How to calculate privacy fines under the GDPR?

A major question when it comes to the EU privacy regulation the scope of applicable fines, how to calculate them and how to mitigate risks.Giulio CoraggioWhat are the new privacy fines?

The EU privacy regulation provides for fines

  • Up to € 10 million or 2% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the
    • Implementation of a privacy by design and a security by design approach as well as the performance of a data protection risk assessment in case of new technologies such as those of the Internet of Things,
    • Recording of data processing activities,
    • Data processor’s main obligations,
    • Notification in case of data breaches and
    • Appointment of a data protection officer (when necessary);


  • Up to € 20 million or 4% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the
    • Basic principles for data processing, including the conditions for privacy consent,
    • Individuals’ rights such as the right of access, the right to be forgotten and the portability right and
    • Transfer of personal data outside of the European Economic Area, which will be crucial in the view of the Privacy Shield now agreed as to the transfer of data to the United States.

The peculiarity of the fines above is that they do not set a minimum amount for each breach which will grant a higher flexibility to data protection authorities in determining the appropriate fines. However, this approach is expected to lead to also a higher risk of challenges and never ending disputes on the amount of fines.

On what are the fines percentages calculated? The concept of undertaking

The GDPR provides that fines are imposed on an “undertaking” and the Article 29 Working Party in its guidelines clarified that the notion of undertaking is provided for by the CJEU for the purposes of the application of Article 101 and 102 TFEU and shall be interpreted in accordance with EU law and case-law as

an undertaking must be understood to be the economic unit, which engages in commercial/economic activities, regardless of the legal person involved“.

The matter is not analyzed in details by Article 29 Working Party, but the definition of undertaking is a competition law concept. And indeed, we are using competition law cases in order to give indications to clients on the actual level of risk exposure that can be triggered by GDPR fines. And it derives from the above that:

  • Fines might not be calculated on just the turnover of the “breaching legal entitiy” or the data controller/process found performing the challenged conduct, but might be determined taking into account all the entities involved in the challenged activity;
  • A consequence of the conclusion above is that a strong infragroup integration on matters that are more esposed to privacy fines such as the creation of a centralized marketing or HR department serving the whole group might increase the risk of fines to be calculated on the turnover of the whole group or in general terms extended to more entities of the group;
  • A group reorganization especially in businesses that considerably rely on the exploitation of large quantities of personal data should be assessed to limit the privacy law related risk exposure of the whole group; and
  • It should be assessed whether having a single group DPO ensuring consistency on privacy law compliance across the group can on the one hand ensure a better control over the privacy strategy of all the subsidiaries, while on the other hand might increase the risk of a “domino effect“ across the group in case of challenged privacy breaches.

What are the criteria of their calculation?

The EU data protection regulation provides that the applicable fines shall be

  • Effective
  • Proportionate and
  • Dissuasive (i.e. if an undertaking is large, it is likely to face larger fines than a start-up for the same breach).

And such fines shall be determined on the basis of the nature, gravity and duration of the infringement taking into account among others of

  • The number of individuals affected and the damages suffered by them;
  • The purpose of challenged processing;
  • The level of damages suffered by individuals;
  • The intentional or negligent character of the infringement;
  • Any action taken to mitigate the damage suffered by individuals;
  • The implementation of the organizational measures of privacy by design and security by design that consequently become effective tools also aimed at mitigating the amount of fines in case of issued sanctions;
  • Any relevant previous infringements by the controller or processor i.e. the track record of the challenged undertaking will matter;
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
  • The categories of the personal data affected by the infringement e.g. if health related data has been affected by the infringement or data is identifiable, the potential fines might be higher;
  • The manner in which the infringement became known to the supervisory authority, in particularwhether, and if so to what extent, the controller/processor notified the infringement. And this has a major impact in determining the strategy to be adopted in case of data breach;
  • The adherance to codes of conducts and
  • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

How much money are we talking about?

It is interesting that see that up until now one of the largest fines issued in the European Union for privacy breaches was of € 1 million issued against Google for the data collected through their Street View service, followed more recently by the € 11 million privacy fine issued againt by the Italian data protection authority. But under the regime established by the EU privacy regulation, it has been calculated that Google might face a fine up to $ 2.9 billion.

Anything else to be worried about?

The new fines operate in addition to

  • claims against the company from individuals whose data has been victim of a data breach or just unlawfully processed;
  • claims against the directors and legal/compliance managers of the company from shareholders since with fines of this size the lack of implementation of all the measures necessary to ensure compliance can be considered as a major negligence;
  • orders of deletion of personal data unlawfully processed which might cause major damages to companies in a business that is exponentially relying of data; and
  • potential criminal sanctions against the directors or the legal/compliance managers of the company liable for the breach in countries where the criminal sanctions for privacy breaches are provided as it is the case in Italy.

The principle of accountability is an additional “weapon” against you

The GDPR provides for the principle of accountability which puts the burden of proof of demonstrating compliance with the obligations of the GDPR on the investigated party which makes the position of the latter even more delicate. The implementation of policies and procedures showing to have adopted whatever is required by the GDPR and the compliance with them of employees and contractors will become crucial.

Is time for a cultural revolution?

As I mentioned in this video, such large fines will oblige companies not to considered privacy compliance as a “nice to have” anymore. So far data is stored in some cases for many years or for an indefinite period of time, but data might become a ticking bomb that might endanger the whole company since their unlawful data processing might trigger huge fines.

It is necessary therefore to run an audit of the data currently processed in order to make sure, among others, that data has been collected in compliance with privacy laws, that has been stored for no longer than required by applicable laws and that has not been used for purposes other than those for which consent was obtained.

The EU privacy regulation is into force and will apply also to data that has been already collected NOW or in the past by a company.

Also given such large fines, even directors might face liabilities if they do not adopt any measure necessary to ensure privacy compliance.