Germany introduces large million-Euro fines for data protection violations
On 14 October 2019, the German Conference of independent federal and state data protection authorities (“DSK”) published their criteria for the calculation of data protection fines (English working translation). This paper, for the first time, allows a more accurate estimate of the range that fines can reach in individual cases. Especially with respect to large enterprises, the DSK concept provides for very high fines. The Berlin data protection authority has now put this concept into practice by imposing a fine of 14.5 million Euros against Deutsche Wohnen SE (English working translation of the press release).
1. Background
2. The DSK Concept
2.1 Classification according to size (step 1)
2.2 Determination of the average annual turnover; division by 360 (steps 2 and 3)
2.3 Factor according to severity of the violation (step 4)
2.4 Adjustment of evaluation (step 5)
3. The fine imposed against Deutsche Wohnen SE
4. Conclusions
1. Background
Art. 83 GDPR, with respect to potential fines that competent data protection authorities may impose, includes various criteria to be considered when calculating a fine. These include, among others, the type, the severity and the duration of a data protection infringement as well as the level of intention and/or negligence involved in such an infringement. Based on these criteria, the data protection authorities shall, according to the law, stipulate “proportionate” fines that at the same time have a “dissuasive” effect on the controller. The maximum amount of a fine can be up to 20 million Euros or 4% of the annual worldwide turnover of an enterprise, whichever is higher.
For major enterprises, the maximum possible fines can be very high. This applies in particular if the calculation of the annual turnover is not based on the actual turnover of the respective enterprise, but on the so-called concept of functional undertakings in the meaning of EU cartel law. According to this concept, subsidiaries and parent companies are regarded as one enterprise. The consequences of this approach can be very substantial for corporate groups, if the total worldwide turnover of the entire group is taken as a basis for the calculation of fines. The application of the concept of functional undertakings is much discussed, since the wording of Art. 83 GDPR merely refers to “undertakings”. Recital (150) GDPR, however, implies the concept of corporate groups.
After entry into force of the GDPR, the German data protection authorities initially imposed rather low fines, but it can be assumed that with the publication of the new calculation concept this practice will definitely come to an end.
2. The DSK Concept
Right at the beginning of its concept, the DSK clarifies that, applying the concept of functional undertakings under EU cartel law, it will consider the total turnover of the group as a basis for the calculation of fines.
In future, the calculation of fines shall be effected in five steps: First, the respective enterprise is assigned to a size category (step 1), whose average annual turnover is then determined (step 2). This average annual turnover is then divided by 360 to determine the “basic economic value” of the enterprise (step 3). Then, taking into account the criteria of Art. 83 (2) sentence 2 letters a) - k) GDPR, a factor is determined by which the basic economic value is multiplied (step 4). The result of this calculation is then subject to an overall evaluation in which relevant circumstances previously not taken into account are considered (step 5).
2.1 Classification according to size (step 1)
The enterprises concerned, or more precisely the company groups, are assigned, depending on their annual turnover, to different classes ranging from “A” (micro-enterprises) to “D” (large enterprises), with classes A and B each subdivided into three further subgroups and classes C and D into seven further subgroups. The respective threshold values can be seen in the table on pages 3-5 of the concept.
2.2 Determination of the average annual turnover; division by 360 (steps 2 and 3)
Now the average value of the upper and lower threshold values is determined for each subcategory and then divided by 360 (steps 2 and 3). The result of this calculation is referred to as the “basic economic value” by the DSK.
One exception applies to groups with an annual turnover of more than 500 million Euros. For these, the “basic economic value” is determined by dividing the actual annual turnover of the group by 360, since the maximum limit of 2% or 4% has to be taken as a basis for the calculation of fines. Especially for these enterprises, the “basic economic value” can be very high. For a corporate group with an annual turnover of just over 500 million Euros, it would be as high as 1.39 million Euros.
2.3 Factor according to severity of the violation (step 4)
In step 4, the factor is determined by which the respective “basic economic value” is to be multiplied in order to calculate the final fine – subject to step 5. The DSK established four categories for the classification of data protection infringements. The factors to be applied in each individual case are shown in the table below:
Severity of the infringement | Factor for formal infringements pursuant to Art. 83 (4) GDPR | Factor for material infringements pursuant to Art. 83 (5), (6) GDPR |
--- | --- | --- |
Minor | 1-2 | 1-4 |
Medium | 2-4 | 4-8 |
Severe | 4-6 | 8-12 |
Very severe | > 6 | > 12 |
The evaluation is carried out on the basis of an assessment of the infringement in each individual case, taking into account the criteria specified in Art. 83 (2) GDPR.
Since a factor of at least 1 must be applied, the “basic economic value” determined in the course of steps 2 and 3 represents the minimum value of the fine. An exception could only apply if the evaluation under step 5 allows a reduction to a factor smaller than 1. The concept of the DSK does not specify whether such a reduction is intended. It was, however, applied by the Berlin data protection authority.
2.4 Adjustment of evaluation (step 5)
In step 5, the calculated amount is reviewed again, taking into account the criteria not considered in the course of step 4. In this context, the DSK refers to “circumstances relating to the infringer” as well as any other circumstances, such as a long duration of proceedings or the imminent insolvency of the enterprise.
3. The fine imposed against Deutsche Wohnen SE
Deutsche Wohnen SE, whose annual turnover for the year 2018 amounted to 1.101 billion Euros, had to experience firsthand how substantial the fines under the new concept can be.
According to a press release dated 5 November 2019, the Berlin data protection authority imposed a fine of 14.5 million Euros on Deutsche Wohnen SE for storing personal data relating to the personal and financial circumstances of tenants without assessing whether such storage was permissible and/or for not deleting old data. The archiving system used by Deutsche Wohnen SE did not provide for the deletion of such data and Deutsche Wohnen SE did not adequately comply with a request from the Berlin authority in 2017 to adjust the archiving system.
According to the Berlin authority, the statutory framework for calculation of the fine for the data protection infringement was an amount of 28 million Euros. A further incriminating factor was that Deutsche Wohnen SE had consciously installed the archiving system and had processed the data in question over a long period and in an inadmissible manner. What led to a reduction of the fine was that the enterprise had, to some extent, cooperated well with the authority.
Moreover, the Berlin authority imposed additional fines between 6,000 and 17,000 Euros on Deutsche Wohnen SE for the unlawful storage of personal data of tenants in 15 individual cases.
The decision shows that the new concept may entail high fines even in the case of first offenders and without any unlawful access by third parties being involved. According to the concept as explained above, the “basic economic value” of Deutsche Wohnen SE amounted to approx. 3.06 million Euros (1.101 billion Euros divided by 360). The statutory maximum amount for a fine against Deutsche Wohnen SE would thus be approx. 44 million Euros (4% of 1.101 billion Euros). According to the DSK concept, a fine between approx. 3.06 and 44 million Euros would therefore have been possible. The Berlin data protection authority therefore apparently assumed a factor of 4.74 in relation to the “basic economic value” (4.74 times 3.06 million Euros results in approx. 14.5 million Euros), which would correspond to an “infringement of medium severity” against the GDPR. It is unclear what the Berlin authority meant by “statutory framework for the calculation of the fine” and how it arrived at a value of “approx. 28 million Euros”.
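The fine range under DSK steps 2 to 4 (section 2) and the back-calculation of the implied factor for Deutsche Wohnen SE above, as an added Python example that is not part of the article or of the DSK paper. It assumes that the open-ended “> 6” / “> 12” factors are bounded only by the statutory maximum, uses the Art. 83 (4) ceiling of 10 million Euros or 2% for formal infringements (not stated on this page), leaves step 5 out, and covers only groups with a turnover above 500 million Euros, because the size-class thresholds for smaller groups are not reproduced here.

```python
# Added example (not from the article or the DSK paper): DSK steps 2-4 for
# groups above 500 million EUR, plus the implied-factor check from section 3.
# Step-4 factor table: severity -> ((formal low, high), (material low, high)).
# None = open-ended ("> 6", "> 12"); only the statutory maximum bounds it.
FACTORS = {
    "minor": ((1, 2), (1, 4)),
    "medium": ((2, 4), (4, 8)),
    "severe": ((4, 6), (8, 12)),
    "very severe": ((6, None), (12, None)),
}

def basic_economic_value(turnover_eur: float) -> float:
    """Steps 2-3 for groups above 500 million EUR: actual turnover / 360. Smaller
    groups use the midpoint of a size class whose thresholds the article omits."""
    if turnover_eur <= 500_000_000:
        raise ValueError("size-class thresholds below 500 million EUR not on the page")
    return turnover_eur / 360

def statutory_maximum(turnover_eur: float, material: bool = True) -> float:
    """Art. 83(5)/(6): 20 m EUR or 4 %; Art. 83(4) (assumed, not on the page):
    10 m EUR or 2 %; in both cases whichever is higher."""
    fixed, share = (20_000_000, 0.04) if material else (10_000_000, 0.02)
    return max(fixed, share * turnover_eur)

def fine_range(turnover_eur: float, severity: str, material: bool = True):
    """(low, high) of the step-4 result capped at the statutory maximum; no step 5."""
    bev = basic_economic_value(turnover_eur)
    lo, hi = FACTORS[severity][1 if material else 0]
    cap = statutory_maximum(turnover_eur, material)
    high = cap if hi is None else min(bev * hi, cap)
    return min(bev * lo, cap), high

def implied_factor(turnover_eur: float, fine_eur: float) -> float:
    """Back out the step-4 factor from an imposed fine, as section 3 does."""
    return fine_eur / basic_economic_value(turnover_eur)

def severity_for_factor(factor: float, material: bool = True) -> str:
    """Severity band a factor falls into; below 1 only a step-5 reduction explains it."""
    idx = 1 if material else 0
    for name, bands in FACTORS.items():
        lo, hi = bands[idx]
        if lo <= factor and (hi is None or factor <= hi):
            return name
    return "below minimum"

if __name__ == "__main__":
    # Article figures: Deutsche Wohnen SE, 2018 turnover 1.101 bn EUR, fine 14.5 m EUR.
    f = implied_factor(1_101_000_000, 14_500_000)
    print(round(f, 2), severity_for_factor(f), fine_range(1_101_000_000, "very severe"))
```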
Another interesting fact of the decision is that the Berlin authority imposed additional fines for individual infringements in an amount far below the “basic economic value” of Deutsche Wohnen SE. It can therefore be concluded that – at least in the opinion of the Berlin authority – such fines will remain possible even against major enterprises.
4. Conclusions
The new DSK concept makes the calculation of fines more predictable. Assuming that step 4 does not provide for a factor smaller than 1, the minimum amount of a fine can even be calculated accurately. Nevertheless, the new concept still leaves quite some maneuvering room for various assessments by the data protection authorities, so that in the end only an approximate range for the amount of a fine can be determined.
The decision of the Berlin data protection authority suggests that relatively low fines may still be imposed for individual infringements and/or that a factor smaller than 1 can indeed be applied.
Since courts are not bound by the calculation concept of the DSK, it remains to be seen how they will react to fines calculated on that basis. The penalty notice issued against Deutsche Wohnen SE has not yet become legally binding.
Should you have any questions in this context, please do not hesitate to contact us. Our team will also be present at the IAPP European Data Protection Congress on 20 and 21 November 2019 in Brussels. Should you attend this congress, please feel free to contact us so that we can meet you there.