The General Data Protection Regulation (GDPR) is a difficult piece of legislation to comply with, and not meeting some of its requirements may lead to hefty fines of up to 4% of global annual revenues of the preceding year or 20 million euros, whichever is highest. Organisations may find it difficult to calculate risk exposure when confronted with a potential breach of the GDPR, leading to frustration and often focussing on worst case scenarios only.

The European Data Protection Board (EDPB) recently issued guidelines on how Member States’ data protection authorities (DPAs) should calculate fines for infringements. The guidelines follow a step-by-step approach and provide a consistent methodology for all DPAs to follow. Although these guidelines are directed toward DPAs, they also allow companies to assess their risk exposure more accurately and realistically.

How were fines calculated before the guidelines?

Under the GDPR, each European Union Member State has its own DPA responsible for enforcement. These DPAs calculate so-called administrative fines (i.e., fines for violations of the GDPR) based on various criteria set out in the GDPR. In general, DPAs are required to:

  1. Ensure that the fine is effective, proportionate and dissuasive.
  2. Consider any aggravating or mitigating circumstances, including intention or negligence, the seriousness of the infringement and the infringer’s level of cooperation.
  3. Respect the maximum amounts for fines set out in the GDPR.

However, these broad parameters leave much room for interpretation on how fines should be calculated, leading to some uneven application across the EU and requiring lengthy dispute resolution procedures when DPAs disagree with each other on how to apply fines. It also is very difficult for businesses to accurately assess their financial exposure in the event of an infringement. The guidelines attempt to address these issues by introducing a five-step approach for all DPAs to use when calculating fines.

What is the five-step approach?

The five-step approach encourages DPAs to be objective when assessing fines under the GDPR by providing a practical calculation method and specifying a number of factual elements to consider, as follows.

Step 1: Identify infringing activities

Identify the processing operations which infringe the GDPR.

Apply Article 83(3) GDPR, which states that if an undertaking commits several infringements for the same/linked processing operations, the total amount of the administrative fine must not exceed the amount for the most serious infringement.

Step 2: Starting point

Identify the legal maximum

Article 83(4) infringement

10 million euros or, for undertakings, 2% of worldwide turnover (whichever is higher)

Article 83(5) and (6) infringement

20 million euros or, for undertakings, 4% of worldwide turnover (whichever is higher)

Assess the seriousness (nature, gravity and duration)

Low seriousness

0 – 10% of legal maximum

Medium seriousness

10 – 20% of legal maximum

High seriousness

20 – 100% of legal maximum

Adjust depending on the worldwide turnover of preceding financial year

≤ 2 million euro turnover

0.2 – 0.4% of the starting amount

2 to 10 million euros

0.3% – 2% of the starting amount

10 to 50 million euros

1.5 – 10% of the starting amount

50 to 100 million euros

8 – 20% of the starting amount

100 to 250 million euros

15 – 50% of the starting amount

250 to 500 million euros

40 – 100% of the starting amount

> 500 million euros

100%+ (i.e., dynamic legal maximum applies – see below)

Step 3: Mitigating/ aggravating circumstances

DPAs must consider the aggravating and mitigating circumstances listed in Article 83(2) GDPR, such as:

  • Actions taken to mitigate damage to the data subject.
  • Degree of responsibility of the controller/processor.
  • Previous infringements:
    • Time between previous infringement and current one.
    • Whether previous infringements were of the same or different subject matter.
    • Other considerations (e.g., enforcement by other DPAs against the same controller/processor).
  • Degree of cooperation with DPA.
  • Manner of notification of DPA.
  • Compliance with DPA’s previous orders regarding the same subject matter.
  • Compliance with code of conduct/certification mechanism.
  • Other factors (e.g., financial benefits gained from infringement).

Step 4: Ensure legal maximums are not exceeded

Static maximums

Article 83(4)

Up to 10 million euros

Article 83(5) and (6)

Up to 20 million euros

Dynamic maximums
(apply when an undertaking’s total annual turnover of the previous financial year exceeds 500 million euros)

Article 83(4)

Up to 2% of undertaking’s total annual turnover of previous financial year

Article 83(5) and (6)

Up to 4% of undertaking’s total annual turnover of previous financial year

Step 5: Effectiveness, proportionality and dissuasiveness

The DPA must assess whether the fine is effective, proportionate and dissuasive, or whether further adjustments are necessary to meet those requirements.

  • Effectiveness – Does it achieve the objectives for which it is imposed, e.g., compliance with rules?
  • Proportionality – Is the amount appropriate and necessary (also considering the undertaking’s ability to pay)?
  • Dissuasiveness – Does it have a specific deterrent effect (on the undertaking itself) and a general deterrent effect (on other undertakings)?

How does this work in practice?

The guidelines provide two practical examples, one of which we summarise below.


While the EDPB expects DPAs to apply the above calculation methods, it also states that fines should not be assessed in an automated, or merely mathematical, way. Each fine should instead be reviewed by a human being on its individual merits, taking care to ensure that the fine is effective, proportionate and dissuasive. This means that DPAs have considerable discretion over what the final amount will be, subject to the legal maximums.

The harmonised approach set out in these guidelines should provide more transparency and predictability in respect of administrative penalties in the EU (note that the Information Commissioner’s Office issued its own guidance, currently in draft form, with different calculations for organisations subject to the UK GDPR). Although the EDPB’s guidelines do not guarantee a set amount for fines, they do provide granular detail on the legal limits and mitigating/aggravating factors that will be taken into consideration. This should encourage DPAs to take a more consistent, objective approach across the EU and enable businesses subject to the GDPR to assess their compliance risk more accurately.

Please get in touch with the Cooley cyber/data/privacy team if you would like some assistance with calculating a potential GDPR fine.


Patrick Van Eecke

Morgan McCormack

Posted by Cooley