The European Data Protection Board (EDPB), the umbrella organization in which all European privacy regulators are represented, has adopted new rules for calculating fines for violations of the General Data Protection Regulation (GDPR). The aim is that all regulators will now calculate the amount of fines in the same way. The new rules take effect immediately. The Autoriteit Persoonsgegevens and the EDPB report this in a press statement. The new ground rules are laid down in the Fining Guidelines.

Until now, each regulator in the EU applied its own rules. As a result, it could happen that a company was punished more severely for a violation in one country than in another. By standardizing the calculation of fines, companies and organizations will be treated the same for similar violations. Also, regulators can better monitor each other and point out any miscalculations.
The revamped fine policy differs in three respects from the rules that the Autoriteit Persoonsgegevens has used to date. First, a company's turnover plays a greater role in determining the amount of the fine. Under the old regime turnover was also taken into account, but only at the end of the fine calculation. From now on, this will happen at the beginning.
In the new guidelines, companies can see what amount the privacy watchdog uses as a starting point for calculating a fine. The turnover of the parent company is also included in the fine decision.
The second point where the new fine rules differ from the old ones is that regulators will now use three categories to determine the severity of a privacy violation: low, medium and high. A different starting amount of fine applies to each category.
Finally, regulators now use a range to determine the starting amount. The starting amount can then be increased or decreased within this bandwidth. This depends, among other things, on any extenuating circumstances, for example, if a company has done everything possible to limit the consequences of a violation for the victims. If a company has been convicted of the same offense more than once, that may be grounds for increasing the starting amount of the fine.
What does not change is that the fine amounts can reach up to 20 million euros, or 4 percent of a company's global turnover, whichever is higher.
The new penalty rules are effective immediately. This applies not only to new cases, but also to ongoing cases. The new rules only apply to companies, because not all regulators are allowed to impose fines on public authorities. For government agencies, the old rules on fines still apply. At the European level, we are looking at which rules regulators want to apply to government organizations in the future.
