EU DPAs issue guidelines on how they calculate fines

The European Data Protection Board has issued guidelines today for consultation on the calculation of administrative fines. The EU DPAs aim at a harmonised approach that will reflect the seriousness of an infringement.

The DPAs plan to adopt a five-step approach for calculating a fine:

  1. Establish whether there is one or multiple infringements.
  2. Use the EDPB approved method for assessing a starting point for a further calculation, reflecting the seriousness of the infringement.
  3. Consider aggravating or mitigating factors that can increase or decrease the amount of the fine, for which the EDPB provides a consistent interpretation.
  4. Determine what could be the maximum fine, considering the limits set in the GDPR.
  5. Analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality, or whether further adjustments to the amount are necessary.

The EDPB considers that it is fair to take into account the size of the undertaking and its turnover to make sure the fine is proportionate. Mitigating factors include, for example, adherence to codes of conduct or good cooperation with the regulator. As for aggravating factors, economic gain from the infringement or previous infringements would be taken into account.

The public consultation closes 27 June.

See: EDPB - Guidelines 04/2022 on the calculation of administrative fines under the GDPR