Wird diese Nachricht nicht richtig dargestellt, klicken Sie bitte hier.

Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 57 | 2019-04-18

Standardization of the level of administrative fines under the GDPR?
Alexa Finke, LL.M.

The administrative fines that have been imposed by the different European supervisory authorities since the GDPR took effect vary enormously. While the highest administrative fines imposed by the German authorities to date have been EUR 20,000 and EUR 80,000 and have therefore remained well below the possible maximum fine of EUR 20 million or 4 % of worldwide annual turnover, other countries’ supervisory authorities have already delivered higher fines. The Portuguese authority has issued a EUR 400,000 fine against a hospital and the French supervisory authority has just imposed a EUR 50 million fine against Google. A fine of EUR 219,500 has been issued in Poland.

In order to avoid a growing divergence in the level of fines imposed, Article 70 of the GDPR stipulates that the European Data Protection Board, the board of EU Member States’ supervisory authorities, will issue guidelines for a uniform application of the administrative fine provisions. The GDPR itself only provides in relation to administrative fines that these should, among other things, be dissuasive in nature. Otherwise, it is at the discretion of the relevant authority to decide the level of the administrative fine, depending on the nature, seriousness, extent and circumstances of the infringement and the financial means of the controller. However, the action plan of the European Data Protection Board for 2019-20 does not include any guidelines pertaining to the calculation of administrative fines.

Dutch data protection authority sets guidelines

In order to counteract different and potentially arbitrary fines, at least at a national level, the Dutch supervisory authority has now issued guideline values for administrative fines under the GDPR. To that end, it has classified infringements of GDPR provisions in four categories depending on how serious they determine the infringement to be. They have set levels for each fine category, including an average basic fine amount which should serve as the starting point for calculating the fine. Depending on the nature, seriousness and extent of the infringement, the authority is able to adjust the basic amount of the fines down to the minimum level or up to the maximum. In exceptional cases the authority may also depart from the category completely if no appropriate penalty can otherwise be guaranteed. In the case of a repeat infringement within five years in the same or similar circumstances, the administrative fine should generally be increased by 50 %.

It is striking that the maximum fine level is set at EUR 1 million. The fine level of up to EUR 20 million or 4 % of worldwide annual turnover provided for under the GDPR is therefore by no means exhausted. Consequently, in order to impose a fine higher than EUR 1 million on a controller, the supervisory authority must always give reasons for any exception, even where this concerns a serious infringement. In practice, this will certainly reduce instances of fines over EUR 1 million.

Infringements of the provisions concerning the processing of special categories of personal data and automated decision-making fall into this highest category, for which the basic fine level is EUR 725,000.

The second-highest category, with a basic fine level of EUR 525,000, which can be increased to EUR 750,000 or reduced to EUR 300,000, includes infringements of obligations under Articles 13 and 14 to provide information, the safeguarding of the rights of data subjects along with the unlawful transfer of data to third countries and an infringement of notification obligations in the event of a breach of data protection.

On the other hand, in a business-friendly move, structural infringements, such as the infringement of the processing record or of technical and organizational measures, only fall into the third-highest category, which stipulates a basic fine level of EUR 310,000, which can be increased to EUR 500,000 or reduced to EUR 120,000.

Implications for Germany

Although the multiplicity of data protection authorities in Germany increases the risk of disparate fines, the German Data Protection Conference so far appears unwilling to draw up guidelines for setting administrative fines, but instead refers to the European Data Protection Board to that end.

However, it is probable that German data protection authorities will adopt the guideline levels and fines already imposed by foreign data protection authorities as guidance when setting the level of their administrative fines. Given that foreign authorities are clearly imposing stricter standards – even the moderate amounts in the Netherlands are several times higher than the highest fines imposed in Germany to date – it is to be expected that the German authorities will follow suit in future decisions about fines and will likewise raise the level of these in order not to appear too lax compared with their European colleagues.

It is therefore recommended to use the ongoing grace period offered by the German authorities to ensure that internal procedures are compliant with the GDPR and thus avoid an increased fine in the event of a report or inspection.

Heuking Kühn Lüer Wojtek

Alexa Finke is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.


T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Heuking Kühn Lüer Wojtek
Dr. Christian Appelbaum
Heuking Kühn Lüer Wojtek
Dr. Ubbo Aßmus
Heuking Kühn Lüer Wojtek
Dr. Felix Drefs
Heuking Kühn Lüer Wojtek
Alexa Finke
Heuking Kühn Lüer Wojtek
Regina Glaser, LL.M.
Heuking Kühn Lüer Wojtek
Torsten Groß, LL.M.
Heuking Kühn Lüer Wojtek
Anne Heisig
Heuking Kühn Lüer Wojtek
Maike Katharina Hinz
Heuking Kühn Lüer Wojtek
Britta Hinzpeter, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Thomas Jansen
Heuking Kühn Lüer Wojtek
Dr. Philip Kempermann, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Lutz Martin Keppeler
Heuking Kühn Lüer Wojtek
Dr. Markus Klinger
Heuking Kühn Lüer Wojtek
Michael Kuska, LL.M., LL.M.
Heuking Kühn Lüer Wojtek
Astrid Luedtke
Heuking Kühn Lüer Wojtek
Marcel Maybaum
Heuking Kühn Lüer Wojtek
Antje Münch, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Søren Pietzcker, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Wolfgang G. Renner, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Dirk Stolz
Heuking Kühn Lüer Wojtek
Dr. Frederik Wiemer
Heuking Kühn Lüer Wojtek
Dr. Florian Winzer
Heuking Kühn Lüer Wojtek
Dr. Hans Markus Wulf

I want to


Heuking Kühn Lüer Wojtek
© 2019 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.