The German concept for the calculation of GDPR fines
The German DPAs put forward a formula for calculating fines in Germany until the EDPB issues guidance. Dr. Moritz Hüsch and Daniel Röll of Covington & Burling LLP Germany explain.
The general framework for fines for infringements of the Regulation (EU) 2016/679 (GDPR) is set forth in Article 83 GDPR. Fines can, at the upper end, go up to 4% of the total worldwide annual turnover, Article 83 (5) GDPR. However, neither Article 83 GDPR nor other Articles of the GDPR contain a process or methodology on how fines should be calculated in an individual case. Pursuant to Article 70 (1) k) GDPR, it is up to the European Data Protection Board (EDPB) to draw up European guidelines which have not been published yet. So far, there are only the general guidelines on the application and setting of administrative fines available which were issued by the Article 29 working Party (now EDPB) in 2017.(1) In the absence of a more detailed concept at a European level, Germany’s data protection authorities (DPAs), within their regular conference Datenschutzkonferenz, or DSK), have developed their own concept for the calculation of GDPR fines.