The EDPB adopted new guidelines on the calculation of administrative fines under GDPR.
On 12 May 2022, the European Data Protection Board (EDPB) adopted a first version of Guidelines 04/2022 on the calculation of administrative fines under the GDPR. The objective is to strengthen harmonisation and transparency of the methodology used by national supervisory authorities to calculate the amount of the fines. According to the EDPB Guidelines, “it must be borne in mind that the calculation of a fine is no mere mathematical exercise”.
These new Guidelines complement the previous Guidelines adopted on 3 October 2017 on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP 253). What these two texts have in common is that they clarify the practical application of Article 83 of the GDPR (“General conditions for imposing administrative fines”). However, the 2017 Guidelines focus only on the circumstances in which to impose a fine.
The Guidelines 04/2022 propose five practical steps to calculate the amount of the fines:
- Step 1 – Identification of the processing operations and the existence of one or more infringements;
- Step 2 – Determination of the starting point for further calculation of the amount of the fine;
- Step 3 – Evaluation of the seriousness of the infringement in light of the aggravating and/or mitigating circumstances;
- Step 4 – Identification of the relevant legal maximums for the different infringements;
- Step 5 – Analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality, and the eventual need of adjustment.
The EDPB welcomes comments on these Guidelines by 27 June 2022 at the latest.
By Edouard Cruysmans and Erik Valgaeren