EDPB Adopts Guidelines on the Calculation of Administrative Fines

On June 7, 2023, the European Data Protection Board (“EDPB”) adopted the final version of its Guidelines on the calculation of administrative fines under the GDPR (the “Guidelines”). Through the Guidelines, the EDPB intends to harmonize the methodology used by supervisory authorities (“SA”) to calculate fines.

The EDPB maintained the five-step methodology previously included in the public consultation version of the Guidelines, composed of the following steps: 1) identify the processing operations in the case and evaluate the application of Article 83(3) of the GDPR; 2) identify the starting point for further calculation of the fine amount; 3) evaluate aggravating and mitigating circumstances related to past/present behavior of the controller/processor; 4) identify the legal maximum(s) for the infringement(s) and corporate liability; and 5) assess the effectiveness, proportionality and dissuasiveness of the fine (and increase or decrease it accordingly). A step-by-step analysis of the methodology can be found here.

The EDPB clarified that this methodology should not be misunderstood as a form of automatic or arithmetical calculation; a human assessment of all relevant facts and circumstances at hand must always be conducted.

While the final version of the Guidelines remains generally aligned with the public consultation version, it is important to highlight a few key amendments. In particular, the EDPB introduced changes in how the size of an organization is considered in defining the starting amount for calculating fines (the starting amount being the figure calculated based on factors such as the nature of the violations and their seriousness in accordance with the five-step methodology). Full details of how the size of the organization can adjust the starting amount can be found in the Annex of the Guidelines, but by way of example:

  • For organizations with an annual turnover ≤ €2 million, the SA may consider proceeding with calculations on the basis of a sum between 0.2% and 0.4% of the identified starting amount; and
  • For organizations with an annual turnover of between €250 million and €500 million, the SA may consider proceeding with calculations on the basis of a sum between 40% and 100% of the identified starting amount.

The Guidelines also include two detailed examples of applying such calculations in the Annex, along with several other examples throughout the Guidelines.

Read the Guidelines.
