Fines are the main instrument for enforcing the General Data Protection Regulation (GDPR) against data protection violations, and they can represent a significant financial burden for companies. Depending on the type of breach, fines can reach 10 or 20 million euros, or 2% or 4% of a company's global annual turnover, whichever is higher. The trend in recent years shows that data protection authorities are issuing more, and higher, fines for data protection violations.
However, the framework on data protection fines depends not only on the GDPR, but also on national laws and administrative proceedings. This means the results – particularly the amount of a fine – may vary across the Member States. To help standardise their approach, the European Data Protection Board (EDPB), comprised of the Member State regulators, has stepped in.
The EDPB is an independent European body tasked with ensuring the consistent application of the GDPR and promoting cooperation between the EU data protection authorities. To help achieve a uniform fine framework under the GDPR, the EDPB published its recommendation (04/2022) in July 2022. In this recommendation, the EDPB suggests the competent national authorities calculate GDPR fines using the following five steps:
Please find more detail on this five-step plan including specific examples here.
It remains to be seen whether the national authorities will adhere to this five-step plan and what the consequences will be in terms of the number and amount of fines under the GDPR across the EU.
From a legal perspective, the EDPB's recommendation is already giving renewed focus to the question in Germany as to how the conduct of a natural person is attributable to the breaching company as legal entity.
The EDPB states in its recommendation that a fine can be issued if the processor or controller (i.e. the respective company) has breached the GDPR. However, this opinion does not reflect German national law on administrative offences, which states that fines can only be issued if the deliberate offence of an organ of the company (i.e. the action of a natural person) is attributable to the respective company as a legal entity. The procedural contradictions are obvious and have been submitted to the European Court of Justice in the Deutsche Wohnen case, in which the main question is the conditions under which a fine can be imposed on a legal entity.
Background of the case
In Autumn 2019, the Berlin Data Protection Commissioner issued a fine notice of 14.5m Euros to Deutsche Wohnen, one of Germany's largest real estate businesses. Deutsche Wohnen first came to the authority's attention in June 2017. At that time, the authority criticised it for data retention failings - personal data of tenants had been stored in an archive system and could not be deleted, even though it was no longer needed. As the infringement was not remedied, the authority issued the fine in 2020.
Deutsche Wohnen appealed the fine. The district court of Berlin then discontinued the fine proceedings on the basis that the fine notice was invalid because it did not contain any information on specific GDPR violations committed by an organ of the company. Under the German Act on Regulatory Offences, fine proceedings can only be initiated against a legal entity if the issuing authority has proved that there has been a deliberate infringement by a natural person representing the company.
The public prosecutor filed an appeal against the decision of the district court of Berlin. The Kammergericht Berlin, which had jurisdiction in the next instance, suspended the proceedings and referred the matter to the CJEU to clarify this issue.
CJEU: first hearing and impact
The proceedings are currently pending and the oral hearing before the CJEU took place on 17 January 2023. The following questions were considered:
The Advocate General's opinion on this will be published on 27 April 2023. The CJEU's final decision will be decisive in terms of fine proceedings in Germany. The decision will set the course for whether and how national laws on regulatory fines remain applicable alongside the framework for fines under the GDPR and is eagerly anticipated.