A Look at the EDPB Guidelines and the Approach of the Hellenic DPA
Introduction
Regulation (EU) 2016/679 (“GDPR”), which came into force in May 2018, introduced a unified fines framework across the European Union as a mechanism to enforce compliance with the data protection legal regime. However, the increase in the powers of supervisory authorities varied depending on whether the authority already possessed such powers under pre-existing national legislation. For instance, in the UK, the 1998 Data Protection Act imposed a maximum fine of £500,000, and in Spain, a maximum fine of €600,000, whereas comparable regulators in Poland and Belgium lacked such enforcement powers.
Roughly five years later, on 24 May 2023, the European Data Protection Board (EDPB) published new guidelines on the calculation of administrative fines under the GDPR (“New Guidelines”). These guidelines aim to provide clarity and consistency in the calculation of fines across all EU Member States and, according to the EDPB, “seek to harmonize the methodology used by Data Protection Authorities (DPAs) in calculating fines, including harmonized starting points.”
It is noted that these New Guidelines are intended to complement the earlier Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (WP253).
The purpose of this article is to provide a brief overview of the content of the New Guidelines, in comparison with the guidance provided by the Hellenic Data Protection Authority (HDPA) on calculating administrative fines.
Imposition of Fines under the GDPR
The introduction of an administrative fine mechanism under the GDPR in May 2018 marked a major development in data protection enforcement. Under the GDPR, fines may be imposed for a range of violations. The first tier can result in a maximum fine of €10 million or 2% of a company’s global annual turnover, whichever is higher, and the second tier allows for a maximum fine of €20 million or 4% of turnover, whichever is higher.
This fines regime was intended to ensure that organizations take data protection seriously. The threat of significant financial penalties was meant to incentivize organizations to implement appropriate measures for safeguarding personal data and, in some cases, prompted the adoption of robust data protection compliance programs.
As is often the case with regulatory frameworks that introduce substantial financial penalties, enforcement typically follows a three-stage process:
- An initial period of concern and debate among legal and compliance professionals, guiding compliance programs and the adoption of internal policies before laws take full effect;
- A perceived lull in enforcement activity immediately following implementation;
- A slow but steady uptake by regulators, leading to increases in both the volume and severity of fines.
Approximately five years after the GDPR’s entry into force, we are clearly in the third stage, with supervisory authorities across the EU issuing fines with growing confidence. As a result, companies are increasingly subject to fines and are developing strategies to mitigate such risk. As fines continue to grow, the economic pressure on businesses to invest in compliance also increases. This growing enforcement trend has resulted in a developing body of case law and administrative practice related to the calculation and imposition of fines, within which the New Guidelines now operate.
It is also worth noting that ideally, guidance on the calculation of such fines should have been available as early as 2018, when the authority to issue fines first became effective. The fact that the EDPB required almost five years to develop, consult on, and publish these guidelines illustrates how complex it is to create a fair and consistent approach that works across multiple legal systems and jurisdictions.
The EDPB’s New Guidelines
The New Guidelines aim to provide the clarity and consistency needed for GDPR enforcement. They are intended to ensure that fines are applied uniformly across EU Member States and that organizations are treated fairly. However, the calculation of the fine amount remains at the discretion of the supervisory authority. The EDPB recognizes that the guidelines need not be so precise as to allow a controller or processor to mathematically predict the exact amount of a potential fine.
The guidelines harmonize starting points and the methodology for fine calculation rather than harmonizing the exact outcomes.
Subject to the GDPR’s requirements—namely that fines must be effective, proportionate, and dissuasive (Article 83(1)) and that supervisory authorities must duly consider the seriousness of the infringement and the nature of the offender (Article 83(2))—the New Guidelines propose a five-step approach for calculating fines. Authorities are not obliged to follow all steps if they are not relevant in a given case, nor are they required to justify unused elements of the methodology. They remain free to apply a methodology similar to that described in the five-step process.
Step 1: Identify the processing operations and assess the application of Article 83(3) GDPR to determine the most serious infringement. This step requires identifying the specific processing activity that led to the violation and evaluating any concurrence of offenses, unity of action, or plurality of acts. These legal notions should not overlap but rather function within a coherent framework.
Step 2: Establish the starting point for further calculation based on an assessment of:
- The categorization of the infringement under Article 83(4)–(6) GDPR;
- The seriousness of the infringement, under Article 83(2)(a), (b), and (g);
- The company’s annual turnover, as a relevant element for determining an effective, dissuasive, and proportionate fine (Article 83(1)).
Depending on the assessment of seriousness, the starting amount will fall within:
- Low level: 0–10% of the applicable legal maximum;
- Medium level: 10–20% of the applicable legal maximum;
- High level: 20–100% of the applicable legal maximum.
The Guidelines also provide direction on adjusting the base amount depending on company size, particularly for micro, small, and medium-sized enterprises. Generally, the higher the turnover within a tier, the higher the likely starting amount.
Step 3: Evaluate the controller’s/processor’s past or present conduct and adjust the fine accordingly. Each factor in Article 83(2) GDPR should only be considered once. Aggravating factors include intentional breaches, prior violations, lack of cooperation, and failure to mitigate harm. Mitigating factors include corrective actions, cooperation, and low culpability. The absence of prior violations is not a mitigating factor, as compliance is expected. The way the violation was discovered and any financial benefit or harm avoided are also relevant.
Step 4: Determine the applicable legal maximum limits for the processing activities involved, as defined in Article 83(4)–(6) GDPR.
Step 5: Review whether the final calculated amount satisfies the effectiveness, deterrence, and proportionality criteria under Article 83(1) GDPR, and adjust accordingly.
These New Guidelines may lead to higher fines for organizations. The base amounts are generally higher, and adjustments based on aggravating/mitigating factors may significantly affect fines EU-wide. There is a general trend of “fine inflation,” strengthening regulators’ ability to compare penalties and increase consistency. Although the EDPB Guidelines are not legally binding, they are persuasive and are expected to influence enforcement practices throughout the EU. Organizations should take them into account when assessing their GDPR compliance and the risks of non-compliance.
Criteria Considered by the Hellenic DPA
In a series of decisions, the HDPA has adopted specific criteria for determining fines, based on the assessment factors set out in Article 83(2) GDPR, in conjunction with the EDPB’s Guidelines and the earlier WP253 Guidelines. Specifically, the HDPA considers:
- Whether compliance with the GDPR was ensured by design and by default;
- The number of data subjects affected by the unlawful processing;
- The presence of fault or negligence by the controller and the level of diligence exercised;
- The technical and organizational measures implemented;
- Whether the violation was systemic or due to a lack of policies and procedures;
- Whether there were previous similar violations;
- Whether the breach concerned special categories of data (Articles 9 and 10 GDPR);
- Whether the violation was reported by the controller or triggered by a complaint;
- Whether the controller gained any benefit from the unlawful processing;
- Whether material damage occurred;
- The turnover of the controller in the preceding year.
Conclusion
The New EDPB Guidelines, combined with the criteria consistently applied by the Hellenic DPA, can serve as a useful guide for legal professionals representing public authorities or businesses before the HDPA. Awareness of these criteria enables practitioners to reasonably assess the likelihood and potential scale of administrative fines by the HDPA or other authorities, including the EDPB.