The EDPB has adopted the Guidelines to harmonise the methodology supervisory authorities use when calculating fines. They complement previously adopted Guidelines on the application and setting of administrative fines under the GDPR (WP253), which focus on the circumstances in which to impose a fine.

The calculation of fines is at the discretion of the supervisory authority, subject to the rules set out in the GDPR. In that context, the GDPR states that the amount of the fine shall in each individual case be effective, proportionate and dissuasive (Article 83(1)). Moreover, when setting the fine, supervisory authorities must give due regard to the list of circumstances set out in Article 83(2), which refer to features of infringement (its seriousness) and the degree of responsibility of the controller or processor, including any mitigation actions taken and their cooperation with the supervisory authority. Further, the amount of the fine must not exceed the maximum amounts provided for in Articles 83(4) (5) and (6). The quantification of the fine is therefore based on a specific evaluation carried out in each case, within the parameters provided for by the GDPR.

Considering the above, the EDPB has devised the following methodology, consisting of five steps, for calculating administrative fines for infringements of the GDPR:

1. the processing operations must be identified and the application of Article 83(3) GDPR must be evaluated (Chapter 3);
2. the starting point for further calculation of the fine needs to be identified (Chapter 4) by classifying the infringement under the GDPR, evaluating its seriousness in the circumstances of the case, and considering the turnover of the undertaking concerned;
3. the evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly (Chapter 5);
4. identification of the relevant legal maximums for different infringements (Chapter 6); and
5. an analysis of whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality, adjusting it accordingly (Chapter 7) without exceeding the legal maximum.

The EDPB stresses that the calculation of a fine is not a mere mathematical exercise. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can vary between any minimum amount and the legal maximum.

The consultation is open until 27 June 2022. To access the Guidelines and for details on responding to the consultation, click here.