The European Data Protection Board has published the new Guidelines 04/2022 on the calculation of fines for public consultation. The deadline for the public consultation is 27 June 2022. Afterwards, the final version of the guidelines will be adopted, taking into account feedback from stakeholders.
The purpose of the guidelines is to harmonize the methodology used by data protection authorities. They also include harmonized “starting points” for calculating fines. In doing so, three elements are considered: categorization of the nature of the violation, the severity of the violation and the turnover of the business.
The guidelines set out a 5-step calculation methodology.
First, the data protection authorities must establish whether the case in question concerns one or more cases of sanctioned conduct and whether they have led to one or more breaches. The aim is to clarify whether all or only some of the violations can be fined.
Second, the authorities must rely on a starting point for calculating the fine, for which the Board provides a harmonized method.
Third, data protection authorities must take into account aggravating or mitigating factors that may increase or decrease the amount of the fine, for which the Board provides a consistent interpretation.
The fourth step is to determine the legal maximum amounts of the fines specified in Art. 83(4)–(6) of the General Data Protection Regulation (GDPR) and to ensure that these amounts are not exceeded.
In the fifth and final step, the authorities must analyze whether the calculated final amount meets the requirements for efficiency, deterrence and proportionality or whether additional adjustments are needed.
The guidelines are an important complement to the framework that the European Data Protection Board is building for more effective cooperation between data protection authorities in cross-border cases, which is a strategic priority of the Board.