DSK data protection fine concept

While other European countries and their supervisory authorities have already enforced very high fines since the entry into force of the General Data Protection Regulation (GDPR), the German supervisory authorities have been reluctant - until now!

Many experts expect the calculation model for fines to lead to higher fines. The concept has been available since 16 October, published by the Conference of Independent Data Protection Supervisors of the Federal Government and the Länder (DSK).

Background data protection fine concept

Since the GDPR entered into force in May 2018, numerous fines have already been enforced for data protection violations. So far, however, the calculation of the fines has been rather non-transparent and not very comprehensible. For this reason, the European supervisory authorities and the European Data Protection Board (EDPB) are working on concepts for fines to ensure more transparency.

The German concept of fines was developed as a reaction to the model of the French data protection authority CNIL, which seemed too incomprehensible and too case-specific to the German supervisory authorities. As a result, the German model was developed with considerably more comprehensive calculation steps. The German fine model was presented to the Task Force Fining of the European Data Protection Board (EDPB) and met with interest, in particular because the concept would ensure a systematic, transparent and comprehensible calculation of fines.

Content of the data protection fine concept

The calculation of the fines is essentially based on 5 assessment criteria, which are explained in more detail in the DSK's concept.

Calculation criteria:

  • The enterprise concerned is first allocated to a size class.
  • The average annual turnover of the size class subgroup is determined.
  • A basic economic value (daily rate) is then determined.
  • Depending on the gravity of the circumstances of the offence, the basic value is multiplied by a factor.
  • Finally, the value determined is adjusted if there are other circumstances to be taken into account.

Higher fines also expected in Germany

While European neighbours have long since levied fines in the millions, the German supervisory authorities have remained comparatively cautious. The first significantly higher fine was enforced by the Berlin supervisory authority in October against Delivery Hero. According to the Federal Data Protection Commissioner Ulrich Kelber, more are to follow:

"The restraint of the data protection authorities will of course also become less and less [...] there will soon be fines 'in the millions' in Germany too."

Source: https://netzpolitik.org/2019/datenschuetzer-ulrich-kelber-wir-werden-auch-in-deutschland-strafen-in-millionenhoehe-sehen/

The fine system is designed in such a way that it is likely to result in very high fines for larger companies. There is therefore a high risk, especially for groups with subsidiaries. It is possible that precisely these cases will end up in court and that the fines will subsequently be adjusted.

Notes on the use of the fine concept

The DSK's concept focuses exclusively on the enforcement of data protection fines against companies. The concept does not apply to associations or natural persons outside their economic activities. Furthermore, the concept is not binding on cross-border cases, other European supervisory authorities or courts.

As soon as the European Data Protection Board (EDPB) produces its own concept for the calculation of data protection fines, the concept of the DSK loses its validity.

Prof. Dr. Andre Döring
