13 February 2023

February - GDPR enforcement – 3 of 5 Insights

The EDPB’s framework for GDPR fines and its impact on German law

Carolin Monsees looks at the EDPB's GDPR uniform fine framework, and the issues that creates in Germany.

Dr. Carolin Monsees, CIPP/E

Salary Partner

Administrative fines are one of the main tools for enforcing the General Data Protection Regulation (GDPR), and they can represent a significant financial burden for companies. Depending on the provision infringed, the statutory maximum is either 10 million euros or 2% of the undertaking's total worldwide annual turnover for the preceding financial year, or 20 million euros or 4% of that turnover, in each case whichever is higher. The trend in recent years shows that data protection authorities are issuing more fines, and higher ones, for data protection violations.

However, the framework for data protection fines depends not only on the GDPR, but also on national law and national administrative procedure. As a result, outcomes, and in particular the amount of a fine, can vary considerably between Member States. To help standardise the approach, the European Data Protection Board (EDPB), which is made up of the Member State supervisory authorities, has stepped in.

Goal: uniform fine framework under the GDPR

The EDPB is an independent European body tasked with ensuring the consistent application of the GDPR and promoting cooperation between the EU data protection authorities. To help achieve a uniform fine framework under the GDPR, the EDPB published its guidelines on the calculation of administrative fines (04/2022) in July 2022. In these guidelines, the EDPB recommends that the competent national authorities calculate GDPR fines using the following five steps:

  • Step 1: Identify the processing operations at issue and establish whether they amount to one or more infringements that are to be sanctioned with a fine.
  • Step 2: Determine the starting amount of the fine. The statutory maximum for the infringement in question serves as the reference point; the category of infringement, its seriousness (low, medium or high) and the undertaking's turnover are used to set the starting amount.
  • Step 3: Consider any further aggravating or mitigating circumstances, in particular the measures taken to mitigate the damage, the degree of responsibility, any previous infringements, the degree of cooperation with the authority and the manner in which the authority became aware of the infringement. These circumstances can increase or reduce the amount determined in step 2.
  • Step 4: Ensure the fine does not exceed the legal maximum permitted under Article 83 GDPR.
  • Step 5: Double-check that the fine is effective, proportionate and dissuasive. A further increase or reduction is possible at this final stage.

The EDPB guidelines set out this five-step plan in more detail and illustrate it with specific examples.

It remains to be seen whether the national authorities will adhere to this five-step plan, and what the consequences will be for the number and amount of GDPR fines across the EU.

From a legal perspective, the EDPB's guidelines have already renewed the focus in Germany on the question of how the conduct of a natural person is attributed to the breaching company as a legal entity.

Privacy enforcement in Germany – GDPR v German Act on Regulatory Offences

The EDPB states in its guidelines that a fine can be imposed if the controller or processor (i.e. the company itself) has infringed the GDPR. This position does not match German national law on administrative offences, under which a fine can only be imposed on a legal entity if a deliberate offence committed by an organ of the company (i.e. the action of a natural person) is attributed to the company. The procedural contradiction is obvious and has been put to the Court of Justice of the European Union (CJEU) in the Deutsche Wohnen case, where the central question is the conditions under which a fine can be imposed on a legal entity.

Background of the case

In autumn 2019, the Berlin Data Protection Commissioner issued a fine notice of 14.5 million euros against Deutsche Wohnen, one of Germany's largest real estate businesses. Deutsche Wohnen had first come to the authority's attention in June 2017, when the authority criticised its data retention practices: personal data of tenants was held in an archive system from which it could not be deleted, even though it was no longer needed. As the infringement had not been remedied, the authority issued the fine notice.

Deutsche Wohnen appealed the fine. The Regional Court of Berlin then discontinued the fine proceedings on the basis that the fine notice was invalid, because it did not identify any specific GDPR infringement committed by an organ of the company. Under the German Act on Regulatory Offences, a fine can only be imposed on a legal entity if the issuing authority has established a deliberate infringement by a natural person representing the company.

The public prosecutor appealed the decision of the Regional Court of Berlin. The Kammergericht Berlin, which had jurisdiction at the next instance, suspended the proceedings and referred the matter to the CJEU to clarify this issue.

CJEU: first hearing and impact

The proceedings are currently pending; the oral hearing before the CJEU took place on 17 January 2023. The following questions were considered:

  • Are the general conditions for imposing fines under Article 83 GDPR exhaustive, or may Member States impose supplementary national requirements?
  • For what kind of GDPR infringement can a legal entity be sanctioned under the GDPR: (i) any infringement; (ii) a deliberate infringement by an employee of the legal entity; or (iii) a deliberate infringement by a manager or organ representing the legal entity?

The Advocate General's opinion is due to be published on 27 April 2023. The CJEU's final judgment will be decisive for fine proceedings in Germany: it will determine whether, and how, national law on regulatory fines continues to apply alongside the GDPR's own framework for fines, and it is eagerly anticipated.
