Largely unnoticed by the public, the “Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Countries” (DSK) discussed a new calculation model for fines already in June 2019. Similar to antitrust law, this model is intended to facilitate a comprehensible practice in the calculation of fines.
Despite explicit requests, the model itself is currently not to be published. However, the model has already been used in practice (only for test purposes, as the DSK stresses). According to initial reports, the fine model will very probably lead to a significant increase in fines. This should not come as a surprise in view of the sharp increase in the legal threat of a fine of up to 4% of the previous year's worldwide turnover or € 20 million. A closer look at the available information, however, suggests that fines such as the € 110 million already imposed on the Marriott hotel chain or the € 204 million imposed on the British Airways airline are also more likely to be imposed also in Germany.
In a press release, the data protection conference confirms the existence of a corresponding calculation model, but currently does not disclose any details and points out that the model is initially only “tested” in concrete fine proceedings in order to test its practicability and accuracy. A further conference in November will discuss this furthermore. A decision will then also be taken on the publication of the concept.
Although it has not yet been published, the planned model can be reconstructed, at least in part, on the basis of the reasons given for the fine notices already issued. Thus, for the imposition of fines pursuant to Art. 83 DSGVO, an economic basic value in the form of a so-called “daily turnover” was initially calculated. Subsequently, the daily turnover was to be used to calculate a standard fine corridor and an average value. The infringement was first categorised as light, medium, severe or very severe. Which infringement corresponds to which category depends on its unlawfulness. The degree of fault of the controller in the infringement should also be taken into account, in addition to other aspects. The amount of the fine is then calculated by multiplying the category value by the daily turnover.
For example, the unsolicited sending of advertising mails constitutes a slight infringement. If a company with an annual turnover of € 36 million has therefore committed a slight infringement, this initially results in a daily turnover of € 100.000,00 (annual turnover divided by 360), which in the light category corresponds to a regular fine corridor of € 100,000.00 to € 400.000,00 (category value 1 – 4). The relevant mean value would then be € 250.000,00. Starting from this mean value, the fine is then shifted further up or down. The decisive factors are in particular the duration, type, extent and purpose, the number of persons affected, the extent of the damage suffered and the degree of fault. In the end, the mean value could increase or decrease by several 100 per cent.
However, it is questionable whether the fine model thus planned actually takes into account the principle of proportionality, which is also required by the DSGVO. Proportionate means especially that sanctions must be appropriate to the act and the debt. This requirement seems only partially taken into account by the new fine model, as it is primarily oriented towards the company's worldwide total turnover. This means that companies with high turnover would have to pay a large fine even for a relatively minor infringement. Although this is intended to some extent due to the deterrent function of a fine. However, a fine must not be disproportionate to the infringement committed on the basis of a high average annual turnover alone.
Consequences for practice:
Although the information sometimes available has not yet been officially confirmed and does not appear to be final. Nevertheless, it indicates the will of the data protection supervisory authorities to exploit the range of possible fines. The calculation method already leads to serious risks of fines even for small and medium-sized enterprises, which seem to be based on the relevant standards of the infringements for antitrust law . There are justified doubts as to whether such a calculation is still proportionate within the meaning of Art. 83 (1) DSGVO. In practice, the fact that the courts are not bound by corresponding guidelines on the imposition of fines but have an independent full right of review is relevant. It is therefore to be expected that the courts will also exert a considerable influence on the fine model.