The German data protection body has published a model for calculating GDPR fines. According to a Data Protection Report from Norton Rose Fulbright, penalties for violations will be determined in
five steps (we quote):
- The company is assigned to a group based of its size—Firms will be divided into groups and sub-groups. According to the report, parent firms and
subsidiaries will be regarded as an economic unit (an “undertaking”), so that "the total turnover of the group of companies will be used as the basis for calculating the fine."
- The DSK determines the average annual turnover of the “undertaking” base on the specific group to which it has been allocated.
- Calculation of the daily rate—This will
divide the turnover of the firm for the past year by 360 days.
- The DS determines the “regular fine corridors” and the mean value—This is assessed, partly, on the
severity of the violation and the harm to individuals.
- Classification o the specific GDPR infringement—This considers the extent of the unlawful processing the number of data
subjects and the harm they suffer, duration of the infringement and the threat of corporate insolvency.
The new model was published by (DSK), the joint body of the German data