Skip to main content

Clifford Chance

Clifford Chance
Data<br />

Data

Talking Tech

New German model for the calculation of GDPR fines

A blueprint for Europe?

Data Privacy 21 October 2019

The detailed German model leads to greater transparency but also higher fines, particularly for companies with a large turnover.

In recent months, European data protection authorities have made clear use of the high fines which are available to them under the General Data Protection Regulation (GDPR). Notices from the British data protection authority (ICO) to fine both British Airways (GBP 183.4 million or 1.5% of its global turnover) and Marriott (GBP 99.2 million), as well as a sanction imposed by the French data protection supervisory authority (CNIL) on Google (EUR 50 million) have all been widely reported in the news. German data protection supervisory authorities, in contrast, have shown remarkable restraint in this regard and are yet to impose a fine exceeding EUR 195,407. 

One of the likely reasons for this was the fact that the individual German data protection supervisory authorities lacked a systematic, transparent and comprehensible approach to the calculation of fines. In comparison with the UK or France, where the ICO and the CNIL are the only competent supervisory bodies, Germany has 17 independent supervisory authorities - one for each state and the Federal Commissioner for Data Protection and Freedom of Information. In June 2019, however, the German data protection conference (Datenschutzkonferenz, "DSK"), a committee consisting of representatives of all German data protection authorities, agreed (behind closed doors) on a joint model for the calculation of fines under the GDPR in Germany which should provide for a transparent process. After testing the model in practice over the last view months, details of the new model have finally been published. 

In the following article, we (A) set out the details of the model and then (B) analyse the model's advantages, disadvantages and consequences for German entities, as well as address its possible impact on the European approach to fines. 

A. Details of the model
Scope of the new calculation model

The new calculation model is applicable for all German data protection supervisory authorities dealing with proceedings against companies that fall within the scope of the GDPR. The model is applicable to neither private associations nor to private persons outside their professional activities. Furthermore, it does not apply to cross-border cases.

A further noteworthy aspect is the fact that the model does not bind national courts and the German data protection supervisory authorities can consequently amend, expand or disapply the model at any time. 

In addition, the model shall cease to apply upon the issuance of the European Data Protection Board's guidelines on administrative fines. 

Calculation model

The turnover of a company is the basis of the calculation model. According to the DSK, turnover is a suitable and appropriate point of reference for the determination of a fine that ensures effectiveness, proportionality and deterrence. 

Against this background, the amount of the individual fine is determined by way of a five-stage procedure:

  • The company is assigned to a class based on its size, as well as a subgroup relative to the size class;
  • The average annual turnover of the respective subgroup is determined;
  • The annual turnover is divided by 360 in order to determine a daily rate as the basic value;
  • The basic value is multiplied by a factor, the amount of which depends on the seriousness of the infringement; and then
  • The amount is adjusted to reflect all circumstances of the individual case which have not yet been taken into account.

i. Assignment to a size class

The company subject to the fine procedure is assigned to one of four size classes (A to D) on the basis of its worldwide annual turnover in the previous year. Subsequently, the company is allocated to a subgroup relative to the size class. The calculation model provides for the following classes and subgroups: