Skip to content

You are here:

High administrative fines for infringements of the GDPR

Since the end of May last year, the data protection officers of the Länder (Federal States) have imposed administrative fines in more than 100 cases of infringements of the European general data protection regulation (GDPR). In an international comparison, the actions of the authorities in Germany have so far been moderate. Based on a search through the press, the average level of these fines was reportedly almost € 6,000. A new concept for calculating administrative fines has now been published according to which there would be a risk of much higher fines.

Current sanctions practice

The GDPR applies to all companies that are based in the EU or that process the data of EU citizens. In accordance with Article 83 GDPR, infringements of the GDPR may result in the imposition of administrative fines of up to €20m or of up to 4% of the total worldwide annual turnover of the preceding financial year – the higher of the two values shall be applicable. The administrative fines that have been imposed in Germany have been relatively moderate. By contrast, France fined Google €50m and the UK fined the Marriott hotel chain €110m and issued the airline British Airways with a fine of €204m.

New concept and higher administrative fines

On 25.6.2019, the Conference of the German Independent Data Protection Supervisory Authorities of the Federal Government and the States (Datenschutzkonferenz, DSK) agreed a new concept for calculating administrative fines that has now been published and could lead to greater transparency but also to higher administrative fines. In proceedings against companies, the calculation of administrative fines under this concept would be performed according to the following steps.

  • First of all, the company concerned would be assigned to a size category.
  • Next, the average annual turnover of the respective sub-group for the size category would be determined.
  • After that, an economic base value would be calculated. This base value would then be multiplied by a factor that would be contingent on the seriousness of the infringement, for instance, a factor between 1 and 4 for a slight infringement and up to a factor of between 12 and 14 for a serious infringement.
  • The value that is determined would then be adjusted for circumstances connected with the offender and other circumstances that had not yet been taken into consideration.

Several factors would have to be taken into account when making the adjustment. In cases of minor or unintentional negligence the amount would go down by 25%. For ordinary negligence the amount would remain the same and in the case of the negligence being wilful or deliberate the fine could go up by 25% or even 50%. If the authority had already previously found irregularities at the company then this would likewise be reflected in the calculation of the fine. One new infringement would entail a 50% premium, two would mean a 150% premium and three or more infringements would entail a 300% premium. Furthermore, other factors could also have a negative impact, for example, how the authority assesses the cooperation with it, or also the measures that the company has already taken to mitigate the damage.

Please note: The DSK views this procedure as being appropriate for guaranteeing a verifiable and transparent way of assessing case-specific administrative fines.

Recommendation: The current concept for administrative fines applies solely to German authorities and also only until the European Data Protection Board issues guidelines in this respect. Moreover, the concept is not binding with respect to the fixing of administrative fines by the courts. Nevertheless, in view of the potentially draconian level of administrative fines we strongly recommend closing any existing data protection gaps.

Back to top of page