The European Data Protection Board (EDPB) recently issued its draft guidance on calculating fines, entitled “Guidelines 04/2022 on the calculation of administrative fines under the GDPR”. This article looks at this development in brief.
What’s this all about?
Under the EU GDPR, organizations can be fined for GDPR infringements. The amount of the fine is at the discretion of the supervisory authority/data protection authority (“DPA”), subject to certain rules laid down in the GDPR: the amount of the fine must in each individual case be effective, proportionate and dissuasive; when setting the amount of the fine, DPAs must give due regard to a list of circumstances relating to features of the infringement (its seriousness) or to the character of the perpetrator; and the amount of the fine must not exceed the maximum amounts provided for in the GDPR.
Taking all of this into account, the EDPB has now come up with a methodology, in the form of guidance, consisting of five steps, for calculating administrative fines for GDPR infringements.
The aim of the guidance is to have a standardized approach, including for the purposes of legal certainty, so that DPAs across the EU/EEA follow the same methodology to calculate fines, bearing in mind that the individual circumstances of a case will always be a determining factor.
What are the highlights of the draft guidance?
The guidance sets out a five-step calculation methodology, summarised as follows:
- First, DPAs have to determine whether the case in question concerns one or more instances of sanctionable conduct and if they have led to one or multiple infringements (concurrent infringements), the purpose being to clarify whether all the infringements or only some of them can be fined;
- Second, the starting point for further calculation of the amount of the fine needs to be identified. This is done by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the organization;
- Third, aggravating and mitigating circumstances relating to the past or present behaviour of the controller/processor, which increase or decrease the fine, must be evaluated;
- Fourth, the relevant legal maximums for the different infringements must be identified; increases applied in previous or next steps cannot exceed this maximum amount; and,
- Fifth, whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality must be analysed. The fine can still be adjusted, but without exceeding the relevant legal maximum.
As the guidance makes clear, DPAs are not obliged to follow all the above steps if they are not applicable in a given case.
We have selected below aspects of the guidance concerning aggravating and mitigating circumstances and corporate liability respectively, as these seem to us to be of key importance to organizations:
Aggravating and Mitigating Circumstances:
- “A first step in determining whether aggravating or mitigating circumstances have occurred, is to review Article 83(2)(c) [of EU GDPR], which concerns “any action taken by the controller or processor to mitigate the damage suffered by data subjects”;
- “[…] in case of an infringement, the controller or processor should “do whatever they can do in order to reduce the consequences of the breach for the individual(s) concerned”;
- “The measures adopted must be assessed, in particular, with regard to the element of timeliness, i.e. the time when they are implemented by the controller or processor, and their effectiveness. In that sense, measures spontaneously implemented prior to the commencement of the [DPA’s] investigation becoming known to the controller or processor are more likely to be considered a mitigating factor, than measures that have been implemented after that moment”;
- “[…] the [DPA] should take into account any relevant documentation provided by the controller or processor, e.g. in the context of the exercise of their right of defence. In particular, such documentation could provide evidence of when the measures were taken and how they were implemented, whether there were interactions between the controller and the processor (if applicable), or whether there has been contact with the [Data Protection Officer] or data subjects (if applicable)”;
- “Given the increased level of accountability under the GDPR […] it is likely that the degree of responsibility of the controller or processor will be considered an aggravating or a neutral factor. Only in exceptional circumstances, where the controller or processor has gone above and beyond the obligations imposed upon them, will this be considered a mitigating factor”;
- “Firstly, regard must be given to the point in time when the prior infringement took place, considering that the longer the time between a previous infringement and the infringement currently being investigated, the lower its significance. Consequently, the longer ago the infringement was committed, the less relevance shall be given by the supervisory authorities”;
- “However, since infringements committed a long time ago might still be of interest when assessing the “track record” of the controller or processor, fixed limitation periods are not to be set to this purpose. However, some national laws do prevent the [DPA] from considering previous infringements after a settled period. Likewise, certain national laws impose a record deletion obligation after a certain period of time, which prevents the acting [DPAs] from taking into account these precedents”;
- “Even though all prior infringements might provide an indication about the controller’s or processor’s general attitude towards the observance of the GDPR, infringements of the same subject matter must be given more significance, as they are closer to the infringement currently under investigation, especially when the controller or processor previously committed the same infringement (repeated infringements). Thus, same subject-matter infringements must be considered as more relevant than previous infringements concerning a different topic”;
- “For example, the fact that the controller or the processor had failed in the past to respond to data subjects exercising their rights in a timely manner must be considered more relevant when the infringement being investigated refers also to a lack of response to a data subject exercising their rights than when it refers to a personal data breach”;
- “However, due account must be taken of previous infringements of a different subject matter, but that were committed in the same manner, as they might be indicative of persisting problems within the controller or processor organization. For example, this would be the case for infringements arising as a consequence of having ignored the advice provided by the Data Protection Officer”;
- “The existence of previous infringements can be considered an aggravating factor in the calculation of the fine. The weight given to this factor is to be determined in view of the nature and frequency of the previous infringements. The absence of any previous infringements, however, cannot be considered a mitigating factor, as compliance with the GDPR is the norm. If there are no previous infringements, this factor can be regarded as neutral”;
- “Following Article 83(2)(h) [of EU GDPR], the manner in which the infringement became known to the [DPA] could be a relevant aggravating or mitigating factor. In assessing this, particular weight can be given to the question whether, and if so to what extent, the controller or processor notified the infringement out of its own motion, before the infringement was known to the [DPA] by – for instance – a complaint or an investigation. This circumstance is not relevant when the controller is subject to specific notification obligations (such as in the case of personal data breaches according to Article 33 [of EU GDPR]). In such cases, this notification should be considered as neutral”;
- “Article 83(2)(k) GDPR mentions examples of “any other aggravating or mitigating factor applicable to the circumstances of the case,” i.e. financial benefits gained, or losses avoided, directly or indirectly, from the infringement. It is considered that this provision is of fundamental importance for adjusting the amount of the fine to the specific case”;
- “The scope of this provision, which is necessarily open-ended, should include all the reasoned considerations regarding the socio-economic context in which the controller or processor operates, those relating to the legal context and those concerning the market context”; and,
- “In particular, economic gain from the infringement could be an aggravating circumstance if the case provides information about profit obtained as a result of the infringement of the GDPR”.
Corporate Liability:
- “As for the term ‘undertaking’ […] Recital 150 GDPR states: ‘Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU [Treaty on the Functioning of the European Union] for those purposes’” – please note that these articles concern competition/antitrust law;
- “[…] in cases where the [data] controller or processor is (part of) an undertaking in the sense of Articles 101 and 102 TFEU, the combined turnover of such undertaking as a whole can be used to determine the dynamic upper limit of the fine […]”;
- “The [European] Court of Justice has developed a vast body of case law on the concept of undertaking. The term ‘undertaking’ “encompasses every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed.” For the purpose of competition law, “undertakings” are therefore identified with economic units rather than legal units. Different companies belonging to the same group can form an economic unit and therefore an undertaking within the meaning of Articles 101 and 102 TFEU”;
- “In line with settled CJEU case law the term undertaking in Articles 101 and 102 TFEU can refer to a single economic unit (SEU), even if that economic unit consists of several natural or legal persons. Whether several entities form a SEU depends largely on whether the individual entity is free in its decision-making ability or whether a leading entity, namely the parent company, exercises decisive influence over the others. The criteria for determining this are based on the economic, legal and organizational links between the parent company and its subsidiary, for example, the amount of the participation, personnel or organizational ties, instructions and the existence of company contracts”;
- “In line with the SEU doctrine, Article 83(4)–(6) GDPR follow the principle of direct corporate liability, which entails that all acts performed or neglected by natural persons authorized to act on behalf of undertakings are attributable to the latter and are considered as an act and infringement directly committed by the undertaking itself. The fact that certain employees did not comply with a code of conduct is not sufficient to disrupt this attribution. Rather it is only disrupted where the natural person acts solely for its own private purposes or for purposes of a third party, thereby becoming itself a separate controller (i.e. the natural person has acted in excess of their permitted remit). This European Union law principle and scope of corporate liability takes precedence and must not be undermined by limiting it to the acts of certain functionaries (like principal managers) by contradicting national law. It is not relevant which natural person acted on behalf of which of the entities. The [DPA] and national courts therefore must not be required to determine or identify a natural person in the investigations or the fining decision”;
- “In the specific case where a parent company holds 100% of shares or almost 100% of shares in a subsidiary which has infringed Article 83 GDPR and therefore is able to exercise decisive influence over the conduct of its subsidiary, a presumption arises that the parent company does in fact exercise this decisive influence over the conduct of its subsidiary (so-called Akzo presumption). This also applies if the parent company does not hold the shares in the total capital directly, but indirectly through one or more subsidiaries. For example, there might also be a chain of subsidiaries, where one entity holds 100% or almost 100% of shares of an intermediate entity that holds 100% or almost 100% of shares of another entity, and so forth. Also a parent company might hold 100% or almost 100% of shares of two entities that each hold about 50% of an entity, thereby providing the parent company with decisive influence on all of them. In those circumstances, it is sufficient for the [DPA] to prove that the subsidiary is directly or indirectly wholly or almost wholly owned by the parent company in order to presume – as a rule of practical experience – that the parent exercises a decisive influence”;
- “However, the Akzo presumption is not an absolute one, but can be rebutted by other evidence. In order to rebut the presumption, the company(ies) must provide evidence relating to the organizational, economic and legal links between the subsidiary and its parent company which are apt to demonstrate that they do not constitute a SEU despite holding 100% or almost 100% of shares. In order to ascertain whether a subsidiary itself acts autonomously, account must be taken of all the relevant factors relating to those links that tie the subsidiary to the parent company, which may vary from case to case and cannot therefore be set out in an exhaustive list”;
- “If, on the other hand, the parent company does not hold all or almost all of the capital, additional facts must be evidenced by the supervisory authority to justify the existence of a SEU. In such a case, the supervisory authority has to demonstrate, not only that the parent company has the ability to exercise decisive influence over the subsidiary, but also that it has actually exercised such decisive influence so that it can intervene at any time in the subsidiary’s freedom of choice and determine its behaviour. The nature or type of instruction is irrelevant when determining the parent company’s influence”;
- “The fine is addressed to the (joint-) controller(s)/processor(s), and the competent [DPA] has the option to hold the parent company jointly and severally liable for the payment of the fine”; and,
- Fines are based on total worldwide annual turnover. “Turnover is taken from the annual accounts of an undertaking, which are drawn up with reference to its business year and provide an overview of the past financial year of a company or of a group of companies (consolidated accounts). Turnover is defined as the sum of all goods and services sold. The term turnover within the meaning of Article 83(4)–(5) GDPR is to be understood in terms of the net turnover of Directive 2013/34/EU. According to this directive, net turnover means the amount derived from the sale of products and the provision of services after deducting sales rebates and value added tax (VAT) and other taxes directly linked to turnover”.
What are the next steps?
The draft guidance is open to public consultation – comments are to be sent by 27 June 2022 at the latest (here: https://edpb.europa.eu/our-work-tools/documents/public-consultations/reply-form_en?node=3617). After the consultation, a final version of the guidance will be adopted, which, it is said, will include a reference table with a range of starting points for the calculation of a fine, correlating the seriousness of an infringement with the turnover of an organization.
What are the takeaways?
Key considerations include the following:
- As the guidance itself says, this general methodology should not be misunderstood as a form of automatic or arithmetical calculation. The individual setting of a fine will always be based on an assessment of all relevant circumstances of the case and must be effective, proportionate and deterrent with regard to that specific case, i.e. every case will be different;
- These guidelines cannot anticipate each and every possible particularity of a case and in this regard cannot provide exhaustive guidance for DPAs. Moreover, guidance is just guidance – a court will have the final say on the interpretation of fines under the EU GDPR; and
- Brief the Board on the corporate liability aspects – they may not be aware that, where there are parent and subsidiary companies, the parent may find itself taken into the equation when a fine is calculated, which could make a very significant difference to the level of the fine, i.e. a much higher fine.
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The European Data Protection Board guidance can be found here: https://edpb.europa.eu/news/news/2022/edpb-adopts-guidelines-calculation-fines-guidelines-use-facial-recognition_en.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785