The European Data Protection Board (EDPB) has adopted final guidelines for standardizing fine practices across Europe. Fines may be imposed whenever European supervisory authorities identify violations of the General Data Protection Regulation (GDPR). The guidelines set out five steps that must be followed when determining a fine. In the first step, the processing of personal data by the controller is identified and the applicability of Article 83(3) GDPR is checked. In the second step, the starting point for calculating the fine is determined based on the severity of the violation in the circumstances of the individual case and on the company’s turnover.
In the third step, the controller’s past or present behavior is assessed for aggravating or mitigating circumstances. In the fourth step, the relevant statutory maximum amounts are determined; under Article 83 GDPR these are 20 million euros or, for companies, up to 4% of global annual turnover. In the final step, the resulting amount is checked for effectiveness, deterrence, and proportionality as required by Article 83(1). Compared with the original guidelines, the discretionary powers of the authorities have been increased, and some starting amounts for the calculation have been adjusted upwards.
The guidelines make fines more transparent and lay the foundation for Europe-wide uniform fine practices. They will be continuously reviewed and updated as necessary in the future, and authorities always retain a certain degree of discretion in their decisions. The complete guidelines can be found on the EDPB website.