On May 24th 2023 the European Data Protection Board (EDPB) adopted theGuidelines 04/2022 with the goal to provide to national data protection authorities uniformed criteria to calculate the fines connected to GDPR infringements.
GDPR infringements: Fines framework
In case of an ascertained infringement of the GDPR, the authorities of the Member States have the power to choose the type and entity of the penalty to apply. The Regulation does not contain, however, a precise indication of the penalties referable to each single infringement, merely stating that these should be effective, proportionate and dissuasive.
The only parameter clearly established by GDPR is the maximum amount for the pecuniary sanctions, which are divided in 2 tiers:
- First tier: applied to breaches considered less severe, such as those relating to the notification of a data breach or to the correct keeping of the processing registers. In these cases, the amount of the fine cannot be higher than 10 million euros or, for companies, 2% of the worldwide annual revenue of the previous year, if higher.
- Second tier: higher than the first, it is applied to infringements considered more severe and covers, for example, infringement of the basic principles of the processing, comprising those relating to consent. For these infringements it is provided a fine up to 20 million euros, or for companies, up to 4% of the worldwide annual revenue of the previous year, if higher.
In brief, the amount and/or the type of penalty is determined on a case-by-case basis, considering the peculiarities of the case, of the maximum amount and of other indicative parameters set out by the Regulation. For example, before quantifying the fine the Regulation imposes to evaluate different elements, such as the category of the personal data object of the infringements or the number of subjects involved. Moreover, “in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person”, it is suggested to issue a reprimand instead of a fine.
Guidelines 04/2022 on calculating fines for GDPR infringements
In order to facilitate the harmonious application of the GDPR in all the EU territory, the EDPB elaborated additional criteria to calculate pecuniary fines. In particular, once the tier to which the infringement belongs has been found, it is suggested to evaluate the criteria already provided for in the GDPR taking into account other interpretative elements.
For example, on the one hand the GDPR already asks to evaluate the damage level suffered by the interested parties, on the other the guidelines specify that such level refers to the damage suffered or that could be suffered, regardless of the number of subjects involved, and that such damage is both pecuniary and non-pecuniary.
Notwithstanding the discretion of the Authority in determining the final amount of the fine, EDPB suggests also how to determine the minimum amount of the fine:
- For less severe infringements, the starting value should be comprised between 0 and 10% of the maximum amount applicable;
- For infringements of medium severity, the starting value should be comprised between 10% and 20% of the maximum amount applicable
- For infringement of high severity, the starting value should be comprised between 20% and 100% of the maximum amount applicable.
Answer of the Italian DPA to the UBER and the so-called Cimitero dei feti (Fetus cemetery) cases
The guidelines try to answer to the common need to eliminate the different approaches of the individual national authorities. As a matter of fact, if it is true that in the European Union different sensibilities and different judicial systems coexist, it is also true that the answers of the authorities at times seem difficult to interpret.
At national level, in March 2022 the Italian DPA fined Uber € 4,240,000 for giving to users a policy “formulated in a generic and approximative manner, containing unclear and incomplete information, not easily understood by the data subjects and which can generate confusion on the various aspects of the processing” (more information in this article).
It emerges instead the case called Cimitero dei Feti (Fetus cemetery) where the fine inflicted in April 2023 was of € 415,000. The case dates back to 2020, at the discovery of the existence of a cemeterial area dedicated to hundreds of small burials for pregnancy remains, marked by crosses bearing the general information of the women who had terminated their pregnancy and the date of the interruption, all without the knowledge of the women involved.
In this case, the authority ascertained the unlawful diffusion of personal data and the infringement of the minimization principle, in addition the fundamental rights of women’s self-determination and religious freedom came to the fore front.
Even though recognizing that the infringements identified would fall into the highest fine tier, the Authority decided to quantify the fines inflicted at 176.000 € and 239.000€, respectively to Roma Capitale and to Ama (the company appointed to manage the cemetery services), as for Asl Roma 1 – also responsible for the unlawful processing – the measure of the warning was considered to be sufficient.
In conclusion, notwithstanding the need to keep a margin of discretion in quantifying the fines, the wish is that such discretion will really be declined proportionally and that the new guidelines represent a useful tool to guide the authorities’ answers, even in light of the immanent equality and legal certainty principles.
Ilaria Feriti