European Union: Adopted EDPB Guidelines 04/2022 on the Calculation of Administrative Fines Under the GDPR

On 24 May 2023, the European Data Protection Board (EDPB) adopted the final version of the Guidelines on the calculation of administrative fines aiming to standardise the approach used by supervisory authorities when determining the amount of fines for infringements. The Guidelines complement existing ones and focus on when to impose fines. In particular, the EDPB developed a five-step methodology for calculating administrative fines for GDPR violations. This involves identifying the processing operations, evaluating the classification and seriousness of the infringement, considering the turnover of the undertaking, assessing aggravating and mitigating circumstances, determining legal maximums, and ensuring the fine meets effectiveness, dissuasiveness, and proportionality requirements. The final fine amount is determined by the specific circumstances of each case and can range up to the legal maximum.