European Data Protection Board: Updated guidelines on the calculation of administrative fines

The European Data Protection Board (EDPB) updated its Guidelines on the calculation of administrative fines a while ago. This is in and of itself a good reason for recalling the (from a company perspective) extensive assistance that the EDPB provides companies for assessing their own risk of receiving an administrative fine.

Already in May 2022, the EDPB published Guidelines on the calculation of administrative fines in which the European supervisory authorities formulated a common methodology for the calculation of fines for the first time. The five-stage calculation method is intended to contribute to further harmonisation and transparency of the data protection authorities’ fines practice.

Apart from making some editorial changes and clarifying some points, the updated version of the guidelines now includes an Annex with a reference table, which summarises the methodology for calculating administrative fines and contains further examples of the application of the methodology in practice. The table’s purpose is to illustrate the approach to calculating administrative fines that is set out in the main part of the guidelines and which is already applicable.

The updated guidelines could become an essential tool for companies to better assess the risk of administrative fines in practice, for example in cases involving data breaches. In practice, the points authorities consider when assessing aggravating and mitigating circumstances on the basis of data controllers’ behaviour are likely to play a central role in their decisions to increase or decrease administrative fines (Step 3). In this context, both past and present behaviour can have an influence on the amount of an administrative fine. Present behaviour in particular can thus be a very important strategic factor in every Data Protection Litigation.