How will the amount of the fine be measured in the event of data protection violations by companies? The independent data protection supervisory authorities of the federal and state governments in Germany have published a concept for the assessment of fines dated 14 October 2019 (PDF).

Fines for data protection violations

Sanctions should be effective, proportionate and dissuasive (Art. 84 para. 1 sentence 2 GDPR). In the opinion of the supervisory authorities, a company's turnover is a suitable, appropriate and fair basis for determining the amount of the fine. The assessment is to be carried out in five steps:

  1. Allocation to a certain size class (A-D) on the basis of the previous year’s turnover:
    A: micro-enterprises, B: small and C: medium-sized enterprises (SMEs), and D: large enterprises
  2. Determination of the average annual turnover of the respective subgroup of the size class
  3. Determination of a basic economic value
  4. Multiplication of the basic value by means of a factor dependent on the severity of the circumstances of the offence
  5. Adjustment based on perpetrator-related and other circumstances that have not yet been taken into account, such as a long duration of the proceedings or an imminent insolvency of the company.