In May 2018, the General Data Protection Regulation (AVG) and its Implementing Act for the General Data Protection Regulation (UAVG) went into effect. Since then, the Personal Data Authority (AP) as regulator has been allowed to issue fines. But how are such fines calculated? That’s what this blog is about.
Power to impose fines
The regulator can fine both public and private organizations. In the case of non-compliance with the AVG, a fine of up to twenty million euros or 4% of annual worldwide turnover can be imposed (Article 83 paragraphs 4 and 5 AVG and Articles 17 and 18 UAVG). In 2021, the AP published 11 fines on its website. These range from 7,500 euros to 2.75 million euros. In determining the amount of fines, the AP uses rules from its self-created “Personal Data Authority Fine Policy 2019”. However, organizations that have violated the AVG want more transparency and predictability of fines. That is why there is a new guideline from the European Data Protection Board (EDPB). This should ensure more uniform fines across European Union member states.
Uncertainty about how AP operates
Research was commissioned by the Scientific Research and Documentation Center (WODC) to examine, among other things, the application and effectiveness of the AP’s administrative fine. The report was published in June of this year. The researchers conclude that there is no apparent policy on AP oversight and enforcement. The AP’s actions are inconsistent, and dialogue with the alleged violator of the AVG is regularly lacking. In its response to the report, the AP states that a mathematical comparison between different cases has little meaning. Of course, the specific circumstances of the case must be considered. But the researchers rightly note that some legal certainty is desirable.
Roadmap for calculating fines
On May 12, 2022, the EDPB published guidance on calculating administrative fines under the AVG. The recommendations contained therein can be outlined in the five steps below. In any case, the fines imposed must be effective, proportionate and dissuasive (Article 83(1) AVG).
Step 1: Identify processing activities and violation(s)
First, the processing activities must be identified. Then it is assessed whether a controller or processor has intentionally or negligently violated multiple requirements of the AVG. If so, the fine imposed cannot exceed that for the most serious offense. The EDPB further describes in detail the various (im)possibilities in the case of (non-)cumulative violations.
Step 2: Classify the violation(s)
After identifying the processing activities, the breach must be classified within the framework of the AVG (Article 83(4-6) AVG). The severity of the breach in the specific case must also be determined. Finally, the turnover of the alleged violator must be determined. The severity of each violation takes into account the nature, gravity and duration of the offense. Even more specifically, the EDPB states that the following are relevant:
- the nature, scope and purpose of the processing;
- the number of people affected;
- the severity of the damage.
The violator’s turnover can be used to impose an appropriate fine. Based on all these criteria, the supervisor must determine the appropriate starting amount.
Step 3: Identify aggravating or mitigating circumstances
Third, the supervisor must identify aggravating or mitigating circumstances. Are there any current or past circumstances that could explain the behavior of the controller or processor? If so, the starting amount can be adjusted upward or downward. Factors of importance in this assessment include:
- the actions taken by the organization to reduce damage;
- the degree of responsibility;
- any previous violations;
- the degree of cooperation with the supervisor.
Step 4: Testing against legal frameworks
In the fourth step, the supervisor checks whether applicable legal frameworks permit the adjustment of the amount made in the third step. The (adjusted) amount may not exceed the ceilings laid down in Article 83 AVG. In this step, the AP will additionally have to check its own frameworks from its policy rule.
Step 5: Testing for effectiveness, proportionality and deterrence
Finally, the regulator will have to consider whether the amount is sufficiently effective, proportionate and dissuasive. To be effective and dissuasive, the fine should strengthen AVG enforcement. The economic viability of the organization to be fined determines how proportionate the fine is. The difference between the fine for PVV Overijssel and the global company Booking.com is a concrete example of how this proportionality works.
A welcome addition to the AP’s current policy rule
The AP’s fining policy consists mainly of categorizing the various violations. Each category is associated with certain minimum and maximum amounts. In addition to this categorization, relevant factors are listed. The EDPB’s guidance provides extensive additional explanation of these factors. It also gives great insight into the path a supervisor must take from the start of an investigation to the actual imposition of a fine. In my opinion, following this guidance will lead to more consistent and transparent enforcement by the AP.
Is the AP taking enforcement action against you? Or has the AP started an investigation? We can help you from beginning to end in these difficult issues. To do so, contact one of our specialists.