
European Data Protection Board: New guidelines on the calculation of administrative fines

17.05.2022

The European Data Protection Board (EDPB) has recently published new Guidelines 04/2022 on the calculation of administrative fines under the GDPR for public consultation.

In their new guidelines, the European supervisory authorities formulate a common methodology for the calculation of fines for the first time. The five-stage calculation method is intended to contribute to further harmonisation and transparency of the data protection authorities’ fines practice.

The new guidelines could also become an essential tool for businesses to better assess the risk of fines, for example in the case of data breaches. In practice, the authorities’ assessment of aggravating and mitigating circumstances relating to the controller's behaviour, which can increase or reduce the fine (step 3), is likely to play a key role. Both past and present behaviour can affect the amount of the fine, which is also an essential strategic factor in any data protection litigation.

The EDPB is seeking feedback on its new guidelines in the public consultation process until 27 June 2022. While it cannot be ruled out that the EDPB will make some changes to its guidelines on the basis of the feedback received, experience shows that the final version of the guidelines is likely to contain clarifications rather than any fundamental changes. We therefore recommend that the guidelines formulated by the EDPB already be taken into consideration at this point, especially since the published version of the guidelines reflects the common line of the European supervisory authorities.