The EU’s General Data Protection Regulation (GDPR) became applicable four years ago. Both the number and amounts of administrative fines imposed by the supervisory authorities of EU Member States have been steadily increasing during these years. The biggest fines have reached tens and even hundreds of millions of euros. But have they been proportionate and harmonised, and how has the European Data Protection Board (EDPB), monitoring the consistent application of the GDPR, sought to ensure this?
Despite the direct applicability of the GDPR and the objectives of harmonising data protection rules, there have been ambiguities and inconsistencies between Member States in the imposition of administrative fines. This is due, inter alia, to the fact that the GDPR does not specify the amount of the fine to be imposed. It only sets the maximum amount for an infringement of certain provisions. However, this is finally being clarified as the EDPB issued guidelines on the calculation of fines for public consultation in May. See. EDPB’s Guidelines 04/2022 on the calculation of administrative fines under the GDPR. According to the GDPR, the amount of an administrative fine can be up to 4 % of the undertaking’s global turnover of the preceding financial year, regardless of the size of the undertaking in question. According to the new guidelines, supervisory authorities may consider the size of the undertaking when determining the starting amount of the fine. This means that the starting amount of the fine would be substantially higher for a larger undertaking than for a smaller one.
The turnover of an undertaking is determined by taking into account all natural and legal persons who can be considered to exercise a decisive influence over the undertaking. For example, a parent company can be held liable for an infringement committed by its subsidiary. Therefore, the turnover of the whole group can be taken into account when determining the starting amount of the fine. We have covered this competition law-based doctrine in more detail in our article: Liability for data protection fines – who ends up with the bill? published in June 2021 on www.dittmar.fi. The supervisory authority is also not required to determine or identify a natural person in the fining decision as the corporate liability entails that all acts performed by natural persons on behalf of undertakings are considered as acts directly committed by the undertaking. However, the principle of corporate liability contradicts the national law of certain Member States. As a result, the first case concerning the administrative fines under the GDPR is now pending in the CJEU. (See. Pending case C-807/21, Staatsanwaltschaft Berlin v Deutsche Wohnen SE.)
The guidelines also confirm that the turnover of the preceding financial year should not be understood as the year preceding the infringement but the year preceding the fining decision of the supervisory authority. This can prove detrimental to the undertaking where time has elapsed between the infringement and the fining decision. The undertaking might have grown its business so that its current turnover no longer corresponds to its turnover at the time of the infringement. It must be emphasized that the supervisory authorities are not obliged to apply the guidelines if they do not consider them necessary from the point of view of effectiveness, proportionality and dissuasiveness of the fines. There is already case law, where the Court has held that turnover-based calculation may lead to disproportionate fines. (Regional Court Bonn, case 29 OWi 1/20, 11 November 2020.)
The guidelines are useful tools for understanding the GDPR, but they are not binding sources of law
Although these guidelines have been drawn up for supervisory authorities, the EDPB has issued many other guidelines to encourage the application of the GDPR. They are useful tools for understanding the GDPR, but they are not binding sources of law. It is therefore contradictory to a certain extent that the supervisory authorities refer to them in their fining decisions. For example, the Finnish Data Protection Authority (DPA) issued a €100,000 administrative fine to postal service Posti Oy in 2020 for not informing data subjects of their rights. In its decision, the DPA referred to the guidelines on transparency. It is stated in the guidelines that the GDPR’s requirement to provide the data subjects with information “means that the data controller must take active steps to furnish the information in question to the data subject”. The fine decision was based on the fact that the information had not been provided actively enough. The Administrative Court of Helsinki overturned the fine based on the fact that the GDPR does not explicitly specify how and in what form the information shall be provided. According to the Court, the guidelines referred to by the DPA are not binding sources of law. The decision is not yet final, as the DPA has appealed to the Supreme Administrative Court.
“Although the guidelines are not binding, a company that aims to operate responsibly considers them in its operations”.
In general, the EDPB’s guidelines can be seen as facilitating companies in interpreting the GDPR. Although they are not binding, a company that aims to operate responsibly considers them in its operations . It should be emphasized that an administrative fine may have other significant effects in addition to a direct pecuniary loss. Negative publicity received by a company for non-compliance with its data protection obligations can cause significant reputational damage. Reputational damage, in turn, can lead to the loss of customers and business partners, which leads to additional financial losses and, for example, reduced turnover. An infringement of the GDPR may also result in other significant liability to both the company’s contracting parties and data subjects. Therefore, it is possible that claims for damages by data subjects and other parties who have suffered damage in the processing of personal data will incur a higher financial risk than the administrative fine.
These and many other aspects affecting the company’s business are discussed in more detail in co-author Roope Liuha’s Master’s thesis on administrative fines imposed on an undertaking. The thesis has been published in Finnish at Edilex Liuha: Tietosuoja-asetuksen mukaisten hallinnollisten seuraamusmaksujen määrääminen yritykselle.