How do data protection regulators determine corporate fines? - DSK publishes new concept

On October 14th, the Data Protection Conference of the German federal and state supervisory authorities (Datenschutzkonferenz, DSK) published a concept for calculating fines under the GDPR (DSGVO). In some respects it resembles the model presented by the Berlin supervisory authority in June (we reported), but in other respects it remains less concrete.

According to the DSK itself, the concept is to be used for determining fines until the European Data Protection Board publishes its final guidelines. The concept offers a rough orientation on the potential range of fines.

The supervisory authorities' starting point under the new concept is annual turnover, on which the five-step procedure for calculating fines is built. The DSK stresses that, in its view, turnover is a suitable, appropriate and fair reference point for assessing fines.

1. Determination of the size class

On the basis of their annual turnover, companies are assigned to one of four size classes:

  • micro-enterprises (size class A: up to € 2 million annual turnover, with d subgroups),
  • small enterprises (size class B: over € 2 million up to € 10 million annual turnover, with 3 subgroups),
  • medium-sized enterprises (size class C: over € 10 million up to € 50 million annual turnover, with 7 subgroups),
  • and large enterprises (size class D: over € 50 million annual turnover, with 7 subgroups).

Each of the four size classes is further divided into subgroups. The classification ranges from very small companies in the lowest subgroup (A.I), with an annual turnover of up to € 700,000, to large enterprises in the highest subgroup (D.VII), with an annual turnover of more than € 500 million.

2. Determination of the mean annual turnover of the subgroup

In the second step, the mean annual turnover for the respective company is determined. The fine concept assigns each subgroup a specific figure that counts as its mean annual turnover. These range from a mean value of € 350,000 (lowest subgroup A.I) up to two or four percent of the actual annual turnover for large companies with a turnover of more than € 500 million.

3. Determination of the basic economic value

The mean annual turnover determined in step 2 is divided by 360 days, which yields a daily rate. This ranges from € 972 for a micro-enterprise in the lowest subgroup to values above € 1.25 million, because for companies with an annual turnover of more than € 500 million the percentage caps of 2% or 4% of annual turnover are used as the upper limit.

4. Determination of the multiplier

The basic economic value calculated in steps 1 to 3 is then combined with a multiplier between 1 and 12, set according to the severity of the violation. Violations are categorized as formal violations under Art. 83(4) GDPR or material violations under Art. 83(5) and (6) GDPR, and the severity of the circumstances (mild, moderate, severe or very severe) determines the factor. The result is a factor between 1 and 6 for formal violations and between 1 and 12 for material violations.

The criteria for determining severity are not disclosed. There are no concrete examples of when the threshold for the next degree of severity is reached, nor of which criteria are used to set the factor.

5. Perpetrator-related and other circumstances

This criterion serves as a kind of buffer for arriving at a fine amount in the individual case. Although Art. 83(2) GDPR is used as the basis, the concept remains very vague about the other aspects, which are illustrated only by the duration of the proceedings and impending insolvency. In principle, the DSK intends to orient itself specifically on the GDPR as regards the general conditions for imposing fines.

The following circumstances of the individual case could be taken into account under Art. 82 para. 2 GDPR: the specific facts, including the number of data subjects affected and the extent of the damage; intent or negligence, as well as measures taken to mitigate the damage incurred; and the degree of responsibility and previous conduct of controllers and processors, taking into account the data security measures implemented.

Scope of application

The DSK limits its concept exclusively to the assessment of fines against companies that are active in Germany and fall within the scope of the GDPR. The fine concept is also not meant to apply to associations or to natural persons acting outside their economic activity. Furthermore, the concept is binding neither for cross-border cases nor for other EU data protection supervisory authorities.

Conclusion

The DSK has published a catalog for categorizing companies as micro, small and medium-sized, or large enterprises. This can generally be helpful for assessing the economic risk of data protection violations. However, transparent guidelines on the factor and on the other perpetrator-related circumstances are lacking. The assessment base "annual turnover" should also be viewed critically, since turnover is far from being profit.

While it is welcome that a very rough order of magnitude for fines can now be stated, much remains imprecise when it comes to determining the severity of violations and the offender-related and other circumstances.

Stefanie Wojak || Supervisory authorities | Fine, fine proceedings, DSK