Home

Internal

Global

Contatto

Rödl & Partner ha prestato la propria consulenza per il perfezionamento dell'acquisizione del Gruppo italiano FGV da parte di Hettich |

In tutto il mondo

Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.

Guidelines for fines in Germany published

In October 2019, the 18 data protection supervisory authorities in Germany published their concept for the assessment of fines for infringements of the GDPR.

When issuing a fine, first of all the supervisory authority would assign a company-related basic economic value, which is calculated as a daily rate based on the annual turnover of companies of similar turnover (1/360 of the average annual turnover of the respective cluster of companies).

This daily rate shall be multiplied by a factor depending on the severity of the infringement. The severity level comprises four levels (light, medium, severe or very severe), for the determination of which the factual criteria of Article 83 para 2 GDPR shall be used. This leads to the following factors for the daily rate:

Severity of the Infringement	Factor for Formal Infringements pursuant to Art. 83 para. 4 GDPR	Factor for Material Infringements pursuant to Art. 83 para. 5, 6 GDPR
Light	1 to 2	1 to 4
Medium	2 to 4	4 to 8
Severe	4 to 6	8 to 12
Very Severe	6 <	12 <

In the case of groups of companies with an annual turnover of more than 500 million euros, this comes close to the limitations of a fine pursuant to Art. 83 para 4 or para 5 and 6 GDPR: Seven times the daily rate for very severe formal infringements corresponds to 1.9%, 13 times the annual rate for very severe material infringements corresponds to 3.6% of the annual turnover, whereas DGPR provides for a fine of 2% an 4% respectively.

The fine calculated in this way will be adjusted to the individual case, taking into account perpetrator-related circumstances of Art. 83 para 2 GDPR as well as other circumstances such as long proceedings or the threat of insolvency of the company.

In particular, it can be criticized that the determination of the basic economic value is not made directly from the annual turnover of the companies concerned. Rather, comparable companies or groups of companies are grouped into a total of 20 clusters. The daily rate is then the same for all companies within a cluster. Thus, in the smallest cluster, a simple formal data protection infringement leads to the same fine of 972.00 EUR for a microenterprise with an annual turnover of 70,000.00 EUR as for a small enterprise with an annual turnover of 700,000.00 EUR. Thus, the focus on the annual turnover is not implemented here: a direct calculation of the daily rate for both companies would rather lead to fines of 194.00 EUR and 1,944.00 EUR respectively.

In addition, the concept of calculating the daily rate is excessively broad, while the assessment of the degree of seriousness of the offence relevant to the factor or the influence of perpetrator-related circumstances is practically only mentioned. Finally, despite these guidelines, there is still considerable room for the supervisory authority to maneuver, which can lead to a quadrupling of the fine in the case of minor material infringements, for example.

In any event, the German supervisory authorities make it clear that they intend to link the amount of fines in particular to the turnover of those responsible. Further differentiation by the supervisory authorities will have to be observed. Nevertheless, there are already gaps in the approach presented here.

Contact

Contact Person Picture

Alexander Von Chrzanowski

Rechtsanwalt

Associate Partner

+49 3641 4035 30

Invia richiesta

RÖDL & PARTNER GERMANY

Discover more about our offices in Germany. Read more »

DATA PROTECTION BITES

Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, with a special focus on the GDPR.

Read all releases »