GDPR Fine: On January 29, 2021, the Danish Data Protection Agency published new guidelines on determining GDPR fines for violations of data protection rules.
The guidelines set out a calculation model intended to make the determination of GDPR fines for violations of the General Data Protection Regulation more transparent.
The model consists of four steps designed to ensure that fines are determined in a structured manner, taking into account both aggravating and mitigating circumstances to determine an appropriate fine amount.
1: Determination of the base amount
In the first step of the Danish Data Protection Agency’s calculation model, the Agency sets a base amount for the proposed GDPR fine.
The Danish Data Protection Agency makes this assessment primarily by classifying the violation according to whether it falls under Article 83(4) or (5) of the General Data Protection Regulation. The violations are then categorized into six subcategories, which are defined based on the severity of the violation, and each of which is assigned a standard base amount. The first three subcategories include infringements covered by Article 83(4), while the last three categories include infringements covered by Article 83(5).
The violations are categorized as follows:
Violations covered by Article 83(4) (Maximum fine of DKK 75 million / 2% of annual turnover)
Category 1
- Appointment of a representative (Article 27)
- Cooperation with the supervisory authority (Article 31)
Serious violation ⇒
The base amount is 5% of the maximum fine, i.e. DKK 3.75 million.
Category 2
- Processing that does not require identification (Article 11)
- List of processing activities (Article 30)
- Reporting of personal data breaches (Article 33)
- Appointment, etc., of a Data Protection Officer (DPO) (Articles 37–39)
More serious violation ⇒
The base amount is 10% of the maximum fine, i.e. DKK 7.5 million.
Category 3
- Consent of the child (Article 8)
- Privacy by design (Article 25)
- Joint data controllers (Article 26)
- Data Processing Agreement (Article 28)
- Processing carried out on behalf of the controller or processor (Article 29)
- Security of processing (Article 32)
- Notification of a personal data breach (Article 34)
- Data Protection Impact Assessment (DPIA) (Articles 35–36)
- Monitoring of approved codes of conduct (Article 41(4))
- Certification (Articles 42–43)
Most serious violation ⇒
The base amount is 20% of the maximum fine, i.e. DKK 15 million.
Violations covered by Article 83(5) (Maximum fine of DKK 150 million)
Category 4
- Notification of recipients in the event of erasure, etc. (Article 19)
- Right to data portability (Article 20)
Serious violation ⇒
The base amount is 5% of the maximum fine, i.e. DKK 7.5 million.
Category 5
- Basic Principles (Article 5)
- Consent (Article 7)
- Transparency (Article 12)
- The duty to provide information when collecting personal data directly from the data subject (Article 13)
- Lawful processing (Article 6)
- The duty to provide information when collecting personal data from sources other than the data subject (Article 14)
- Right of access (Article 15)
- Right of rectification (Article 16)
- Right to erasure (Article 17)
- Right to restrict processing (Article 18)
- Right to object (Article 21)
- Automated individual decision-making, including profiling (Article 22)
More serious violation ⇒
The base amount is 10% of the maximum fine, i.e. DKK 15 million.
Category 6
- Processing of special categories of personal data (Articles 9–10)
- Transfers to third countries and international organizations (Articles 44–49)
Most serious violation ⇒
The base amount is 20% of the maximum fine, i.e. DKK 30 million.
Once the Danish Data Protection Agency has determined the base amount based on the classification of the violation, it adjusts this base amount in proportion to the company’s revenue and market share to determine the final base amount in the specific case.
Depending on the company’s revenue and market share, the Danish Data Protection Agency may reduce the base amount to:
- 0.4% of the standard base amount for micro-enterprises (with an annual group revenue of up to DKK 15,000,000)
- 2% of the standard base amount for small businesses (with an annual group revenue of up to DKK 75,000,000)
- 10% of the standard base amount for medium-sized enterprises (with an annual consolidated revenue of up to DKK 375,000,000)
The guidelines stipulate that revenue should be calculated as consolidated revenue, even if the parent company is not the data controller in the case in question.
2: Adjustment of the base amount based on a specific assessment of the nature of the violation
Once the base amount has been adjusted in relation to the company’s revenue and market share, the Danish Data Protection Agency may further adjust the base amount based on the specific circumstances of the case, including, for example, the nature, severity, duration, and scope of the infringement, as well as the number of data subjects affected and the harm caused, etc.
3: Mitigating or aggravating factors for adjustment
Once the Danish Data Protection Agency has determined the final base amount, it assesses whether further adjustment of a GDPR fine is necessary based on the mitigating and aggravating circumstances listed in Article 83(2) of the General Data Protection Regulation.
In the guidelines, the Danish Data Protection Agency reviews all the points listed in Article 83(2).
The guidelines state, among other things, that it is an aggravating circumstance if the violation was intentional, but that it is not a mitigating circumstance if the violation occurred as a result of negligence.
In addition, the guidelines emphasize any measures the data controller has taken to mitigate the harm that data subjects have suffered or are suffering.
The Danish Data Protection Agency also cites previous violations as an aggravating factor.
4: Adjustment based on the maximum amount specified in the General Data Protection Regulation (GDPR) or adjustment based on ability to pay
The fourth and final step in the guidelines concerns any adjustment of the fine based on the maximum amounts specified in Article 83(4) and (5), which are DKK 75 million and DKK 150 million, respectively, or a percentage of group turnover.
In addition, the Danish Data Protection Agency states in its guidelines that, in certain cases, the data controller’s “inability to pay” may be taken into account. This should be viewed as a principle of proportionality when a large GDPR fine would result in serious financial consequences for the data controller. However, this is not a get-out-of-jail-free card; according to the Danish Data Protection Agency, it may be applied under special circumstances if the deterrent effect can be achieved with a smaller fine that does not jeopardize the data controller’s business.

Fine cases in Denmark
Once the Danish Data Protection Agency has finalized the calculation of the GDPR fine, it will, as a general rule, be required to file a police report against the company recommending a fine; it will then be up to the Public Prosecutor’s Office to assess the case and the Agency’s fine recommendation and to bring the case against the company before the courts.
Since the General Data Protection Regulation came into effect, the Danish Data Protection Agency has filed complaints against eight companies and public authorities, recommending fines ranging from 50,000 to 1.5 million Danish kroner.
On February 12, 2021, the Aarhus District Court handed down its ruling in the first Danish case involving a violation of the General Data Protection Regulation. In this case against IDdesign A/S, the district court reduced the fine from 1.5 million Danish kroner to 100,000 Danish kroner.
