During its latest plenary, on 24 May 2023, the European Data Protection Board (“EDPB”) adopted a final version of the Guidelines on the calculation of administrative fines following public consultation (the “Guidelines”). These Guidelines aim to harmonise the methodology data protection authorities (“DPAs”) use to calculate fines and include harmonised “starting points”. Hereby, three elements are considered: (i) the categorisation of infringements by nature, (ii) the seriousness of the infringement and (iii) the turnover of a business. The Guidelines set out a 5-step methodology, taking into account the number of instances of sanctionable conduct, possibly resulting in multiple infringements; the starting point for the calculation of the fine; aggravating or mitigating factors; legal maximums of fines; and the requirements of effectiveness, dissuasiveness and proportionality. The content of the Guidelines and the related methodology had already been analysed, before the conclusion of the public consultation phase and the adoption of the final version, in a previous contribution available here. Moreover, the final version of the Guidelines includes a reference table summarising the methodology with a number of starting points for the calculation of fines, illustrating the range for the starting amount based on three level of seriousness (low level, medium level and high level) correlating with the range for the starting amount after adjustment applied for the size of the company, as well as two examples of practical application, for illustration purposes only and to be read in conjunction with the Guidelines. As also specified by the EDPB, the reference table shall also be read taking into consideration that the calculation of an administrative fine is no purely mathematical exercise, and that real life cases, practice and DPAs case law will inevitably lead to a further sharpening of the starting points included in the table. To that end, the Guidelines mention that the table and the numbers therein remain under close review by the EDPB and will be adapted if needed and the numbers constitute the starting points for further calculation and not fixed amounts (price tags). A useful tool for assessing the economic risks of violations of the data protection legislations Compared to the 'pre-consultation' version of the Guidelines, the inclusion of a table intended to provide numerical indications on the possible determination of fine amounts may be a useful tool to enable data controllers to carry out appropriate assessments - at least in economic terms - of the impact and risks related to possible breaches of data protection legislations. As part of the risk assessment process, including any personal data protection impact assessments required under Article 35 of the GDPR, the methodology used to evaluate the risk - in terms of value of data and information, impacts and likelihood of incidents, acceptable risk, residual risk, and countermeasures - could also be defined in terms of the possible economic impact within the business organisation. In fact, analysing the economic impacts may make the risk analysis more realistic and may give it greater capacity to communicate with all the stakeholders of the corporate organisation who are in charge of carrying out and approving this assessment. In addition, the economic impact of any administrative fines, which could potentially be imposed by the competent DPA and which can be determined - albeit not with mathematical precision - on the basis of the table made available by the EDPB, to be considered when defining the risk assessment process, can also be a useful tool for determining the sustainability of the risk treatment plan, also in light of the provisions of Article 32 of the GDPR. Article 32 of the GDPR provides, in fact, that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Therefore, for the purpose of determining the sustainability of the risk treatment plan, the following elements may be taken into account:
