Guidelines on the calculation of administrative fines under the GDPR

On 16 May 2022, the European Data Protection Board (“EDPB”) published the first version of the Guidelines on the calculation of administrative fines under the GDPR.

The EDPB pursues the goal of harmonizing the approach for calculating the amount of a fine by proposing a five-step methodology:

(i) Establish whether there are one or multiple infringements.
(ii) Use the EDPB-approved method for assessing a starting point for a further calculation, reflecting the seriousness of the infringement.
(iii) Consider aggravating or mitigating factors that can increase or decrease the fine amount, for which the EDPB provides a uniform interpretation.
(iv) Determine what could be the maximum fine, considering the limits set in the GDPR.
(v) Analyse whether the calculated final amount meets the requirements of effectiveness, deterrence and proportionality, or whether further adjustments to the amount are necessary.

The EDPB considers it fair to take the size of the undertaking and its turnover into account to make sure the fine is proportionate. Mitigating factors include, for example, adherence to codes of conduct or good cooperation with the authority.

As for aggravating factors, economic gain from the infringement or previous infringements would be taken into account.

These Guidelines are subject to public consultation, and the feedback should be sent by 27 June at the latest.