The German data protection authorities, known collectively as the DSK, have revealed that agreement has been reached on a method for calculating General Data Protection Regulation (GDPR) penalties.
The new method uses five steps to calculate the financial fine for each GDPR breach and is expected to result in much higher penalties. The highest possible fine under GDPR is 4% of annual global revenue for the previous financial year or €20m, whichever figure is higher. It is likely that a greater number of companies will be subjected to this top rate if the new model of calculation is fully implemented.
The new five-step structure works as follows:
Step 1: Determination of Company Size and Group Classification: The classifications include very small, small and medium sized. Within each classification there are further sub-divisions. This classification feeds into the calculation of annual revenue in the next step.
Step 2: Calculation of Average Annual Turnover: The DSK determines the offending company’s annual turnover for the previous year and assigns a fixed “average annual turnover fee” to the undertaking, based on the sub-group into which it was sorted in Step 1.
Step 3: Calculation of the Daily Rate: Using the annual revenue figures assigned, the DSK calculates a daily rate by dividing the calculated average annual turnover of the undertaking for the previous year by 360 days.
Step 4: Identification of Regular Fine Corridors & Mean Value: Next, the authority assesses the perceived severity of the specific offence. This severity assessment is mainly an overall assessment that takes into consideration, inter alia, the GDPR provisions infringed and the maximum fine limits set out in Article 83 (4) – (6) of the GDPR, with some discretion for the authorities to take into account the level of harm to individuals. There are four levels of severity, split into two groups. The level of severity is determined by considering whether there was a technical or material infringement and the perceived gravity of the infringement.
Step 5: Classification of the specific GDPR Infringement: In the final step the fine calculated in step 4 is amended to reflect the specific nature of the offence and its consequences for the impacted data subject.
A number of German data protection authorities have already begun to use this new method of calculating fines for GDPR breaches. However, as the method is still in its early days, there remain some wrinkles to iron out, and it is advisable for all companies subject to GDPR to make certain that they have an effective litigation defense in place in advance of being sanctioned with one of these penalties.