CALCULATION OF ADMINISTRATIVE FINES – EDPB Guidelines 4/2022
By Mugurel Olariu, RPD protectie date
Among the corrective powers of the national supervisory authorities provided for in Article 58(2) GDPR is the imposition of administrative fines in accordance with Article 83 GDPR.
To that end, the EDPB, the specialised European body, adopted*1 Guidelines 4/2022 on the calculation of administrative fines under the GDPR, in a version open for public consultation until 27 June 2022.
Although at first sight the guide is a working tool specific to the national supervisory authorities, this article aims to draw attention to its publication so that controllers and processors are aware of the mechanism provided by the GDPR and developed by the EDPB.
As a working tool, Guidelines 4/2022 sets out the legal framework and the methodology for calculating fines, describing five steps for the supervisory authority's approach, as follows:
Step 1. Identifying the processing operations in the case and evaluating the application of Article 83(3) GDPR. (Chapter 3)
Step 2. Finding the starting point for further calculation based on an evaluation of: (Chapter 4)
a) the classification in Article 83(4)–(6) GDPR;
b) the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR;
c) the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) GDPR.
Step 3. Evaluating aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly. (Chapter 5)
Step 4. Identifying the relevant legal maximums for the different processing operations. Increases applied in previous or next steps cannot exceed this amount. (Chapter 6)
Step 5. Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR, and increasing or decreasing the fine accordingly. (Chapter 7)
According to the GDPR*2, each supervisory authority shall ensure that the imposition of administrative fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is, in each case, effective, proportionate and dissuasive.
In other words, the amount of the fine is adapted to the infringement committed in its specific context, and the EDPB considers that it is up to the supervisory authorities to verify whether the amount of the fine meets these requirements or whether further adjustments are needed.
Thus, the imposition of administrative fines must in the end satisfy the three requirements of effectiveness, proportionality and dissuasiveness, namely:
✔ Effectiveness – Generally speaking, a fine can be considered effective if it achieves the objectives for which it was imposed. This could be to re-establish compliance with the rules, to punish unlawful behaviour, or both. Moreover, Recital 148 GDPR emphasises that administrative fines should be imposed “in order to strengthen the enforcement of the rules of this Regulation.” The amount of the fine imposed on the basis of these Guidelines should therefore be sufficient to meet these objectives.
✔ Proportionality – The principle of proportionality requires that the measures adopted do not exceed the limits of what is appropriate and necessary to achieve the objectives legitimately pursued by the legislation in question; where it is possible to choose between several appropriate measures, the least onerous ones must be used and the disadvantages caused must not be disproportionate to the aims pursued.
✔ Dissuasiveness – Finally, a dissuasive fine is one that has a real deterrent effect. In that regard, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence (discouraging the recipient of the fine from committing the same infringement again). When imposing a fine, the supervisory authority shall take into account both general and specific deterrence.
In the same vein, we note that adherence to a code of conduct is a mitigating factor, one that may demonstrate the controller's or processor's concern to comply with the GDPR, as follows from Recital 148 GDPR, which states: …
… due account should be taken of the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of sanctions, including administrative fines, should be subject to appropriate procedural guarantees, in accordance with the general principles of Union law and the Charter, including effective judicial protection and a fair trial. …