German Data Protection Authorities Releases a New Model to Calculate FDPR Fines

Written by: Richard Sheinis, Esq.

German data protection authorities have published a new model for calculating fines under GDPR, which, is likely to lead to higher fines.  While this model is strictly being tested in Germany, since GDPR should be applied equally across the EU, it is possible that this model could be expanded to provide a model for other member states.

The model is a calculation based on a number of factors.  The model first determines a “daily rate” for the “offending’ business by dividing the business’ aggregate global revenue for the previous year by 360 days.  Parent companies and subsidiaries are regarded as a single economic unit for purposes of calculating the daily rate.

The next step is to apply a multiplier based upon the severity of the subject offense.  The multiplier can be between 1 and 4 for a minor infringement, up to 12 to 14.4 for very severe infringements.  The daily rate is then multiplied by the multiplier range assigned to the infraction.

Other factors then considered are the duration of the infringement, the number of data subjects involved in the processing, and the extent of harm experienced by data subjects.  The supervisory authority would also consider other criteria related to the conduct of the offender.  This would include whether the offender was negligent or intentional in their violation of GDPR, measures implemented to mitigate damages, the existence of any previous infringements, cooperation with the supervisory authority, the type of personal data involved, and compliance with any previous orders from the supervisory authority.  Lastly, this model leaves room for any other aggregating or mitigating circumstances.

The overall calculation starts with a strictly mathematical equation which morphs into consideration of other more subjective factors.  The test for his model is whether it complies with Art. 83 of the GDPR which requires that fines are proportionate to the offense.