]
Art. 26, 27, 28, 29 [Joint controllers, processors, EU representatives]
Art. 30 [Records of processing activities]
Art. 31 [Cooperation with the supervisory authority]
Art. 32, 33, 34, 35, 36 [Security, personal data breach management and notification, data protection impact assessment and prior consultation]
Art. 37, 38, 39 [Data protection officer designation, position and tasks]
Art. 41(4), 42, 43 [Monitoring of code of conduct observance, certification observance and monitoring]
Art. 44, 45, 46, 47, 48, 49 [Obligations in relation to international data transfers]
Art. 58(1), 58(2) [Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority, non-provision of access requested by a supervisory authority]
Art. 85, 86, 87, 88, 89, 90, 91 [Obligations Member States can impose in relation to e.g. national identification numbers, employment-related processing, safeguards regarding statistics or research processing, etc.]
Seriousness of the infringement
What is the likely level of "seriousness" the supervisory authority will give to the infringement(s)?
[There are three levels - low, medium and high. See explanations for more insights.]
The EDPB's guidelines state clearly that the assessment of the seriousness of an infringement is based on various factors that determine "the seriousness of the infringement as a whole. This assessment is no mathematical calculation in which the abovementioned factors are considered individually, but rather a thorough evaluation of the concrete circumstances of the case, in which all of the abovementioned factors are interlinked. Therefore, in reviewing the seriousness of the infringement, regard should be given to the infringement as a whole."
The factors in question are the following:
Nature, gravity, and duration of the infringement
54. […] This assessment should therefore consider the following specific elements:
a) The nature of the infringement, assessed by the concrete circumstances of the case. In that sense, this analysis is more specific than abstract classification of Article 83(4)–(6) GDPR. The supervisory authority may review the interest that the infringed provision seeks to protect and the place of this provision in the data protection framework. In addition, the supervisory authority may consider the degree to which the infringement prohibited the effective application of the provision and the fulfilment of the objective it sought to protect.
b) The gravity of the infringement, assessed on the basis of the specific circumstances. […]
i. The nature of the processing, including the context in which the processing is functionally based (e.g. business activity, non-profit, political party, etc.) and all the characteristics of the processing. When the nature of processing entails higher risks, e.g. where the purpose is to monitor, evaluate personal aspects or to take decisions or measures with negative effects for the data subjects, depending on the context of the processing and the role of the controller or processor, the supervisory authority may consider to attribute more weight to this factor. Further, a supervisory authority may attribute more weight to this factor when there is a clear imbalance between the data subjects and the controller (e.g. when the data subjects are employees, pupils or patients) or the processing involves vulnerable data subjects, in particular children.
ii. The scope of the processing, with reference to the local, national or cross-border scope of the processing carried out and the relationship between this information and the actual extent of the processing in terms of the allocation of resources by the data controller. This element highlights a real risk factor, linked to the greater difficulty for the data subject and the supervisory authority to curb unlawful conduct as the scope of the processing increases. The larger the scope of the processing, the more weight the supervisory authority may attribute to this factor.
iii. The purpose of the processing, will lead the supervisory authority to attribute more weight to this factor. The supervisory authority may also consider whether the purpose falls within the so-called core activities of the controller. The more central the processing is to the controller’s or processor’s core activities, the more severe irregularities in this processing will be. The supervisory authority may attribute more weight to this factor in these circumstances. There may be circumstances though, in which the processing of personal data is further removed from the core business of the controller or processor, but significantly impacts the evaluation nonetheless (this is the case, for example, of processing concerning personal data of workers where the infringement significantly affects those workers’ dignity).
iv. The number of data subjects concretely but also potentially affected. The higher the number of data subjects involved, the more weight the supervisory authority may attribute to this factor. In many cases it may also be considered that the infringement takes on "systemic" connotations and can therefore affect, even at different times, additional data subjects who have not submitted complaints or reports to the supervisory authority. The supervisory authority may, depending on the circumstances of the case, consider the ratio between the number of data subjects affected and the total number of data subjects in that context (e.g. the number of citizens, customers or employees) in order to assess whether the infringement is of a systemic nature.
v. The level of damage suffered and the extent to which the conduct may affect individual rights and freedoms. The reference to the "level" of damage suffered, therefore, is intended to draw the attention of the supervisory authorities to the damage suffered, or likely to have been suffered, as a further, separate parameter with respect to the number of data subjects involved (for example, in cases where the number of individuals affected by the unlawful processing is high but the damage suffered by them is marginal). Following Recital 75 GDPR, the level of damage suffered refers to physical, material or non-material damage. The assessment of the damage should, in any case, be limited to what is functionally necessary to achieve a correct evaluation of the level of seriousness of the infringement as indicated in paragraph 61 below, without overlapping with the activities of judicial authorities as tasked with ascertaining the different forms of individual harm.
c) The duration of the infringement, meaning that a supervisory authority may generally attribute more weight to an infringement with longer duration. Noting that a given conduct might have been illicit also within the previous regulatory framework, thus adding an additional element to assess the gravity of the infringement. The longer the duration of the infringement, the more weight the supervisory authority may attribute to this factor. If permitted by national law, both the period after the GDPR's effective date and the previous period may be taken into account when quantifying the fine, taking into account the conditions of that framework.
Intentional or negligent character of the infringement
57. The intentional or negligent character of the infringement (Article 83(2)(b) GDPR) should be assessed taking into account the objective elements of conduct gathered from the facts of the case. The EDPB highlighted that "it is generally admitted that intentional [infringements], demonstrating contempt for the provisions of the law, are more severe than unintentional ones." In case of an intentional infringement, the supervisory authority is likely to attribute more weight to this circumstance. Depending on the circumstances of the case, the supervisory authority may also attach weight to the degree of negligence. At best, negligence could be regarded as neutral.
Categories of personal data affected
58. Concerning the requirement to take account of the categories of personal data affected (Article 83(2)(g) GDPR), the GDPR clearly highlights the types of data that deserve special protection and therefore a stricter response in terms of fines. This concerns, at the very least, the types of data covered by Articles 9 and 10 GDPR, and data outside the scope of these Articles the dissemination of which causes immediate damages or distress to the data subject (e.g. location data, data on private communication, national identification numbers, or financial data, such as transaction overviews or credit card numbers). In general, the more of such categories of data involved or the more sensitive the data, the more weight the supervisory authority may attribute to this factor.
59. Further, the amount of data regarding each data subject is of relevance, considering that the infringement of the right to privacy and protection of personal data increases with the amount of data regarding each data subject.
On the basis of the parameters given, the EDPB's methodology suggests the following:
Likely fine range, before mitigating & aggravating factors: between XXX and XXX EUR
This GDPR fine calculator is based on the relevant guidelines of the European Data Protection Board, and the calculation is based on information provided by the user. This calculator is intended only to inform readers on how the EDPB's guidelines appear to work and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. Keller and Heckman LLP will accept no responsibility for any actions taken or not taken on the basis of this calculator. This may qualify as "Lawyer Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.