top of page

The European Data Protection Board's new fining directive: what does it mean for your organisation?

The General Data Protection Regulation (GDPR) has had a huge impact on how businesses handle personal data since its introduction in 2018. Now, almost five years later, the regulations continue to evolve and we are seeing a significant change in the approach to their enforcement. The European Data Protection Board (EDPB) has issued a guideline for calculating adminstritative fines in case of violations of the GDPR. It is crucial that companies are aware of these changes and understand the potential consequences.

A new approach to fines

The EDPB's new fining directive seeks greater consistency in the application of fines across the EU. Under the previous directives, fine amounts varied significantly between EU member states. This inconsistency created uncertainty for companies, especially those operating in multiple EU member states.

Under the new directive, a uniform approach to calculating fines is introduced. The calculation of fines will be based on a number of different factors, including the nature, seriousness and duration of the breach, the number of people affected, the extent of the damage and the negligence or intent of the breach. This means fines will be better tailored to the seriousness of the infringement.

Turnover plays a crucial rolel

One of the most notable changes in the new fine directive is the role of company turnover in determining the fine. Under the new directive, the fine for an AVG breach is partly determined by the company's total annual turnover. Whereas previously, under the old rules, company turnover was only taken into account as a factor at the end of the fine calculation, under the new directive it will already be at the beginning of the fine calculation. This will also include the turnover of the parent company.

Categorisation of offences

Another major innovation in the new directive is the introduction of categories for infringements. Infringements will be categorised according to their severity with a different starting amount for each category.

Range of fine amounts

From now on, a bandwidth of fine amounts will be used to determine the starting amount of the fine. This means that the starting amount of the fine will vary within a certain range, depending on a range of factors such as the seriousness of the infringement, the company's turnover, any previous infringements and the extent to which the company has cooperated with the supervisory authority. This flexible approach allows for a more measured and proportionate assessment of the unique circumstances of each infringement.

Preparing for the new fining directive

What was obviously already important previously but still needs to be re-emphasised is that companies must ensure they have robust and effective data processing policies that comply with the AVG. Companies should also ensure an effective data breach response strategy to limit the damage of any breaches.

Do you have any questions regarding your data processing policy? Then take a look at our website and do not hesitate to contact us!


bottom of page