Tuca Zbarcea & Asociatii

Schoenherr - A novel model for calculating GDPR fines: Companies beware!

23 Octombrie 2019   |   Schoenherr

Companies across the region have to prepare for significant fines for GDPR violations.

Competition authorities are typically lambasted for their ever-increasing fines for breaches of competition law. European Commissioner for Competition Margrethe Vestager was roasted for imposing multi-billion fines on Google. Looking at recent penalties for comparatively trivial violations of GDPR rules by some companies considerably smaller than Google, data protection authorities are not only trying to catch up, but are actually leapfrogging the antitrust enforcement in deterrence. The new method of setting GDPR fines in Germany1 will support this trend. Companies should brace themselves for a fight. They might learn from lessons in antitrust enforcement.

It must have sent shivers through company boards in Europe when it emerged earlier this year that the Conference of German Data Protection Authorities had adopted a first of its kind GDPR fine model. If consistently enforced, it will likely lead to fines that frequently approach the maximum limit of 4 % of the implicated undertaking's (group) turnover. The announcement went hand-in-hand with a regional data protection authority making clear that it wanted to impose multimillion-euro fines for GDPR violations.

The Conference was quick to note that the model is not binding on courts or data protection authorities in other countries. However, since it is being shared with other European supervisory authorities in the context of the harmonisation procedure of the GDPR, chances are it will become the role model for other authorities as well.

How does it work?

In a nutshell, fines are set using a multi-step system:

→    First, daily rates derived from the company's worldwide turnover in the preceding year are calculated. This is multiplied by a factor based on the severity of the breach. The multiplier ranges between 1 to 4 for minor infringements and 12 to 14.4 for very severe infringements (the last of four levels of severity).
→    Second, the resulting amount is then adjusted depending on the degree of fault and previous breaches ("recidivism"), using a scoring system.
→    Third, adjustments are made based on aggravating and mitigating factors.
→    Finally, it is checked whether fines exceed the limit of 4 % of the respective undertaking's turnover pursuant to Art. 83 GDPR.

First thoughts and comments: the group turnover and its questionable consequences

A major reason for the anxiety about massive fines is the reference to group turnover as being relevant for calculating the 4 % maximum fine. The model for this rule was the concept of a single economic unit ("SEU") in antitrust law (see also Recital 150 GDPR). A company and its subsidiaries comprise a single group so that the group's total turnover is relevant for calculating fines. While broadly accepted in competition law (for Austria see for example in KOG 16 Ok 5/08 – Elevators), it is still questionable whether the same concept should be transposed into the GDPR.

For one, the positive flipside of the SEU in antitrust law is that the cartel prohibition does not apply between entities constituting an SEU. They can exchange information, agree on prices and split markets as they like. In contrast, the GDPR does not acknowledge privileged data sharing within a corporate group but imposes specific restrictions on the exchange of data between affiliated companies.

Second, the SEU concept under antitrust rules requires that the parent company can influence the commercial behaviour of the subsidiary, which is the ability to influence budgets, business plans or the appointment of key management. Commercial behaviour has no real nexus to privacy, which is at the heart of the GDPR.

Third, one of the consequences of the SEU concept will likely be that, similar to the enforcement of antitrust rules, parent companies will be liable for damages caused by subsidiaries that have violated GDPR obligations. It is doubtful whether such liability, which is based on the influence over non-privacy related behaviour, is in line with rules on guilt under tort law.

After all, it seems the main driving force behind the use of the SEU concept for fines under Art. 83 GDPR is the ability to impose more deterrent fines. Whether this takes into account the criteria required by this provision sufficiently and can properly ensure that fines are in fact proportionate is doubtful.

Further thoughts – Defence rights under Art. 6 ECHR

GDPR fines, like antitrust fines, must reflect the gravity and duration of the infringement as well as the circumstances of each case. The European Court of Justice has long recognised that antitrust proceedings must meet the requirements of Art. 6 ECHR (ECJ in C-185/95 P – Baustahlgewerbe; in Austria KOG 16 Ok 4/07 – Payment cards).

Despite the possibly huge fines, Art. 6 ECHR allows for sanctions by an administrative body (see for example ECtHR in 13102/04 – Impar). The key prerequisite is that there must be the possibility of appeal before a judicial body that has full jurisdiction to review the decision (see for example ECtHR in 25774/05 – Bistrovic). It is questionable whether the administrative procedures currently in place in Central and Eastern Europe comply with the requirements under Art. 6 ECHR.

As a further consequence, data protection enforcement must also offer extensive procedural safeguards, such as the right to be heard, the right to a fair trial, the concept of ne bis in idem, the presumption of innocence as well as the prohibition of retroactive effects. All these rights offer ample defence rights in the setting of fines. These defence rights also mean that the parent company must be a party to the proceedings

Art. 83 GDPR does not allow schematic penalisation

Finally, the Conference's approach seems too schematic to satisfy Art. 83 GDPR. It provides transparency only at first sight. Art. 83 GDPR provides a comprehensive catalogue of factors that need to be considered when imposing fines, such as the severity of the infringement and the data categories that allegedly have been misused. The Conference's approach acknowledges this by asking the "basic value" of the fine multiplier to be "aligned" to those factors. In other words, the authorities will still have to make individual assessments, and the Conference's approach fails to provide harmonisation on that end. Moreover, the schematic approach of the Conference seems to indicate that fines have to be imposed in any case. This is unsupported by national laws (in Austria Sec. 11 DPA) and by the GDPR itself, which doubtlessly give room for other sanctions, such as warnings (without fines). Bottom line: Authorities' assessments are characterised by individual considerations which should not be substituted by a too schematic approach. 


Companies across the region have to prepare for significant fines for GDPR violations. The best defence, as always, is to make sure that no breaches of GDPR rules occur. If, nevertheless, a breach happens and an authority launches an investigation, companies should be well aware of their defence rights. They might offer additional opportunities to bring an eventual fine down than simply relying on mitigating factors.






Ascunde Reclama


Nume *
Email (nu va fi publicat) *
Comentariu *
Cod de securitate*

* campuri obligatorii

Articol 171 / 2455

Ascunde Reclama
LegiTeam: ZRVP recrutează avocat definitiv pentru departamentul Consultanță
In-House Legal Romania: Grupul Policolor – Orgachim anunță numirea Florinei Homeghiu pe poziția de Legal and Compliance Group Director
Meet the Professionals | Din vorbă în vorbă cu șeful echipei de Legal de la Revolut. TOM HAMBRETT, Head of Legal and Group General Counsel: Mă bucur să lucrez cu avocați talentați din toată Europa, iar dacă cineva vrea să ni se alăture, aș fi mai mult decât încântat să discutăm despre asta
Grupul E-INFRA a dus la capăt mai multe proiecte de infrastructură la care s-a lucrat intens în ultimele luni. Adina Calfa, Group General Counsel: Diferența pe care o câștigăm în experiența de management în perioada aceasta este aceea pe care o câștigă un pilot după ce a traversat o furtună și a aterizat forțat pe o autostradă
Ciprioții de la EP Wind Project (Rom) Six Ltd. cheamă România la arbitraj. Ministerul Economiei trebuie să aleagă consorțiul care se va ”bate” la ICSID cu avocații King & Spalding
Studiu Refinitiv | Cum și-au împărțit firmele de avocatură harta fuziunilor și achizițiilor din zona EMEA în primele 4 luni din 2020. O firmă cu 200 de avocați, pe primul loc în Europa Estică
In-houseLegal.ro | Consilierii juridici din companii au continuat să ofere asistență juridică pentru activitatea uzuală, însă au adaugat și noi proiecte specifice stării de urgență. Dr. Sabin Taclit, Legal Manager NextGen: În domeniul telecomunicatiilor proiectele au continuat, în paralel cu demersurile de adaptare la reglementările impuse
Avocatura penalistă este și va rămâne un “sport de contact” direct, atât cu clientul, cât și cu organele judiciare. Gabriel Albu, Managing Partner Albu-Legal: Pentru viitor anticipăm o creștere substanțială a volumului de activitate, astfel încât ne punem problema măririi echipei
Concurenta.ro | Soluție excepțională obținută de D&B David și Baias în prima cauză judecată în România cu privire la o practică anticoncurențială de tip ”hub & spoke”. Amenda dată de Consiliul Concurenței unor producători internaționali de armament pentru trucarea unor licitații a fost anulată
Hervis Sports obține în instanța amânarea chiriei în mall-ul Vivo! Cluj, deschizând calea și altor retaileri mari, afectați de criza medicală. Soluție obținută de litigatorii firmei Stratulat Albulescu, în colaborare cu C.I. Flavia Maier
Statul are nevoie de avocați specializați în arbitraje internaționale | Frații Sukyas au inițiat două arbitraje împotriva României, în SUA și Canada, pentru a maximiza șansele de a primi despăgubiri de peste 900 mil. usd
Avocații Stratulat Albulescu au dus la final mai multe proiecte, în perioada crizei, printre care o finanțare de 21 mil. €. Silviu Stratulat, Managing Partner: În limba chineză, ideograma care desemnează criza e compusă din alte două ideograme: primejdie și oportunitate. Am învățat că sunt oportunități infinite și că trebuie să ne adaptăm noilor cereri ale clienților
Citeste pe SeeNews Digital Network
  • BizBanker

  • BizLeader

      in curand...
  • SeeNews

    in curand...