FB pixel

New guidelines for calculating GDPR fines in the EU for data privacy violations

Biometrics and surveillance examples provided
New guidelines for calculating GDPR fines in the EU for data privacy violations

As the fines for data privacy violations mount, some clarity into how they are levied is being introduced. Enforceable since 2018, the European Union’s General Data Protection Regulation (GDPR) covers data protection and privacy in the European Economic Area and data leaving the EU and EEA. To enforce it there are two sets of penalties depending on the severity of offense. The European Data Protection Board (EDPB), which governs and enforces GDPR in the EEA has published its recommended methodology for calculating fines which are based on the offenders’ turnover.

The total for fines already issued is running into the billions of euros with the largest penalties meted out to large tech firms such as WhatsApp (€225 million) (approximately $237.6 million), multiple fines for Amazon, the largest being €746 million, and Google’s multiple fines of €60, €50, €40 and €7 million. British Airways was fined £183 million in the UK. The regulation has also been used for natural persons, such as a €3,000 fine for a Spanish landlord over video surveillance in an apartment building. A Swedish school was fined €20,000 for using facial recognition surveillance and associated biometric processing.

Adopted on 12 May 2022, the snappily-titled ‘Guidelines 04/2022 on the calculation of administrative fines under the GDPR’, open for public consultation until 27 June 2022, sets out a five-step methodology for calculating fines with the aim of harmonizing the approach of supervisory authorities where GDPR is enforced.

Step 1: identifying the data processing operations that took place in the case and the applicability of Article 83(3) GDPR (which empowers each supervisory authority to impose fines).

Step 2: the starting point for calculation, achieved by classifying the infringement, evaluating the seriousness of the infringement and turnover.

Step 3: evaluating any aggravating and mitigating circumstances for both past and present behavior to increase or decrease the fine.

Step 4: evaluating the legal maximums for the case.

Step 5: analysing whether the calculated amount meets the requirements of effectiveness, dissuasiveness and proportionality. At this stage the fine can be increased as long as it does not exceed the legal maximums.

The guidelines include an example with biometrics for weighing aggravating and mitigating circumstances with figures that provide the starting point for fine calculation:

“A sports club used cameras with facial recognition technology at the entrance of one of their locations for the purpose of identifying their clients upon entry. As the sports club did so in contravention of Article 9 GDPR (processing of biometric data without a valid exception), the supervisory authority competent to investigate the infringement decided to impose a fine. Taking into account all the relevant circumstances of the case, the supervisory authority considered this an infringement with a high level of seriousness, and since the sports club had an annual turnover of €150 million, a starting amount of €2,000,000 (at the very top of the category) was considered appropriate.

“However, the same sports club was fined two years earlier for using fingerprint technology at the turnstiles in another location. The supervisory authority decided to take this into account as a repeat offence (Article 83(2)(e) GDPR). In doing so, it attributed weight to the fact that this concerned nearly the same subject matter and the infringement was committed only two years prior. Because of this aggravating factor, the supervisory authority decided to increase the fine in this particular case to €2,600,000, not exceeding the applicable legal maximum of €20 million.”

The EDPB will constantly review its guidance, along with other areas of regulation such as AI.

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News


What to do if certificates for passive authentication fail

By Ihar Kliashchou, Chief Technology Officer at Regula Electronic documents are praised for their top-notch security, mainly due to RFID chip…


Biometric passports get refresh in Indonesia, face hurdles in Lebanon and Kenya

Nations across the global south are looking to biometric passports as the next generation of travel documents. Indonesia will mark…


Biometrics, electronic devices and identity credentials converging

Biometrics in electronic devices and ID documents to support digital identity are a major theme of the week’s top stories…


SITA wraps up acquisition of Materna IPS

SITA reports it has completed all necessary regulatory and legal procedures and finalized its acquisition of Materna IPS, a provider…


Payface lands new retail biometric payments deal in Brazil

Brazilian face biometrics payments startup Payface has clinched a deal with supermarket chain Ítalo. Ítalo Supermercados, based in the southern…


EU to fund digital programs with €108m, including digital identity

The European Union has issued a new call for funding within the Digital Europe Programme (DIGITAL), allocating over 108 million…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events