New Gui­de­lines published: will com­pa­nies face hea­vier fines for vio­la­ti­ons of the GDPR?

The Euro­pean data pro­tec­tion aut­ho­ri­ties forming the Euro­pean Data Pro­tec­tion Board (EDPB) have published new gui­de­lines on the cal­cu­la­ti­on of admi­nis­tra­ti­ve fines for vio­la­ti­ons of data pro­tec­tion law. The object of the new gui­de­lines, which are still the sub­ject of a public con­sul­ta­ti­on pro­cess, is to har­mo­ni­ze prac­ti­ces for the impo­si­ti­on of admi­nis­tra­ti­ve fines in the various EU mem­ber sta­tes. As a result, com­pa­nies should be pre­pared to pay signi­fi­cant­ly hig­her fines for vio­la­ti­ons of data pro­tec­tion law.

Over­view of the new Guidelines

Despi­te fears to the con­tra­ry, the admi­nis­tra­ti­ve fines which have actual­ly been impo­sed for vio­la­ti­ons of the GDPR have been lower than expec­ted, asi­de from a few spec­ta­cu­lar cases, such as e.g. that invol­ving the pro­vi­der of the Grin­dr app. This is due in part to the fact that some data pro­tec­tion aut­ho­ri­ties in Euro­pe, and in Ger­ma­ny as well, have so far been reluc­tant to impo­se hea­vy fines. But this will chan­ge with the adop­ti­on of the new Gui­de­lines, par­ti­cu­lar­ly for lar­ge com­pa­nies with sub­stan­ti­al reve­nues. Nota­b­ly, the EDPB assu­mes that all actions or omis­si­ons by natu­ral per­sons who are aut­ho­ri­zed to act on behalf of com­pa­nies can be attri­bu­ted to the com­pa­nies them­sel­ves. In accordance with § 30 of the Ger­man Admi­nis­tra­ti­ve Offen­ses Act (only in Ger­man), on the other hand, fines can only be impo­sed on the com­pa­ny direct­ly in cases whe­re an exe­cu­ti­ve of the com­pa­ny com­mit­ted a cri­mi­nal act or admi­nis­tra­ti­ve offen­se. The ques­ti­on as to whe­ther or not this sta­tu­te appli­es to fines impo­sed for vio­la­ti­ons of the GDPR has yet to be deter­mi­ned by the ECJ and is curr­ent­ly the sub­ject of a preli­mi­na­ry ruling pro­ce­du­re (only in German).

Are the Gui­de­lines binding?

The Gui­de­lines stress seve­ral times that the actu­al amount of the fine depends on the cir­cum­s­tances of the indi­vi­du­al case. In other words, the EDPB’s five-step model is not a fee cal­cu­la­tor which can be used to deter­mi­ne the amount of a poten­ti­al fine with mathe­ma­ti­cal pre­cis­i­on. Howe­ver, the divi­si­on of the pro­cess into steps pre­scri­bes a metho­do­lo­gy which should result in a pro­cess which is high­ly ratio­nal and com­pre­hen­si­ble. It also rai­ses the ques­ti­on as to the degree to which the new gui­de­lines are bin­ding for data pro­tec­tion aut­ho­ri­ties. Gene­ral­ly spea­king, EDBP gui­de­lines are non-binding recom­men­da­ti­ons which are desi­gned to ensu­re con­sis­tent appli­ca­ti­on and inter­pre­ta­ti­on of the GDPR. The EDPB its­elf has stres­sed this point in the past. But in prac­ti­ce, the courts and data pro­tec­tion aut­ho­ri­ties may have to meet a hig­her bur­den of expl­ana­ti­on in the future in order to jus­ti­fy devia­ti­ons from the EDPB’s gui­de­lines. After all, in accordance with the prin­ci­ple that the admi­nis­tra­ti­on is bound by its own acts, the gui­de­lines will take on bin­ding effect in the future if data pro­tec­tion aut­ho­ri­ties con­vert the Gui­de­lines into rou­ti­ne admi­nis­tra­ti­ve practice.

Con­se­quen­ces for companies

The new Gui­de­lines have the poten­ti­al to inject new life into the enforce­ment prac­ti­ces of the data pro­tec­tion aut­ho­ri­ties, which have beco­me some­thing of a paper tiger late­ly. Accor­din­gly, data pro­tec­tion must be part of each com­pany’s com­pli­ance stra­tegy. But if a vio­la­ti­on of data pro­tec­tion law can­not be avo­ided despi­te the fact that a data pro­tec­tion com­pli­ance manage­ment sys­tem is in place, so that the com­pa­ny is facing the pos­si­bi­li­ty of a fine, the­re is no cau­se for panic even with the new Gui­de­lines. After all, the new Gui­de­lines still give com­pa­nies a gre­at deal of lee­way to pre­sent miti­ga­ting cir­cum­s­tances and nego­tia­te with the data pro­tec­tion authorities.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.