EDPB provides insights on GDPR fine calculations

On 7 June 2023, the European Data Protection Board (EDPB) published the final version of its Guidelines on the calculation of administrative fines. These were finalised more swiftly than usually is the case, albeit still a year after the consultation version. The impetus behind the finalisation may have been the number of cases going to the EDPB’s dispute resolution mechanism, including Meta and Accor (see our blog and the EDPB’s Annual Report), most of which refer to disagreements between data protection authorities (DPAs) on the penalty amount.

The Guidelines provide a five-step methodology for DPAs on setting administrative fines, following the factors identified in Article 83 of the GDPR. However, significantly they provide for:

• suggested percentage ranges (of the legal maximum) as a calculation starting point for infringements falling within three different levels of severity, with guidance provided on each category; and
• further adjustments of this starting penalty amount based on percentage bandings reflecting organisations’ global turnover.

Under the GDPR, an organisation’s turnover is, for the purpose of calculating the penalty, that of the “undertaking”. The EDPB confirmed that CJEU case law, including in the context of competition law, is relevant to the interpretation of what amounts to an ‘undertaking’. As such, companies within the same corporate group can together form one ‘undertaking’ for GDPR purposes if they are a ‘single economic unit’ (SEU), and guidance on assessing which group entities this would capture is included in the Guidelines. It is then that SEU’s ‘combined’ turnover which is relevant for the penalty calculation, hence, in most cases, bringing into the net at least some turnover from other group entities.

The EDPB also clarified that the relevant turnover for the purposes of penalty calculation is from the financial year preceding the issuance of the final penalty.

Although it is helpful to have guidance on the calculation of fines, there are some issues that remain with the Guidelines, including that:

• ultimately, DPAs retain discretion in terms of setting penalty amounts and can, to an extent, disregard elements of the Guidelines if they think fit, which provides less certainty for organisations. Having said that, if a penalty amount is disputed by other DPAs and escalated to the EDPB under the GDPR’s dispute resolution procedure, it is very likely that the EDPB will apply the calculation methodology outlined in the Guidelines (or will at least evaluate how the DPA has applied the guidance itself). As such, the Guidelines are likely to have the most impact on organisations carrying out substantial cross-border processing, as it may ensure greater consistency in DPAs’ approach in relation to those more material cases.
• the GDPR does not mention turnover, let alone global turnover, as a starting point for the calculation of fines. Using global turnover can arguably produce disproportionate outcomes in relation to more localised incidents. Interestingly, the ICO has also chosen to use turnover as a starting point in its guidance, albeit that it is still in draft form (see our blog here) and referenced the turnover of the parent company in TikTok’s recent fine.

Further guidance expected

This continues to be a developing area in the EU and the UK as regulators grapple with differing approaches and priorities amidst a backdrop of fast-paced technological change. In the UK, given the TikTok decision is being appealed, we may yet see some further guidance from the courts on the calculation of fines. The EDPB will also have the opportunity to put its guidance into practice over the next few months, for example potentially in relation to the TikTok decision by the Irish Data Protection Commission that was referred to the EDPB’s dispute resolution process in May this year.