German data protection authorities agree on calculation model for GDPR fines

  • Germany
  • Privacy, data protection and cybersecurity


While fines recently imposed by the French and UK data protection supervisory authorities have been high, the supervisory authorities in Germany have so far imposed rather moderate penalties. This could now be changed by a new model for calculating fines for GDPR infringements, which was agreed upon by the Conference of Independent Data Protection Authorities of the Federal Government and the Federal States (DSK) at its interim conference on 25 June 2019.

The model has been presented to the European Data Protection Board (EDPB) and is already used by the data protection authorities of the states of Berlin, Lower Saxony and Baden-Württemberg. It is intended to enable a systematic, transparent and comprehensible calculation of fines. Nevertheless, the system is quite complex and comprises a whole series of calculation steps. The following is a brief summary of the calculation mechanism.

Sales-based determination of the daily rate

The calculation basis of the new model is the worldwide company turnover in the previous year, from which the daily rate is derived. In the case of companies with a turnover of less than EUR 500 million, the actual turnover is not taken as the basis, but the company is assigned to a so-called "size class" and the average annual turnover of the respective size class is used to calculate the daily rate. If, at a prior hearing, the companies concerned do not provide any information on their turnover, it can also be estimated.

Assessment of fines corridors and average calculation

The daily rate is multiplied by a factor depending on the seriousness of the infringement. DSK's calculation model provides four different categories: factors 1 to 4 are provided for a light infringement, 4 to 8 for a medium infringement, 8 to 12 for a serious infringement and 12 to 14.4 for a very serious infringement. The seriousness of the relevant infringement depends on the classification in Art. 83 (4) to (6) GDPR. For example, a marketing e-mail sent to a user without a lawful basis (e.g. consent) would likely be considered a light infringement, whereas the unauthorised monitoring of employees would likely be considered a serious infringement. As a first step, the authority establishes a corridor of fines, followed by an average, on which the calculation will be based.

Classification of the concrete infringement

After having identified the calculation basis by the assessment of fine corridors and average calculation, the authorities align the calculation to the severity level of the concrete infringement. The severity level results from a points system which takes into account the duration of the infringement, the nature, scope and purpose of the unlawful processing concerned, the number of persons involved, and the extent of the damage suffered.

Percentage changes according to Art. 83 (2) GDPR

The authorities then assess other relevant criteria for calculating fines in accordance with Art. 83 (2) GDPR, i.e. intent or negligence, the initiation of measures to mitigate damage, the degree of responsibility, the existence of any previous infringements, cooperation with the supervisory authority, the categories of personal data processed within the scope of the infringement, the way the infringement became known to the authority, compliance with any measures previously ordered by the authority and, if applicable, compliance with approved procedural rules or certifications. According to these criteria, increases of up to 300 percent or reductions of up to 25 percent may be considered.

Determination of the final amount of the fine

Finally, the authorities examine whether other aggravating or mitigating circumstances exist which call for a further adjustment of the fine. In addition, it must be ensured that the fine imposed does not exceed the maximum amounts specified in Art. 83 (4) to (6) GDPR. Lastly, the calculated fine must be effective and deterrent. This is not the case if the amount of the fine would, in the public perception, be regarded as too low for the size of the undertaking. Furthermore, the calculated fine must be proportionate and generally appropriate to the facts and the offence.
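To make the five steps above tangible, here is an added illustration of the calculation chain in Python; it is not the DSK's published model or any authority's code. It assumes (the page does not say) that the daily rate is the annual turnover spread over 360 days, that the starting point within a corridor is its midpoint, that the points-based severity alignment of step 3 can be expressed as a multiplier, and that the caps are the Art. 83 (4) to (6) GDPR maxima; the size-class averaging for companies under EUR 500 million is not modelled because the page gives no class table.

```python
# Severity corridors: multipliers applied to the daily rate, as stated in the summary.
CORRIDORS = {
    "light": (1.0, 4.0),
    "medium": (4.0, 8.0),
    "serious": (8.0, 12.0),
    "very serious": (12.0, 14.4),
}

# Art. 83(4)-(6) GDPR maxima: the higher of a fixed amount and a share of worldwide
# annual turnover (para. 4: EUR 10m or 2 %; paras. 5 and 6: EUR 20m or 4 %).
STATUTORY_CAPS = {4: (10_000_000, 0.02), 5: (20_000_000, 0.04), 6: (20_000_000, 0.04)}


def daily_rate(turnover_eur: float) -> float:
    """Step 1. ASSUMPTION: annual turnover spread over 360 days; the page only says
    the daily rate is 'derived' from turnover. Size-class averaging is not modelled:
    pass the turnover figure the authority would actually use."""
    return turnover_eur / 360


def corridor(daily: float, severity: str) -> tuple[float, float, float]:
    """Step 2: lower bound, upper bound and average of the fine corridor."""
    lo, hi = CORRIDORS[severity]
    return daily * lo, daily * hi, daily * (lo + hi) / 2


def calculate_fine(turnover_eur, severity, paragraph, adjustment_pct, severity_multiplier=1.0):
    """Steps 1-5. `severity_multiplier` stands in for the points-based alignment of
    step 3 (ASSUMPTION: a plain multiplier; the page gives no point values).
    `adjustment_pct` is the net Art. 83(2) change, limited to -25 .. +300 percent."""
    if not -25 <= adjustment_pct <= 300:
        raise ValueError("Art. 83(2) adjustment must lie between -25 % and +300 %")
    daily = daily_rate(turnover_eur)
    low, high, average = corridor(daily, severity)
    aligned = average * severity_multiplier            # step 3
    adjusted = aligned * (1 + adjustment_pct / 100)    # step 4
    fixed_cap, share = STATUTORY_CAPS[paragraph]       # step 5: statutory ceiling
    cap = max(fixed_cap, share * turnover_eur)
    return {
        "daily_rate": daily, "corridor": (low, high), "average": average,
        "aligned": aligned, "adjusted": adjusted, "cap": cap,
        "fine": min(adjusted, cap), "capped": adjusted > cap,
    }


if __name__ == "__main__":
    # Constructed figures: EUR 36m turnover, serious infringement under Art. 83(5), +50 %.
    print(calculate_fine(36_000_000, "serious", 5, 50))
```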

What should you do?

It is questionable whether the fines imposed under the new DSK calculation model are in fact still proportionate within the meaning of Art. 83 (1) GDPR. Nevertheless, companies should check their existing data protection structures and processes to help ensure they reduce their exposure to fines – or better still, avoid them.