(Germany) The German data protection authorities have agreed on formal guidelines for calculating data protection fines, known as the Fining Concept. The concept is intended to produce a degree of uniformity in the fines imposed across Germany's federal and state authorities. Gibson, Dunn & Crutcher LLP reports as follows:
In October 2019, the German Conference of Federal and State Data Protection Authorities (DSK) published its long-awaited guidelines for the determination of fines in privacy violation proceedings against companies.
The Fining Concept applies to the imposition of fines by German Data Protection Authorities within the scope of the European General Data Protection Regulation. According to the DSK, the Fining Concept is intended to provide for a uniform, comprehensible, transparent and case-by-case method of determining fines. The central starting point for the determination of the fine is the global annual turnover of a company in the preceding business year.
As a consequence, in the future we will likely see significantly higher GDPR fines in Germany, closer to the upper end of the maximum fine limits laid out in Article 83 GDPR – up to 4% of a company's global annual group-wide turnover. The application of corporate liability principles, which were originally developed under EU antitrust law, may also heighten the stakes. Notably, the Fining Concept has already been applied in actual cases, leading to an increase in fines.
It is important to note, though, that the Fining Concept is binding neither on data protection authorities outside Germany, nor in cross-border cases, nor on the German national courts when they review fines.
(Privacy press clipping sourced via Gibson, Dunn & Crutcher LLP)
The Fining Concept is a methodology for calculating fines for violations of the GDPR, and it proceeds in a number of steps. First, a company is "sized" according to its global annual turnover into standardized, uniform turnover bands; only if turnover exceeds EUR 500 million is the company's actual turnover used in place of the band figure. Second, a "daily fining amount" is derived from that turnover figure (the concept uses the annual turnover divided by 360). Third, the daily fining amount is multiplied by a factor reflecting the seriousness of the violation: for example, "minor" violations are multiplied by a factor of 1 to 4, while more serious violations attract a multiple of between 8 and 12. The resulting amount may then be adjusted for the circumstances of the individual case, such as those listed in Article 83(2) GDPR.
These guidelines mark a change from practice under the earlier German legislation, and companies can expect generally higher fines within the maximums set out by the GDPR. Gibson Dunn note that the guidelines draw much of their inspiration from the way antitrust fines are calculated in the EU. They also note that, even for merely formal violations of the GDPR, a large entity (turnover of USD 340 million or more) could expect a seven-figure fine. In other words, even relatively minor violations could attract heavy fines in Germany.
Gibson Dunn further point out that parent companies could be held liable for GDPR violations committed by their subsidiaries. This could occur where the companies are considered a "single economic unit"; in such cases, data protection authorities may be able to pierce the corporate veil and hold the parent company responsible. Under German law, it would be possible to hold, for example, a non-EU parent company liable in this way.