Article 83 GDPR: Difference between revisions

From GDPRhub
Line 273: Line 273:
The fine is obviously (at least also) of an administrative nature. Article 83 GDPR explicitly refers to administrative fines in various places. Recital 150 GDPR also supports this classification (“''administrative fines''”). Moreover, the supervisory authority is competent as an administrative body. It follows in particular from [[Article 55 GDPR|Article 55(3) GDPR]] that supervisory authorities are not considered by the GDPR to belong to the judiciary. [[Article 79 GDPR]] also speaks of "''administrative or non-judicial remedies''".<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).</ref>
The fine is obviously (at least also) of an administrative nature. Article 83 GDPR explicitly refers to administrative fines in various places. Recital 150 GDPR also supports this classification (“''administrative fines''”). Moreover, the supervisory authority is competent as an administrative body. It follows in particular from [[Article 55 GDPR|Article 55(3) GDPR]] that supervisory authorities are not considered by the GDPR to belong to the judiciary. [[Article 79 GDPR]] also speaks of "''administrative or non-judicial remedies''".<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).</ref>


However, the fine also has elements of criminal law. Admittedly, it cannot be classified as criminal in the narrower sense. The EU lacks the legislative competence to enact regulations in criminal law.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 41 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> However, a classification as criminal in the broader sense is appropriate. ''Kotschy,'' applying the ''Engel criteria'' of the ECHR, concludes that fines are "''criminal within the wider, autonomous meaning of Article 6 ECHR''", but not in the "''criminal''" sense of EU law.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).</ref> This means that the imposition of fines must in any case respect the core principles of criminal law, e.g. the principles ''nemo tenetur se ipsum accusare'', ''ne bis in idem'' and ''nulla poena sine lege'' (in particular ''nulla poena sine lege certa''). This will be dealt with in the following while discussing the relevant provisions. However, ''Bergt'' rightly points out that the application of these criminal law principles to an administrative sanction cannot necessarily have the same scope as a criminal sanction in the narrower sense.<ref>''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 44 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref>
However, the fine also has elements of criminal law. Admittedly, it cannot be classified as criminal in the narrower sense. The EU lacks the legislative competence to enact regulations in criminal law.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 41 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> However, a classification as criminal in the broader sense is appropriate. ''Kotschy,'' applying the ''Engel criteria'' of the ECHR, concludes that fines are "''criminal within the wider, autonomous meaning of Article 6 ECHR''", but not in the "''criminal''" sense of EU law.<ref>''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).</ref> This means that the imposition of fines must in any case respect the core principles of criminal law, e.g. the principles ''nemo tenetur se ipsum accusare'', ''ne bis in idem'' and ''nulla poena sine lege'' (in particular ''nulla poena sine lege certa''). This will be dealt with in the following while discussing the relevant provisions. However, ''Bergt'' rightly points out that the application of these criminal law principles to an administrative sanction cannot necessarily have the same scope as a criminal sanction in the narrower sense.<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 44 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref>


==== Supervisory Authority as the Competent Body ====
==== Supervisory Authority as the Competent Body ====
Line 286: Line 286:
One of the main elements of the provision is the minimum triad to the fine on the discretionary side. The fine should be (a) effective, (b) proportionate and (c) dissuasive. This triad of requirements should be seen as the guiding principle not only for the issuing of a fine (Recitals 151 sentence 4 and 152 sentence 1 GDPR) but also for other types of sanctions, according to [[Article 84 GDPR|Article 84(1)(2) GDPR]].
One of the main elements of the provision is the minimum triad to the fine on the discretionary side. The fine should be (a) effective, (b) proportionate and (c) dissuasive. This triad of requirements should be seen as the guiding principle not only for the issuing of a fine (Recitals 151 sentence 4 and 152 sentence 1 GDPR) but also for other types of sanctions, according to [[Article 84 GDPR|Article 84(1)(2) GDPR]].


The elements of “effectiveness” and “dissuasiveness” cannot be clearly distinguished from each other or merge into each other.<ref>''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref>
The elements of effectiveness and dissuasiveness cannot be clearly distinguished from each other or merge into each other.<ref>''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref>


However, it seems clear that, by using the term “dissuasive”, the fine shall have a preventive function. In this context, it should be noted that dissuasion is not only to be related to specific prevention for the data controller or processor concerned. Rather, according to the GDPR's overriding objective of effectiveness, the fine is also intended to pursue general prevention objectives.<ref>''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 7 (Beck 2021, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 19 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref>
However, it seems clear that, by using the term “dissuasive”, the fine shall have a preventive function. In this context, it should be noted that dissuasion is not only to be related to specific prevention for the data controller or processor concerned. Rather, according to the GDPR's overriding objective of effectiveness, the fine is also intended to pursue general prevention objectives.<ref>''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 7 (Beck 2021, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 19 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref>


To be dissuasive the fine must be so severe that the person responsible will refrain from further infringements, especially infringements of the same nature. The actual economic capacity of companies must be taken into account and used as a basis for orientation.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 22 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref>  Insofar as it is argued that only the economic significance of the data processing, and not the overall economic performance, is to be used to measure the dissuasive effect,<ref>''Moos/Schefzig'', in Taeger/Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 26 (Beck 2019, 3rd ed.) (accessed 10 August 2021).</ref> this view must be rejected. This opinion is justified by considerations of economic efficiency, according to which it is sufficient to make specific data processing unprofitable. This view disregards the sanction character of a fine. The fine cannot be seen as an "high price" for data processing. Even fines in stricter criminal law are based on both the economic performance of the actor and the economic (in)value of the criminal conduct.
To be dissuasive the fine must be so severe that the person responsible will refrain from further infringements, especially infringements of the same nature. The actual economic capacity of companies must be taken into account and used as a basis for orientation.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 22 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref>  Insofar as it is argued that only the economic significance of the data processing, and not the overall economic performance, is to be used to measure the dissuasive effect,<ref>''Moos/Schefzig'', in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 26 (Beck 2019, 3rd ed.) (accessed 10 August 2021).</ref> this view must be rejected. This opinion is justified by considerations of economic efficiency, according to which it is sufficient to make specific data processing unprofitable. This view disregards the sanction character of a fine. The fine cannot be seen as an "high price" for data processing. Even fines in stricter criminal law are based on both the economic performance of the actor and the economic (in)value of the criminal conduct.


Furthermore, the fine alone must ensure effective sanctioning of data protection violations with sufficient dissuasive effect. In particular, this prohibits the supervisory authorities from making the assessment of the amount of the fine dependent on or coordinated with any claims for damages under [[Article 82 GDPR]]. Otherwise, the effectiveness of the fine would no longer be ensured.<ref>''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 10 August 2021); also ''Moos/Schefzig'', in Taeger/Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 24 (Beck 2019, 3rd ed.) (accessed 10 August 2021).</ref>  
Furthermore, the fine alone must ensure effective sanctioning of data protection violations with sufficient dissuasive effect. In particular, this prohibits the supervisory authorities from making the assessment of the amount of the fine dependent on or coordinated with any claims for damages under [[Article 82 GDPR]]. Otherwise, the effectiveness of the fine would no longer be ensured.<ref>''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 10 August 2021); also ''Moos/Schefzig'', in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 24 (Beck 2019, 3rd ed.) (accessed 10 August 2021).</ref>  


The terms dissuasive and effective also introduce a lower limit for the fine. It must not be merely symbolic in nature.<ref>Cf. ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 20 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref>  
The terms dissuasive and effective also introduce a lower limit for the fine. It must not be merely symbolic in nature.<ref>Cf. ''Boehm'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 20 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref>  


The principle of proportionality enshrined in EU primary law in Article 5(4) TEU and Article 52(1)(2) CFR is reflected in secondary law.<ref>''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 6 (Beck 2021, 3rd ed.) (accessed 10 August 2021).</ref> A measure is proportionate if it pursues a legitimate aim, it is suitable and necessary to achieve this aim and the measure is also appropriate.
The principle of proportionality enshrined in EU primary law in Article 5(4) TEU and Article 52(1)(2) CFR is reflected in secondary law.<ref>''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 6 (Beck 2021, 3rd ed.) (accessed 10 August 2021).</ref> A measure is proportionate if it pursues a legitimate aim, it is suitable and necessary to achieve this aim and the measure is also appropriate.


==== Case-by-case Assessment ====
==== Case-by-case Assessment ====
The provision also stipulates that the minimum triad must be met "in each individual case". In this respect, a case-by-case assessment is required. This contrasts with the basic objective of the GDPR to achieve a uniform application of the law and also enforcement. Despite the case-by-case examination, comparable infringements are therefore also to be punished comparably. This interpretation is supported in particular by [[Article 70 GDPR|Article 70(1)(k) GDPR]], which assigns the EDPB the task of drawing up guidelines concerning the setting of administrative fines.<ref>''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 9 (Beck 2018, 2nd ed.) (accessed 10 August 2021); ''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 51 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref>
The provision also stipulates that the minimum triad must be met "in each individual case". In this respect, a case-by-case assessment is required. This contrasts with the basic objective of the GDPR to achieve a uniform application of the law and also enforcement. Despite the case-by-case examination, comparable infringements are therefore also to be punished comparably. This interpretation is supported in particular by [[Article 70 GDPR|Article 70(1)(k) GDPR]], which assigns the EDPB the task of drawing up guidelines concerning the setting of administrative fines.<ref>''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 9 (Beck 2018, 2nd ed.) (accessed 10 August 2021); ''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 51 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref>


=== (2) Discretion on Whether and How to Impose a Fine; Relation to Corrective Measures ===
=== (2) Discretion on Whether and How to Impose a Fine; Relation to Corrective Measures ===
Line 321: Line 321:
The supervisory authority must first decide whether to impose a fine at all. The discretionary power granted in this respect is, however, intended.<ref>Correctly only ''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 26 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> This means that in the event of an infringement, the authority must in principle impose a fine, unless there is an exceptional, atypical case that does not justify the imposition of a fine. The discretion is "intended" in that the legislator generally wants a fine, but allows exceptions in deviating cases. In exercising its discretionary power, the authority must take into account the minimum triad in the specific case (see above) and - in particular for the purpose of evaluating whether a minor infringement has occurred - also the criteria listed in Article 83(2)(2) GDPR (see below).
The supervisory authority must first decide whether to impose a fine at all. The discretionary power granted in this respect is, however, intended.<ref>Correctly only ''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 26 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> This means that in the event of an infringement, the authority must in principle impose a fine, unless there is an exceptional, atypical case that does not justify the imposition of a fine. The discretion is "intended" in that the legislator generally wants a fine, but allows exceptions in deviating cases. In exercising its discretionary power, the authority must take into account the minimum triad in the specific case (see above) and - in particular for the purpose of evaluating whether a minor infringement has occurred - also the criteria listed in Article 83(2)(2) GDPR (see below).


The fact that the authority has a resolution discretion follows firstly from the wording of Article 83(2)(2) GDPR, which is unambiguous in this respect. A view according to which the authority has an obligation to impose a fine,<ref>''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021); ''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref> is to be rejected.  
The fact that the authority has a resolution discretion follows firstly from the wording of Article 83(2)(2) GDPR, which is unambiguous in this respect. A view according to which the authority has an obligation to impose a fine,<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021); ''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref> is to be rejected.  


According to Article 83(2)(2) GDPR, the supervisory authority is not only entitled to decide on the amount of the fine. Rather, it says the following: "When deciding whether to impose an administrative fine […]". Insofar as the opposing view refers to the wording of Article 83(2)(1), Recital 148 sentence 1 GDPR and Article 83(4) and (5) GDPR ("shall ... impose"), which deviates from this,<ref>''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref> this is not convincing. The primary regulatory objective of Article 83(2)(1) GDPR (and of Recital 148 sentence 1 GDPR) is to regulate the relationship of fines to other measures. There is no evidence that the provision is intended to introduce a simultaneous "incidental" obligation to impose fines. Rather, the decision on "whether" and "how" to impose a fine is explicitly regulated in the second sentence. Certainly, this is not completely convincing systematically, since the legislator could have made independent paragraphs out of sentences 1 and 2 in order to support the interpretation adopted here. However, the wording of paragraphs 4 and 5 cannot justify a different interpretation, as they only want to introduce the catalogue of infringements to be sanctioned and the respective fine frameworks, and explicitly refer to Article 83(2)(2) GDPR for the decision on "whether" and "how". Having said this, it is also irrelevant that the wording ''"may impose fines''" initially provided for in the Council draft on Article 83(2)(1) as well as (4) and (5) GDPR was replaced by "shall impose fines".<ref>Cf. ''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021); cf. ''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref> Recital 148 sentence 2 GDPR, which mentions two examples in which the imposition of a fine is to be waived ("''minor infringement''"; "''disproportionate burden to a natural person''"), also speaks in favour of the view taken here. If there was no discretion, these exceptions could hardly be taken into account according to administrative law dogma, especially since the Recitals are not binding. That the phrasing in Article 83(2)(2) GDPR and Recital 149 sentence 2 GDPR are mere drafting errors must be rejected as an unfounded assertion in this respect.<ref>''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref>  
According to Article 83(2)(2) GDPR, the supervisory authority is not only entitled to decide on the amount of the fine. Rather, it says the following: "When deciding whether to impose an administrative fine […]". Insofar as the opposing view refers to the wording of Article 83(2)(1), Recital 148 sentence 1 GDPR and Article 83(4) and (5) GDPR ("shall ... impose"), which deviates from this,<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref> this is not convincing. The primary regulatory objective of Article 83(2)(1) GDPR (and of Recital 148 sentence 1 GDPR) is to regulate the relationship of fines to other measures. There is no evidence that the provision is intended to introduce a simultaneous "incidental" obligation to impose fines. Rather, the decision on "whether" and "how" to impose a fine is explicitly regulated in the second sentence. Certainly, this is not completely convincing systematically, since the legislator could have made independent paragraphs out of sentences 1 and 2 in order to support the interpretation adopted here. However, the wording of paragraphs 4 and 5 cannot justify a different interpretation, as they only want to introduce the catalogue of infringements to be sanctioned and the respective fine frameworks, and explicitly refer to Article 83(2)(2) GDPR for the decision on "whether" and "how". Having said this, it is also irrelevant that the wording ''"may impose fines''" initially provided for in the Council draft on Article 83(2)(1) as well as (4) and (5) GDPR was replaced by "shall impose fines".<ref>Cf. ''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021); cf. ''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref> Recital 148 sentence 2 GDPR, which mentions two examples in which the imposition of a fine is to be waived ("''minor infringement''"; "''disproportionate burden to a natural person''"), also speaks in favour of the view taken here. If there was no discretion, these exceptions could hardly be taken into account according to administrative law dogma, especially since the Recitals are not binding. That the phrasing in Article 83(2)(2) GDPR and Recital 149 sentence 2 GDPR are mere drafting errors must be rejected as an unfounded assertion in this respect.<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref>  


Contrary to ''Holländer''<nowiki/>'s opinion, the wording in Recital 150 sentence 1 GDPR is not sufficient in itself to establish a discretionary power.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 26.1 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> What has been said about the wording above applies accordingly here. The Recital primarily seeks to specify the requirement of a supervisory authority's power to intervene and does not in itself make any statement about the discretion to decide.
Contrary to ''Holländer''<nowiki/>'s opinion, the wording in Recital 150 sentence 1 GDPR is not sufficient in itself to establish a discretionary power.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 26.1 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> What has been said about the wording above applies accordingly here. The Recital primarily seeks to specify the requirement of a supervisory authority's power to intervene and does not in itself make any statement about the discretion to decide.


The discretionary power granted is "intended".<ref>See also ''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 26 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> A deviating view that provides for a free discretion to decide must also be rejected.<ref>''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 8 to 12 (Beck 2021, 3rd ed.) (accessed 10 August 2021); ''Moos/Schefzig'', in Taeger/Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 28 (Beck 2019, 3rd ed.) (accessed 10 August 2021).</ref> It is clear from the preceding discussion that the imposition of a fine should be the rule. This follows in particular from the relationship of the fine to other measures under [[Article 58 GDPR|Article 58(2) GDPR]] (see above, Article 83(2)(1) GDPR and Recital 148 sentence 1 GDPR), which can be made fruitful at this point. Furthermore, according to Recital 148 sentence 2 GDPR, a fine should only be waived in clearly defined exceptional cases. Overall, the intended discretion is the most flexible solution. Only when it is applied can the intentions of the legislator resulting from Article 83 and the Recitals be implemented in a dogmatically clean manner. It leads to the authority imposing a fine as a rule on the one hand. On the other hand, it is the only way to exceptionally refrain from imposing a fine.  
The discretionary power granted is "intended".<ref>See also ''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 26 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref> A deviating view that provides for a free discretion to decide must also be rejected.<ref>''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 8 to 12 (Beck 2021, 3rd ed.) (accessed 10 August 2021); ''Moos, Schefzig'', in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 28 (Beck 2019, 3rd ed.) (accessed 10 August 2021).</ref> It is clear from the preceding discussion that the imposition of a fine should be the rule. This follows in particular from the relationship of the fine to other measures under [[Article 58 GDPR|Article 58(2) GDPR]] (see above, Article 83(2)(1) GDPR and Recital 148 sentence 1 GDPR), which can be made fruitful at this point. Furthermore, according to Recital 148 sentence 2 GDPR, a fine should only be waived in clearly defined exceptional cases. Overall, the intended discretion is the most flexible solution. Only when it is applied can the intentions of the legislator resulting from Article 83 and the Recitals be implemented in a dogmatically clean manner. It leads to the authority imposing a fine as a rule on the one hand. On the other hand, it is the only way to exceptionally refrain from imposing a fine.  


As already stated in the discussion on the teleological reduction of Article 83(2)(1) GDPR with regard to a reprimand, a fine may not be imposed if the supervisory authority issues a reprimand. Since the requirements of a fine and a reprimand under [[Article 58 GDPR|Article 58(2) GDPR]] overlap, the "intended discretion" is again the only way to allow the supervisory authority not to impose a fine without ignoring the legislator's intention to generally have to impose a fine.
As already stated in the discussion on the teleological reduction of Article 83(2)(1) GDPR with regard to a reprimand, a fine may not be imposed if the supervisory authority issues a reprimand. Since the requirements of a fine and a reprimand under [[Article 58 GDPR|Article 58(2) GDPR]] overlap, the "intended discretion" is again the only way to allow the supervisory authority not to impose a fine without ignoring the legislator's intention to generally have to impose a fine.
Line 338: Line 338:
The provision itself says nothing about the relationship between the criteria described, in particular whether they should be weighted differently. Consequently, an abstract graded relationship should not be assumed. This is also in line with the ever-present requirement of a case-by-case assessment.<ref>''Kotschy'' explains (unconvincingly, we find) that the main criteria are (a), (b), (c), (e) and (f). This is neither further substantiated (''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020)), nor can it be deduced from the Recitals. Recitals 148 and 150 GDPR contain lists of criteria that are not identical with Article 83(2)(2) GDPR. However, ''Kotschy’s'' assessment of the main critereria is not consistent with “selections” by the Recitals. Recital 148 sentence 3 GDPR, for example, lists all criteria except (f) and (g). (k) is also mentioned, which would make the catch-all criterion appear more important than two explicitly listed, but not mentioned criteria. This is certainly not intended. The enumeration in Recital 150 sentence 2 GDPR is also very abstract and only includes parts of the criteria, different from Recital 148 sentence 3 GDPR. A general rule cannot be derived from this.</ref>  
The provision itself says nothing about the relationship between the criteria described, in particular whether they should be weighted differently. Consequently, an abstract graded relationship should not be assumed. This is also in line with the ever-present requirement of a case-by-case assessment.<ref>''Kotschy'' explains (unconvincingly, we find) that the main criteria are (a), (b), (c), (e) and (f). This is neither further substantiated (''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020)), nor can it be deduced from the Recitals. Recitals 148 and 150 GDPR contain lists of criteria that are not identical with Article 83(2)(2) GDPR. However, ''Kotschy’s'' assessment of the main critereria is not consistent with “selections” by the Recitals. Recital 148 sentence 3 GDPR, for example, lists all criteria except (f) and (g). (k) is also mentioned, which would make the catch-all criterion appear more important than two explicitly listed, but not mentioned criteria. This is certainly not intended. The enumeration in Recital 150 sentence 2 GDPR is also very abstract and only includes parts of the criteria, different from Recital 148 sentence 3 GDPR. A general rule cannot be derived from this.</ref>  


The catalogue of assessment criteria is not exhaustive. Article 83(2)(2)(k) GDPR contains an explicit catch-all provision .<ref>Cf. ''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref> Whether criteria other than those expressly named can only be taken into account to a significantly lesser extent so as not to counteract the decision of the legislator<ref>''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref> may be doubted in this generalized manner. By introducing letter (k), the legislator has made it clear that the assessment criteria are not exhaustively listed. The significance of criteria that are not explicitly mentioned is rather to be measured according to general legal methodology, in particular by a systematical comparison with the listed criteria.
The catalogue of assessment criteria is not exhaustive. Article 83(2)(2)(k) GDPR contains an explicit catch-all provision .<ref>Cf. ''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref> Whether criteria other than those expressly named can only be taken into account to a significantly lesser extent so as not to counteract the decision of the legislator<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref> may be doubted in this generalized manner. By introducing letter (k), the legislator has made it clear that the assessment criteria are not exhaustively listed. The significance of criteria that are not explicitly mentioned is rather to be measured according to general legal methodology, in particular by a systematical comparison with the listed criteria.


Also in the application of these criteria, the discussion about the question of which area of law the fine should be assigned to becomes virulent. In principle, there are better reasons to apply the principles of criminal law here, in particular the prohibition of double punishment from Article 4 of the Additional Protocol to the ECHR as well as the ''nemo tenetur'' principle from Article 6(1) ECHR, albeit with limited scope. As a result, various criteria may not be taken into account in their entirety or only in a mitigating rather than aggravating manner.
Also in the application of these criteria, the discussion about the question of which area of law the fine should be assigned to becomes virulent. In principle, there are better reasons to apply the principles of criminal law here, in particular the prohibition of double punishment from Article 4 of the Additional Protocol to the ECHR as well as the ''nemo tenetur'' principle from Article 6(1) ECHR, albeit with limited scope. As a result, various criteria may not be taken into account in their entirety or only in a mitigating rather than aggravating manner.
Line 384: Line 384:


====== Recital 150(4) GDPR: "general level of income in the Member State " and "economic situation of the person" ======
====== Recital 150(4) GDPR: "general level of income in the Member State " and "economic situation of the person" ======
According to Recital 150 sentence 4 GDPR, the "''general level of income in the Member State'' " and the "''economic situation of the person''" should also be taken into account when assessing fines on persons who are not undertakings. There is no doubt that these criteria can also be taken into account via letter (k). Moreover, ''Frenzel'' rightly points out that these criteria must be taken into account anyway in the context of the proportionality principle (appropriateness), which must always be carried out pursuant to Article 83(1) GDPR.<ref>''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 13 (Beck 2021, 3rd ed.) (accessed 10 August 2021).</ref>  
According to Recital 150 sentence 4 GDPR, the "''general level of income in the Member State'' " and the "''economic situation of the person''" should also be taken into account when assessing fines on persons who are not undertakings. There is no doubt that these criteria can also be taken into account via letter (k). Moreover, ''Frenzel'' rightly points out that these criteria must be taken into account anyway in the context of the proportionality principle (appropriateness), which must always be carried out pursuant to Article 83(1) GDPR.<ref>''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 13 (Beck 2021, 3rd ed.) (accessed 10 August 2021).</ref>  


=== (3) Fine Framework for Multiple Violations by the Same or Linked Processing Operations ===
=== (3) Fine Framework for Multiple Violations by the Same or Linked Processing Operations ===
Line 391: Line 391:
With Article 83(3) GDPR, the legislator has decided in favour of the principle of absorption and against the principle of accumulation for processing operations that are identical or linked.<ref>Cf. ''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020); also Jahnel, Datenschutz-Grundverordnung, Article 83, margin number 12 (Jan Sramek Verlag 2021).</ref>  
With Article 83(3) GDPR, the legislator has decided in favour of the principle of absorption and against the principle of accumulation for processing operations that are identical or linked.<ref>Cf. ''Kotschy'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020); also Jahnel, Datenschutz-Grundverordnung, Article 83, margin number 12 (Jan Sramek Verlag 2021).</ref>  


The term "linked" is to be understood narrowly. This already follows from the systematic equivalence with the term "same". Any other interpretation would open up potential for abuse by artificially linking processing operations. Otherwise, the protective purpose of the provision to ensure consistent enforcement of the GDPR through dissuasion would be weakened.<ref>Cf. only ''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 31 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref>  
The term "linked" is to be understood narrowly. This already follows from the systematic equivalence with the term "same". Any other interpretation would open up potential for abuse by artificially linking processing operations. Otherwise, the protective purpose of the provision to ensure consistent enforcement of the GDPR through dissuasion would be weakened.<ref>Cf. only ''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 31 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref>  


''Nemitz'' correctly points out that such a fine must then in any case be higher pursuant to Article 83(2)(a) GDPR because of the multiple infringement than if only a single infringement had been committed in an individual case.<ref>''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 32 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref>
''Nemitz'' correctly points out that such a fine must then in any case be higher pursuant to Article 83(2)(a) GDPR because of the multiple infringement than if only a single infringement had been committed in an individual case.<ref>''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 32 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref>


However, the legal concept of the principle of accumulation applies to unlinked processing insofar as fines may be imposed independently of each other. In this respect, the dissuasive function and thus the effective enforcement of the GDPR is guaranteed.  
However, the legal concept of the principle of accumulation applies to unlinked processing insofar as fines may be imposed independently of each other. In this respect, the dissuasive function and thus the effective enforcement of the GDPR is guaranteed.  
Line 416: Line 416:
Recourse to this Recital is also relevant. The English version of the GDPR does not contain a legal definition of the term "undertaking" in Article 4 GDPR. However, it is problematic that the German ("Unternehmen"), French ("entreprise") and Spanish ("empresa") versions, for example, use the same term in [[Article 4 GDPR|Articles 4(18)]], 83 and in Recital 150 sentence 3 GDPR. In this respect, a position must be taken on the question of why, exceptionally, the Recital and not the supposed legal definition should be followed.
Recourse to this Recital is also relevant. The English version of the GDPR does not contain a legal definition of the term "undertaking" in Article 4 GDPR. However, it is problematic that the German ("Unternehmen"), French ("entreprise") and Spanish ("empresa") versions, for example, use the same term in [[Article 4 GDPR|Articles 4(18)]], 83 and in Recital 150 sentence 3 GDPR. In this respect, a position must be taken on the question of why, exceptionally, the Recital and not the supposed legal definition should be followed.


There are better reasons for interpreting the term “undertaking” in the sense of Articles 101 and 102 TFEU. It must be admitted that the Recitals are not binding and that it was unclean of the legislator not to include the reference to Articles 101 and 102 TFEU in the GDPR text. However, the term defined in [[Article 4 GDPR|Article 4(18) GDPR]] is used in various places in the GDPR and thus has a wide scope of application. An exception should be made to this scope for Article 83 GDPR. This intention can clearly be derived from Recital 150 sentence 3 GDPR, which is "more specific" in this respect.<ref>Instead of many ''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 42 (Beck 2018, 2nd ed.).</ref> This interpretation is supported by a teleological argument. Due to its general and special preventive function described above, the fine is intended to contribute to the comprehensive protection of individuals from unlawful data processing. Against large, multinational global corporations, especially in the internet sector, this can only succeed if the sanctions are also noticeable. If those companies could outsource data processing to low-turnover subsidiaries and thus reduce the fine, this goal would not be achieved.<ref>''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 43 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref> This can be countered by the fact that under general principles of company law, it may also be possible to achieve liability without interpreting the undertaking in the sense of competition law.<ref>This is also recognised by ''Nemitz'', in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 44 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref> However, this would lead to extensive, long-lasting and complex (especially judicial) individual case proceedings, which would run counter to the overarching objective of Article 83 GDPR, namely the effective enforcement of the GDPR. In this respect, the need for a broad definition of a company follows from the regulatory background alone.
There are better reasons for interpreting the term “undertaking” in the sense of Articles 101 and 102 TFEU. It must be admitted that the Recitals are not binding and that it was unclean of the legislator not to include the reference to Articles 101 and 102 TFEU in the GDPR text. However, the term defined in [[Article 4 GDPR|Article 4(18) GDPR]] is used in various places in the GDPR and thus has a wide scope of application. An exception should be made to this scope for Article 83 GDPR. This intention can clearly be derived from Recital 150 sentence 3 GDPR, which is "more specific" in this respect.<ref>Instead of many ''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 42 (Beck 2018, 2nd ed.).</ref> This interpretation is supported by a teleological argument. Due to its general and special preventive function described above, the fine is intended to contribute to the comprehensive protection of individuals from unlawful data processing. Against large, multinational global corporations, especially in the internet sector, this can only succeed if the sanctions are also noticeable. If those companies could outsource data processing to low-turnover subsidiaries and thus reduce the fine, this goal would not be achieved.<ref>''Boehm'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 43 (Beck 2019, 1st ed.) (accessed 10 August 2021).</ref> This can be countered by the fact that under general principles of company law, it may also be possible to achieve liability without interpreting the undertaking in the sense of competition law.<ref>This is also recognised by ''Nemitz'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 44 (Beck 2018, 2nd ed.) (accessed 10 August 2021).</ref> However, this would lead to extensive, long-lasting and complex (especially judicial) individual case proceedings, which would run counter to the overarching objective of Article 83 GDPR, namely the effective enforcement of the GDPR. In this respect, the need for a broad definition of a company follows from the regulatory background alone.


The term "undertaking" in the sense of Articles 101 and 102 TFEU is not legally defined. However, the term should be sufficiently clarified by CJEU case law. The concept of an undertaking under EU law is based on the so-called functional entity principle - in contrast to the so-called legal entity principle. According to this principle, the concept of an enterprise is to be understood broadly. It is to be understood as any entity carrying out economic activities, irrespective of its legal form, the number of individual associated persons (natural or legal) and the way it is financed, as long as it does not only occasionally or temporarily participate in economic transactions.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 10 (Beck 2020, 36th ed.) (accessed 10 August 2021) with reference to ECJ, 10 April 2014, Siemens AG Österreich, C-231/11 P, C-232/11 P, C-233/11 P, margin numbers 42 to 44 (available here https://curia.europa.eu/juris/document/document.jsf;jsessionid=D73E4F8734EFE27D8FEEDA5D07B4BF3B?text=&docid=150784&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=5642258) and ECJ, 23 April 1991, Höfner and Elser, C-41/90, margin number 21 (available here https://curia.europa.eu/juris/showPdf.jsf?text=&docid=97109&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5642258); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 40 (Beck 2019, 1st ed.) (accessed 10 August 2021) with reference to ECJ, 16 March 2004, AOK-Bundesverband, C-264/01, C-306/01, C-354/01 and C-355/01, margin number 46 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=48994&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=5642258).</ref>
The term "undertaking" in the sense of Articles 101 and 102 TFEU is not legally defined. However, the term should be sufficiently clarified by CJEU case law. The concept of an undertaking under EU law is based on the so-called functional entity principle - in contrast to the so-called legal entity principle. According to this principle, the concept of an enterprise is to be understood broadly. It is to be understood as any entity carrying out economic activities, irrespective of its legal form, the number of individual associated persons (natural or legal) and the way it is financed, as long as it does not only occasionally or temporarily participate in economic transactions.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 10 (Beck 2020, 36th ed.) (accessed 10 August 2021) with reference to ECJ, 10 April 2014, Siemens AG Österreich, C-231/11 P, C-232/11 P, C-233/11 P, margin numbers 42 to 44 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=D73E4F8734EFE27D8FEEDA5D07B4BF3B?text=&docid=150784&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=5642258 here]) and ECJ, 23 April 1991, Höfner and Elser, C-41/90, margin number 21 (available [https://curia.europa.eu/juris/showPdf.jsf?text=&docid=97109&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=5642258 here]); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 40 (Beck 2019, 1st ed.) (accessed 10 August 2021) with reference to ECJ, 16 March 2004, AOK-Bundesverband, C-264/01, C-306/01, C-354/01 and C-355/01, margin number 46 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=48994&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=5642258 here]).</ref>


==== Fine Framework ====
==== Fine Framework ====
Line 433: Line 433:
There is no provision for deprivation of profits in the case of infringements of the GDPR. However, according to Article 83(2)(2)(k) GDPR, financial benefits gained from the infringement can be taken into account when deciding on the amount of the administrative fine (see above).  
There is no provision for deprivation of profits in the case of infringements of the GDPR. However, according to Article 83(2)(2)(k) GDPR, financial benefits gained from the infringement can be taken into account when deciding on the amount of the administrative fine (see above).  


Only insofar as Member States enact national regulations on sanctions (cf. [[Article 84 GDPR]]), a deprivation of profits is possible according to Recital 149 sentence 1 GDPR. Contrary to the wording, this can take place not only on the basis of criminal law, but also on the basis of administrative law.<ref>''Bergt'', in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 9 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref>
Only insofar as Member States enact national regulations on sanctions (cf. [[Article 84 GDPR]]), a deprivation of profits is possible according to Recital 149 sentence 1 GDPR. Contrary to the wording, this can take place not only on the basis of criminal law, but also on the basis of administrative law.<ref>''Bergt'', in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 9 (Beck 2020, 3rd ed.) (accessed 10 August 2021).</ref>


==== Principle of Certainty ====
==== Principle of Certainty ====
Various violations of Article 83 (4), (5) and (6) GDPR against the principle of certainty (''nulla poena sine lege certa'') are discussed. For the fundamental question of the extent to which the principle of certainty applies to Article 83 GDPR, please refer to the above remarks on the classification of the fine. The direct application of Article 49 CFR is doubtful; however, the requirement of certainty can also be derived from Article 7 ECHR.<ref>In this respect potentially inaccurate ''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 5 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref>
Various violations of Article 83 (4), (5) and (6) GDPR against the principle of certainty (''nulla poena sine lege certa'') are discussed. For the fundamental question of the extent to which the principle of certainty applies to Article 83 GDPR, please refer to the above remarks on the classification of the fine. The direct application of Article 49 CFR is doubtful; however, the requirement of certainty can also be derived from Article 7 ECHR.<ref>In this respect potentially inaccurate ''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 5 (Beck 2020, 36th ed.) (accessed 10 August 2021).</ref>


Firstly, this is linked to the infringements listed in paragraphs 4 and 5, which are in some cases supposedly too broad.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); ''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021).</ref> <ref>Some authors state that the offenses leading to a fine are in part too broad. This is exemplified by the reference in Article 83(5)(a) GDPR, an infringement with the highest possible fine framework, to all processing principles mentioned in Article 5 GDPR (''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); ''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021)). Emphasis is placed, for example, on the obligation under Article 5(1)(a) var. 2 GDPR to process data fairly (''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021)).
Firstly, this is linked to the infringements listed in paragraphs 4 and 5, which are in some cases supposedly too broad.<ref>''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); ''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021).</ref> <ref>Some authors state that the offenses leading to a fine are in part too broad. This is exemplified by the reference in Article 83(5)(a) GDPR, an infringement with the highest possible fine framework, to all processing principles mentioned in Article 5 GDPR (''Holländer'', in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); ''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021); ''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021)). Emphasis is placed, for example, on the obligation under Article 5(1)(a) var. 2 GDPR to process data fairly (''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021)).


Insofar as a fine should indeed only be based on unfair data processing, this view is to be endorsed. The reference to Article 5(1)(a) var. 2 GDPR to this effect is likely to violate the principle of certainty. However, this does not lead to the overall unlawfulness of the other references in Article 83(4), (5) and (6) GDPR (ambiguous ''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021)). In principle, it should again be taken into account that the principles of criminal law do not apply with the same scope to administrative fines (see above). In addition, it should be practically rare for a fine to be imposed (only) for a breach of individual processing principles, as these are specified and specifically regulated in many places in the GDPR. Thus, a breach of "lawfulness" under Article 5(1)(a) var. 1 GDPR is always also a breach of the much more specific Article 6 GDPR. Overall, it is likely to be necessary to demand with ''Gola'' that the general clause of Article 5 GDPR be interpreted narrowly and that only clear violations be subsumed under it (''Gola'' in Gola, DS-GVO, Article 83 GDPR, margin number 26 (Beck 2018, 2nd ed.) (accessed 10 August 2021)). Moreover, this problem will be increasingly compensated by the forthcoming application of the law, in particular by judicial decisions concretising the law (cf. ''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021)). In this context, it is often overlooked that many of the provisions subject to fines have emerged from the Directive 95/46/EC and are therefore likely to have already been sufficiently specified by case law (''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 53 (Beck 2019, 1st ed.) (accessed 10 August 2021)).</ref>
Insofar as a fine should indeed only be based on unfair data processing, this view is to be endorsed. The reference to Article 5(1)(a) var. 2 GDPR to this effect is likely to violate the principle of certainty. However, this does not lead to the overall unlawfulness of the other references in Article 83(4), (5) and (6) GDPR (ambiguous ''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021)). In principle, it should again be taken into account that the principles of criminal law do not apply with the same scope to administrative fines (see above). In addition, it should be practically rare for a fine to be imposed (only) for a breach of individual processing principles, as these are specified and specifically regulated in many places in the GDPR. Thus, a breach of "lawfulness" under Article 5(1)(a) var. 1 GDPR is always also a breach of the much more specific Article 6 GDPR. Overall, it is likely to be necessary to demand with ''Gola'' that the general clause of Article 5 GDPR be interpreted narrowly and that only clear violations be subsumed under it (''Gola'' in Gola, DS-GVO, Article 83 GDPR, margin number 26 (Beck 2018, 2nd ed.) (accessed 10 August 2021)). Moreover, this problem will be increasingly compensated by the forthcoming application of the law, in particular by judicial decisions concretising the law (cf. ''Frenzel'', in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021)). In this context, it is often overlooked that many of the provisions subject to fines have emerged from the Directive 95/46/EC and are therefore likely to have already been sufficiently specified by case law (''Boehm'', in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 53 (Beck 2019, 1st ed.) (accessed 10 August 2021)).</ref>

Revision as of 16:32, 31 August 2021

Article 83 - General conditions for imposing administrative fines
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 83 - General conditions for imposing administrative fines


1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted underCHAPTER IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

Relevant Recitals

Recital 13: Harmonisation of Protection and Advantages for Small and Medium-Sized Enterprises
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.

Recital 148: Penalties
In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

Recital 149: Criminal Penalties by and for Infringements of National Rules
Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

Recital 150: Administrative Fines
In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

Recital 151: Administrative Fines in Denmark and Estonia
The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

Recital 152: Implementation of a National Penalty System if Necessary
Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.

Commentary

Article 83 GDPR introduces the most important sanction of the GDPR, the administrative fine. In particular, according to Recital 148 sentence 1 GDPR, this is intended to “strengthen the enforcement" of the GDPR.

Article 83 GDPR first introduces the sanction of an administrative fine and designates the competent authority.

The provision contains a list of all infringements that are subject to a fine.

It introduces an obligation for supervisory authorities to make a decision on a case-by-case basis, taking into account the minimum triad of “effective, dissuasive, proportionate”. On the one hand, this decision is to be made for the question of whether a fine is to be imposed, whereby the discretion is “intended”. On the other hand, the amount of the fine is also to be assessed according to this. Article 83 GPDR contains a non-exhaustive list of criteria to be considered at both levels of the decision.

Article 83 GDPR also contains two different fine frameworks, which are only defined by upper limits. Different rules apply to the so-called undertaking than to other controllers and processors. Among other things, a relative approach is introduced there, which is linked to the total worldwide annual turnover.

In addition, Article 83 GDPR contains an opening clause that allows Member States to provide for fines for public authorities and bodies.

Moreover, an explicit duty to provide adequate procedural safeguards is introduced.

Finally, for jurisdictions that do not provide for an administrative fine, a duty of modified, equally effective application of Article 83 GDPR is introduced.

(1) Legal Nature, Minimum-Triad and Case-by-Case Assessment

Fine as the Most Important Sanction and Legal Nature

Article 83(1) GDPR initially introduces the fine as the most important sanctioning instrument. This follows in particular from the relationship of the fine to the measures mentioned in Article 58(2) GDPR (see comment on Article 83(2)(1) GDPR below).

The legal nature of the administrative fine is not clear.

The fine is obviously (at least also) of an administrative nature. Article 83 GDPR explicitly refers to administrative fines in various places. Recital 150 GDPR also supports this classification (“administrative fines”). Moreover, the supervisory authority is competent as an administrative body. It follows in particular from Article 55(3) GDPR that supervisory authorities are not considered by the GDPR to belong to the judiciary. Article 79 GDPR also speaks of "administrative or non-judicial remedies".[1]

However, the fine also has elements of criminal law. Admittedly, it cannot be classified as criminal in the narrower sense. The EU lacks the legislative competence to enact regulations in criminal law.[2] However, a classification as criminal in the broader sense is appropriate. Kotschy, applying the Engel criteria of the ECHR, concludes that fines are "criminal within the wider, autonomous meaning of Article 6 ECHR", but not in the "criminal" sense of EU law.[3] This means that the imposition of fines must in any case respect the core principles of criminal law, e.g. the principles nemo tenetur se ipsum accusare, ne bis in idem and nulla poena sine lege (in particular nulla poena sine lege certa). This will be dealt with in the following while discussing the relevant provisions. However, Bergt rightly points out that the application of these criminal law principles to an administrative sanction cannot necessarily have the same scope as a criminal sanction in the narrower sense.[4]

Supervisory Authority as the Competent Body

The competent body for issuing administrative fines is the supervisory authority. This can be derived from Article 83(1) GDPR (“Each supervisory authority shall ensure [...]”). Such power is also confirmed by Article 58(2)(i) GDPR: "Each supervisory authority" shall be empowered to impose a fine. Another confirmation in this sense is brought by Recital 150 sentence 1 GDPR. It states that "each supervisory authority should have the power to impose administrative fines" in order "to strengthen and harmonise ". Finally, a pan-European system of sanctions can only function if all potentially competent supervisory authorities issue the same decisions in case of doubt. In order to make this possible at all, each supervisory authority must have the power to impose fines. Member States that do not provide for administrative fines are therefore obliged to a modified, comparably effective application of Article 83 GDPR, Article 83(9) (see below). The competence of the supervisory authority is determined in accordance with Articles 55 et seq. GDPR.

Violation as a Basic Requirement

The basic requirement for a fine is an infringement of the provisions listed in paragraphs 4, 5 and 6.

The wording "infringements of this Regulation" in paragraph 1 is not precise. Article 83(5)(d) GDPR also provides for fines for breaches of obligations pursuant to Member State law adopted under Chapter IX.

Minimum Triad (Discretion)

One of the main elements of the provision is the minimum triad to the fine on the discretionary side. The fine should be (a) effective, (b) proportionate and (c) dissuasive. This triad of requirements should be seen as the guiding principle not only for the issuing of a fine (Recitals 151 sentence 4 and 152 sentence 1 GDPR) but also for other types of sanctions, according to Article 84(1)(2) GDPR.

The elements of effectiveness and dissuasiveness cannot be clearly distinguished from each other or merge into each other.[5]

However, it seems clear that, by using the term “dissuasive”, the fine shall have a preventive function. In this context, it should be noted that dissuasion is not only to be related to specific prevention for the data controller or processor concerned. Rather, according to the GDPR's overriding objective of effectiveness, the fine is also intended to pursue general prevention objectives.[6]

To be dissuasive the fine must be so severe that the person responsible will refrain from further infringements, especially infringements of the same nature. The actual economic capacity of companies must be taken into account and used as a basis for orientation.[7] Insofar as it is argued that only the economic significance of the data processing, and not the overall economic performance, is to be used to measure the dissuasive effect,[8] this view must be rejected. This opinion is justified by considerations of economic efficiency, according to which it is sufficient to make specific data processing unprofitable. This view disregards the sanction character of a fine. The fine cannot be seen as an "high price" for data processing. Even fines in stricter criminal law are based on both the economic performance of the actor and the economic (in)value of the criminal conduct.

Furthermore, the fine alone must ensure effective sanctioning of data protection violations with sufficient dissuasive effect. In particular, this prohibits the supervisory authorities from making the assessment of the amount of the fine dependent on or coordinated with any claims for damages under Article 82 GDPR. Otherwise, the effectiveness of the fine would no longer be ensured.[9]

The terms dissuasive and effective also introduce a lower limit for the fine. It must not be merely symbolic in nature.[10]

The principle of proportionality enshrined in EU primary law in Article 5(4) TEU and Article 52(1)(2) CFR is reflected in secondary law.[11] A measure is proportionate if it pursues a legitimate aim, it is suitable and necessary to achieve this aim and the measure is also appropriate.

Case-by-case Assessment

The provision also stipulates that the minimum triad must be met "in each individual case". In this respect, a case-by-case assessment is required. This contrasts with the basic objective of the GDPR to achieve a uniform application of the law and also enforcement. Despite the case-by-case examination, comparable infringements are therefore also to be punished comparably. This interpretation is supported in particular by Article 70(1)(k) GDPR, which assigns the EDPB the task of drawing up guidelines concerning the setting of administrative fines.[12]

(2) Discretion on Whether and How to Impose a Fine; Relation to Corrective Measures

A clear systematic distinction between sentence 1 and sentence 2 is required to understand this provision. For a more detailed explanation, see Resolution Discretion with “Obligation” to Impose a Fine in Normal Cases.

Sentence 2 is the only provision in Article 83 GDPR that seeks to decide on the discretion to impose fines. In addition to a discretion regarding the amount of the fine (see Discretion Regarding the Amount of a Fine), the supervisory authority has first to decide “whether” to impose a fine at all. In doing so, it is generally obliged to impose a fine unless there is an exceptional, atypical case that does not justify the imposition of a fine (in Germany so-called Intended Discretion, see Resolution Discretion with “Obligation” to Impose a Fine in Normal Cases).

Sentence 1 is only designed to decide on the relation between corrective measures and fine. It does not seem to say anything about the supervisory authority’s power to impose a fine the corresponding discretion. This decision is independent from the sentence 2 decision.

Sentence 1: Relation to Corrective Measures

Sentence 1 first provides guidance on the relationship between the fine and other measures under Article 58(2)(a) to (h) and (j) GDPR. It specifies that fines should be imposed either "in addition to" or "instead of" these measures.

Since there is no option such as "not in addition to", it follows from this provision that as soon as the requirements of one of the measures are fulfilled and such a measure can be issued without discretionary error, a fine must (also) be issued as a rule (see below under Resolution Discretion with “Obligation” to Impose a Fine in Normal Cases). The consideration that a remedial measure may in itself lead to the achievement of data protection compliance may not in itself lead to a deviation from this rule.

An exception to this principle is only to be made for the reprimand under Article 58(2)(b) GDPR. The reference in Article 83(2)(1) GDPR is to be reduced teleologically in this respect. It is in line with the purpose of a reprimand to give the infringer a last chance to become compliant before the more invasive measure of a fine is imposed. In this respect, the objective of a reprimand could not be achieved if the authority had to or should impose a fine at the same time or instead of a reprimand. The legislator was also aware of this alternative relationship, as can be seen from Recitals 148 sentence 2 and 150 sentence 7 GDPR. The guidelines developed by the WP29 and endorsed by the EDPB also assume that the supervisory authority can issue a reprimand instead of a fine.[13]

Sentence 2: Discretion on Whether and How to Impose a Fine

Sentence 2 grants the competent supervisory authority a so-called intended discretionary decision ("whether" to impose a fine) as well as a discretionary choice regarding the amount of the fine (“how” to impose a fine). The provision provides a non-exhaustive list of criteria when deciding.

Resolution Discretion with “Obligation” to Impose a Fine in Normal Cases

The supervisory authority must first decide whether to impose a fine at all. The discretionary power granted in this respect is, however, intended.[14] This means that in the event of an infringement, the authority must in principle impose a fine, unless there is an exceptional, atypical case that does not justify the imposition of a fine. The discretion is "intended" in that the legislator generally wants a fine, but allows exceptions in deviating cases. In exercising its discretionary power, the authority must take into account the minimum triad in the specific case (see above) and - in particular for the purpose of evaluating whether a minor infringement has occurred - also the criteria listed in Article 83(2)(2) GDPR (see below).

The fact that the authority has a resolution discretion follows firstly from the wording of Article 83(2)(2) GDPR, which is unambiguous in this respect. A view according to which the authority has an obligation to impose a fine,[15] is to be rejected.

According to Article 83(2)(2) GDPR, the supervisory authority is not only entitled to decide on the amount of the fine. Rather, it says the following: "When deciding whether to impose an administrative fine […]". Insofar as the opposing view refers to the wording of Article 83(2)(1), Recital 148 sentence 1 GDPR and Article 83(4) and (5) GDPR ("shall ... impose"), which deviates from this,[16] this is not convincing. The primary regulatory objective of Article 83(2)(1) GDPR (and of Recital 148 sentence 1 GDPR) is to regulate the relationship of fines to other measures. There is no evidence that the provision is intended to introduce a simultaneous "incidental" obligation to impose fines. Rather, the decision on "whether" and "how" to impose a fine is explicitly regulated in the second sentence. Certainly, this is not completely convincing systematically, since the legislator could have made independent paragraphs out of sentences 1 and 2 in order to support the interpretation adopted here. However, the wording of paragraphs 4 and 5 cannot justify a different interpretation, as they only want to introduce the catalogue of infringements to be sanctioned and the respective fine frameworks, and explicitly refer to Article 83(2)(2) GDPR for the decision on "whether" and "how". Having said this, it is also irrelevant that the wording "may impose fines" initially provided for in the Council draft on Article 83(2)(1) as well as (4) and (5) GDPR was replaced by "shall impose fines".[17] Recital 148 sentence 2 GDPR, which mentions two examples in which the imposition of a fine is to be waived ("minor infringement"; "disproportionate burden to a natural person"), also speaks in favour of the view taken here. If there was no discretion, these exceptions could hardly be taken into account according to administrative law dogma, especially since the Recitals are not binding. That the phrasing in Article 83(2)(2) GDPR and Recital 149 sentence 2 GDPR are mere drafting errors must be rejected as an unfounded assertion in this respect.[18]

Contrary to Holländer's opinion, the wording in Recital 150 sentence 1 GDPR is not sufficient in itself to establish a discretionary power.[19] What has been said about the wording above applies accordingly here. The Recital primarily seeks to specify the requirement of a supervisory authority's power to intervene and does not in itself make any statement about the discretion to decide.

The discretionary power granted is "intended".[20] A deviating view that provides for a free discretion to decide must also be rejected.[21] It is clear from the preceding discussion that the imposition of a fine should be the rule. This follows in particular from the relationship of the fine to other measures under Article 58(2) GDPR (see above, Article 83(2)(1) GDPR and Recital 148 sentence 1 GDPR), which can be made fruitful at this point. Furthermore, according to Recital 148 sentence 2 GDPR, a fine should only be waived in clearly defined exceptional cases. Overall, the intended discretion is the most flexible solution. Only when it is applied can the intentions of the legislator resulting from Article 83 and the Recitals be implemented in a dogmatically clean manner. It leads to the authority imposing a fine as a rule on the one hand. On the other hand, it is the only way to exceptionally refrain from imposing a fine.

As already stated in the discussion on the teleological reduction of Article 83(2)(1) GDPR with regard to a reprimand, a fine may not be imposed if the supervisory authority issues a reprimand. Since the requirements of a fine and a reprimand under Article 58(2) GDPR overlap, the "intended discretion" is again the only way to allow the supervisory authority not to impose a fine without ignoring the legislator's intention to generally have to impose a fine.

Discretion Regarding the Amount of a Fine

The assessment of the amount of the fine is also at the discretion of the authority. Here, too, the authority has to weigh up the individual case, taking into account the minimum triad from paragraph 1 and the criteria mentioned in paragraph 2 sentence 2.

Of course, the general discretionary limits must be observed here. This should apply in particular to the principle of equal treatment, compliance with which can ideally be achieved by following EDPB guidelines under Article 70(1)(k) GDPR.[22] Such guidelines have not yet been issued. However, the EDPB endorsed (https://edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en) the WP29 Guidelines on the application and setting of administrative fines, which also refer to the importance of "equivalence".[23]

The provision itself says nothing about the relationship between the criteria described, in particular whether they should be weighted differently. Consequently, an abstract graded relationship should not be assumed. This is also in line with the ever-present requirement of a case-by-case assessment.[24]

The catalogue of assessment criteria is not exhaustive. Article 83(2)(2)(k) GDPR contains an explicit catch-all provision .[25] Whether criteria other than those expressly named can only be taken into account to a significantly lesser extent so as not to counteract the decision of the legislator[26] may be doubted in this generalized manner. By introducing letter (k), the legislator has made it clear that the assessment criteria are not exhaustively listed. The significance of criteria that are not explicitly mentioned is rather to be measured according to general legal methodology, in particular by a systematical comparison with the listed criteria.

Also in the application of these criteria, the discussion about the question of which area of law the fine should be assigned to becomes virulent. In principle, there are better reasons to apply the principles of criminal law here, in particular the prohibition of double punishment from Article 4 of the Additional Protocol to the ECHR as well as the nemo tenetur principle from Article 6(1) ECHR, albeit with limited scope. As a result, various criteria may not be taken into account in their entirety or only in a mitigating rather than aggravating manner.

The individual criteria are listed and commented on below:

(a)   the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

The elements of this criterion should be largely self-explanatory. The term “damage” is likely to be synonymous with the term used in Article 82 GDPR. It also follows explicitly that the civil liability for damages or its successful enforcement should not lead to a reduction of the fine (but rather to the opposite).

(b)   the intentional or negligent character of the infringement;

With the help of this provision, the extent to which the controller or processor has acted responsibly after the occurrence of a violation, in particular whether and which remedial measures they have taken, can be assessed in a mitigating and aggravating manner.[27]

(c)   any action taken by the controller or processor to mitigate the damage suffered by data subjects;

With the help of this provision, the extent to which the controller or processor has acted responsibly after the occurrence of a violation, in particular whether and which remedial measures they have taken, can be assessed in a mitigating and aggravating manner.[28]

As a rule, voluntary compensation for damage can only be taken into account in a way that mitigates the penalty. Such compensation can (indirectly) constitute an admission of guilt, so that a violation of the nemo tenetur principle can be present if the lack of compensation is taken into account in an aggravating manner.

(d)   the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

This criterion is intended to penalize technical negligence in data protection or the lack of special preventive measures. For the technical and organisational measures, reference is made to the comments on Article 25 and Article 32 GDPR.

(e)   any relevant previous infringements by the controller or processor;

On the one hand, this criterion is intended in particular to ensure that repeat offenders receive higher penalties in order to ensure the dissuasive effect of the fine. The wording, on the other hand, does not allow for a reduction of the penalty for first-time offenders. However, supervisory authorities may take this into account in the context of letter (k).

(f)    the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

This criterion has similarities with letter (c), as it also depends on positive (insightful) post-offense behaviour. However, it must be taken into account that an official measure was required to persuade the person responsible to a positive post-offense behaviour. In addition, the nemo tenetur principle must also be taken into account here.

(g)   the categories of personal data affected by the infringement;

This criterion first takes into account the importance of the special categories of personal data within the meaning of Article 9 GDPR. The special protection of Article 10 GDPR should also be taken into account when assessing fines.  However, this criterion should also allow for higher fines in case of types of data that do not fall under Articles 9, 10 GDPR are processed. Thus, other data, especially of financial nature, may be objectively or subjectively sensitive and justify an increased penalty.

(h)   the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

Here, too, a basic principle of criminal law is reflected, according to which a voluntary notification of an infringement should in principle lead to a mitigation of the penalty. Inversely, the nemo tenetur principle must also be sufficiently taken into account here.

(i)    where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

As a rule, the application of this criterion is likely to result in an increase in penalties. If the controller or processor has already been subject to measures under Article 58(2) GDPR, the controller or processor is forewarned and should already be induced to adapt its behaviour.

However, this criterion is only applicable to a limited extent if a fine is imposed under Article 83(5) Var. 1 or (6) GDPR, as otherwise there could be a violation of ne bis in idem.

(j)    adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

First of all, it clearly follows from this criterion that a fine may also be imposed even if the conduct leading to the infringement complied with approved codes of conduct. The more specific the approved code of conduct and the closer the infringement to be punished is to this code of conduct, the less this criterion may be taken into account. Otherwise, there would be a violation of the prohibition of contradictory conduct by the authority. The approval of codes of conduct establishes a certain trust worthy of protection on the part of the controller or the processor.

(k)   any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

The last criterion listed contains a catch-all provision. Please refer to the above comments on the non-exhaustive nature of the criteria.

At the same time, another economic criterion is introduced. In this context, the applied regulation technique is not entirely comprehensible. If a concrete example can be given for another criterion to be taken into account in the assessment of the fine, the legislator could have simply listed it as another written criterion. However, this does not necessarily lead to the conclusion that the economic criterion is a less relevant assessment criterion.

Recital 150(4) GDPR: "general level of income in the Member State " and "economic situation of the person"

According to Recital 150 sentence 4 GDPR, the "general level of income in the Member State " and the "economic situation of the person" should also be taken into account when assessing fines on persons who are not undertakings. There is no doubt that these criteria can also be taken into account via letter (k). Moreover, Frenzel rightly points out that these criteria must be taken into account anyway in the context of the proportionality principle (appropriateness), which must always be carried out pursuant to Article 83(1) GDPR.[29]

(3) Fine Framework for Multiple Violations by the Same or Linked Processing Operations

If there are violations of several provisions through the same or linked processing operations, only the largest relevant amount specified for will be taken as a basis.

With Article 83(3) GDPR, the legislator has decided in favour of the principle of absorption and against the principle of accumulation for processing operations that are identical or linked.[30]

The term "linked" is to be understood narrowly. This already follows from the systematic equivalence with the term "same". Any other interpretation would open up potential for abuse by artificially linking processing operations. Otherwise, the protective purpose of the provision to ensure consistent enforcement of the GDPR through dissuasion would be weakened.[31]

Nemitz correctly points out that such a fine must then in any case be higher pursuant to Article 83(2)(a) GDPR because of the multiple infringement than if only a single infringement had been committed in an individual case.[32]

However, the legal concept of the principle of accumulation applies to unlinked processing insofar as fines may be imposed independently of each other. In this respect, the dissuasive function and thus the effective enforcement of the GDPR is guaranteed.

(4) Fine Framework for Less Severe Violations

Paragraph 4 specifies the respective infringements subject to a fine and introduces (as paragraph 5) two further central terms for the assessment of the fine: the "undertaking" and the "total worldwide annual turnover". It also (as paragraph 5) sets the fine range by naming an upper limit. In this respect, paragraphs 4, 5 and 6 fulfill the task mentioned in Recital 150 sentence 2 GDPR.

Listed Violations

Paragraph 4 applies to the following offenses:

(a)    the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b)    the obligations of the certification body pursuant to Articles 42 and 43;

(c)    the obligations of the monitoring body pursuant to Article 41(4).

For the scope of the obligations (subject to fines) listed by the aforementioned provisions, please refer to the commentaries on the respective provisions.

Undertaking

The term "undertaking" corresponds to the EU competition law concept of an undertaking in the sense of Articles 101 and 102 TFEU. This follows from Recital 150 sentence 3 GDPR, which explicitly provides for this.

Recourse to this Recital is also relevant. The English version of the GDPR does not contain a legal definition of the term "undertaking" in Article 4 GDPR. However, it is problematic that the German ("Unternehmen"), French ("entreprise") and Spanish ("empresa") versions, for example, use the same term in Articles 4(18), 83 and in Recital 150 sentence 3 GDPR. In this respect, a position must be taken on the question of why, exceptionally, the Recital and not the supposed legal definition should be followed.

There are better reasons for interpreting the term “undertaking” in the sense of Articles 101 and 102 TFEU. It must be admitted that the Recitals are not binding and that it was unclean of the legislator not to include the reference to Articles 101 and 102 TFEU in the GDPR text. However, the term defined in Article 4(18) GDPR is used in various places in the GDPR and thus has a wide scope of application. An exception should be made to this scope for Article 83 GDPR. This intention can clearly be derived from Recital 150 sentence 3 GDPR, which is "more specific" in this respect.[33] This interpretation is supported by a teleological argument. Due to its general and special preventive function described above, the fine is intended to contribute to the comprehensive protection of individuals from unlawful data processing. Against large, multinational global corporations, especially in the internet sector, this can only succeed if the sanctions are also noticeable. If those companies could outsource data processing to low-turnover subsidiaries and thus reduce the fine, this goal would not be achieved.[34] This can be countered by the fact that under general principles of company law, it may also be possible to achieve liability without interpreting the undertaking in the sense of competition law.[35] However, this would lead to extensive, long-lasting and complex (especially judicial) individual case proceedings, which would run counter to the overarching objective of Article 83 GDPR, namely the effective enforcement of the GDPR. In this respect, the need for a broad definition of a company follows from the regulatory background alone.

The term "undertaking" in the sense of Articles 101 and 102 TFEU is not legally defined. However, the term should be sufficiently clarified by CJEU case law. The concept of an undertaking under EU law is based on the so-called functional entity principle - in contrast to the so-called legal entity principle. According to this principle, the concept of an enterprise is to be understood broadly. It is to be understood as any entity carrying out economic activities, irrespective of its legal form, the number of individual associated persons (natural or legal) and the way it is financed, as long as it does not only occasionally or temporarily participate in economic transactions.[36]

Fine Framework

The provision contains the lower of the two fine frameworks provided for in the GDPR.

The upper limit is EUR 10 million or, in the case of an undertaking, 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The sum of the annual turnover of all individual persons who are to be understood as an "undertaking" according to the above definition is to be taken as a basis. The GDPR and other EU law do not specify a concrete calculation method. In this respect, the authority should have the prerogative to assess the calculation method, whereby it is obliged to apply it uniformly due to the principle of equal treatment. The supervisory authorities should be guided by the existing, largely (internationally) standardised rules for the determination of turnover under tax or accounting law. After all, the multitude of undertakings will calculate these figures anyway so that they can evaluate the amount of potential fines by themselves.

There is no lower limit for the fine.

How the fine is to be assessed without discretionary error is described under Discretion Regarding the Amount of a Fine.

There is no provision for deprivation of profits in the case of infringements of the GDPR. However, according to Article 83(2)(2)(k) GDPR, financial benefits gained from the infringement can be taken into account when deciding on the amount of the administrative fine (see above).

Only insofar as Member States enact national regulations on sanctions (cf. Article 84 GDPR), a deprivation of profits is possible according to Recital 149 sentence 1 GDPR. Contrary to the wording, this can take place not only on the basis of criminal law, but also on the basis of administrative law.[37]

Principle of Certainty

Various violations of Article 83 (4), (5) and (6) GDPR against the principle of certainty (nulla poena sine lege certa) are discussed. For the fundamental question of the extent to which the principle of certainty applies to Article 83 GDPR, please refer to the above remarks on the classification of the fine. The direct application of Article 49 CFR is doubtful; however, the requirement of certainty can also be derived from Article 7 ECHR.[38]

Firstly, this is linked to the infringements listed in paragraphs 4 and 5, which are in some cases supposedly too broad.[39] [40]

Secondly, the legal consequence side is also partly classified as indeterminate.[41] [42]

Thirdly, reference is made to legal ambiguities that would arise from the fact that the member states themselves are allowed to enact regulations that are punishable by law.[43][44]

(5) Fine Framework for More Severe Violations

Paragraph 5 then contains the more serious infringements, which are punishable by a higher fine. The upper limit of the fine is EUR 20 million or, in the case of an undertaking, 4% of the total worldwide annual turnover, whichever is higher.

Paragraph 5 covers the following offenses:

(a)    the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b)    the data subjects’ rights pursuant to Articles 12 to 22;

(c)    the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

(d)    any obligations pursuant to Member State law adopted under Chapter IX;

(e)    non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

For the scope of the obligations (subject to fines) listed by the aforementioned provisions, please refer to the commentaries on the respective provisions.

(6) Superfluous Fine Framework for Non-Compliance with Orders Pursuant to Article 58(2) GDPR

Paragraph 6 is a superfluous provision and has no independent scope of application. The entire regulatory content of this provision is already covered by Article 83(5)(e) GDPR, which also provides for the same legal consequences.[45]

(7) Opening Clause for Fines on Public Authorities and Bodies

Paragraph 7 contains an opening clause. Member States may provide by law whether and to what extent fines may also be imposed on public authorities and bodies established in the Member State concerned.

From the reverse conclusion to this provision and from Recital 150 sentence 6 GDPR, it follows first of all that the GDPR does not provide for fines against public authorities and bodies by itself. This clarification is necessary because Article 83 GDPR does not contain a clear description of the provision addressees. It predominantly focuses on "controllers and processors", which does not exclude public authorities and bodies (cf. Article 4(7) and (8) GDPR). The fact that public authorities and bodies cannot constitute an "undertaking" within the meaning of Articles 83(4), (5) and (6) GDPR does not lead to a general exclusion as norm addressee. Thereby, only the relative ground for calculating a fine based on the annual turnover is excluded.

The addition of "without prejudice to the corrective powers of supervisory authorities as referred to in Article 58(2)" GDPR underlines that the supervisory authorities are in principle entitled to those powers also against public authorities and bodies. However, this result can be reached by applying Articles 4, 58(2) GDPR, too.

However, the usefulness of a fine against public authorities is debatable. After all, a fine against public authorities and bodies may only lead to a shift of financial resources within the public budget.[46] Nevertheless, the threat of withdrawal of financial resources may also serve as an incentive. Informal statements by data protection officers seem to show that the lack of fines leads to data protection law not being taken seriously in public authorities and bodies, as the responsible employees do not expect any consequences for violations of the law.[47] However, the problem with fines against public authorities and bodies appears to be that public authorities and bodies, which are fundamentally established in the interest of citizens, lose the resources necessary to fulfill their tasks, which are in the interest of citizens. However, it is also rightly pointed out that fines may be necessary in particular in the public health sector due to the processing of particularly sensitive personal data and in the public registration system due to the processing of particularly lucrative personal data for control purposes.[48]

The opening clause does not only grant the decision on "whether" to impose fines on public authorities and bodies. Rather, the member states are entitled to a completely unguided decision on the amount of fines. Certainly, it should be noted that a link to the fine framework of Article 83(4), (5) and (6) GDPR is unlikely to make much sense.

(8) Appropriate Procedural Safeguards

Paragraph 8 requires that appropriate procedural safeguards under Union and Member State law must exist in the fine proceedings. This includes in particular effective judicial remedies and due process. Paragraph 8 corresponds in this respect to Recital 148 sentence 4 GDPR.

In any case, due process should refer to the administrative procedure. In this respect, a hearing, a statement of reasons for the decision, which also takes a position on the calculation method used, etc. is required in any case.[49]

Whether due process also refers to judicial remedies can be left open, as the word "effective" used there includes due process of law. For the judicial remedies, reference is made to Article 78 GDPR and its commentary.

The provision is aptly described by Moos/Schefzig as a "mandatory opening clause".[50] Paragraph 8 is likely to establish a comprehensive legislative obligation for all Member States, provided that the aforementioned criteria are not yet fulfilled in the respective Member State law. However, no new rules need to be created if the administrative procedure behind the imposition of fines fits into the Member State's administrative law doctrine. In this respect, paragraph 8 should establish a corresponding obligation of the Member States to check whether this is the case.

(9) Modified Application for Member States Without Administrative Fines

With paragraph 9, Article 83 GDPR provides for a further provision to ensure effective enforcement of data protection law across the EU (harmonisation and effectiveness).

It responds to the fact that in some Member States administrative fines are not allowed by law. According to Recital 151 GDPR, these are in any case Denmark and Estonia, whereby the respective legal peculiarities are outlined there. However, the fact that these two states are not mentioned by name in Article 83(9) GDPR ensures that Member States which, by 25 May 2018, either unknowingly did not provide for administrative fines or still provided for administrative fines but abolished them at a later date, cannot subsequently dispense with their obligations under Article 83 GDPR. According to a decision of the Slovenian Supreme Court of 16 March 2021, Slovenia seems not to allow for administrative fines either. As far as can be seen, Slovenia has not complied with the obligation under Article 83(9)(3) GDPR. Also, no fines have yet been imposed in Slovenia. This is highly questionable from an effectiveness point of view.

According to Article 83(9)(1) GDPR, in these cases a modified application of Article 83 GDPR must be made in such a way that a fine is initiated by the supervisory authority and imposed by the competent courts. Beyond this, these Member States are generally obliged to apply Article 83 GDPR in full (adapted to the absence of administrative fines).

It must be ensured that these remedies are effective and have the same effect as the fines imposed by the supervisory authorities. Article 83(9)(2) GDPR emphasises the importance of paragraph 1 once again: The Member States concerned are explicitly obliged to apply the minimum triad. This provision is likely to be declaratory in nature. After all, this obligation should already result from the obligation of modified application itself.

Finally, Article 83(9)(3) GDPR contains an information (25 May 2018) and update obligation vis-à-vis the Commission with regard to national legislation adopted in fulfilment of the obligation under Article 83(9)(1) GDPR. The purpose of this provision is that the Commission can also verify and track the effective enforcement of the GDPR in Member States without administrative fines.

Decisions

→ You can find all related decisions in Category:Article 83 GDPR

References

  1. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).
  2. Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 41 (Beck 2020, 36th ed.) (accessed 10 August 2021).
  3. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1184 (Oxford University Press 2020).
  4. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 44 (Beck 2020, 3rd ed.) (accessed 10 August 2021).
  5. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  6. Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 7 (Beck 2021, 3rd ed.) (accessed 10 August 2021); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 19 (Beck 2019, 1st ed.) (accessed 10 August 2021).
  7. Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 22 (Beck 2020, 36th ed.) (accessed 10 August 2021).
  8. Moos/Schefzig, in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 26 (Beck 2019, 3rd ed.) (accessed 10 August 2021).
  9. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 10 August 2021); also Moos/Schefzig, in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 24 (Beck 2019, 3rd ed.) (accessed 10 August 2021).
  10. Cf. Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 20 (Beck 2019, 1st ed.) (accessed 10 August 2021).
  11. Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 6 (Beck 2021, 3rd ed.) (accessed 10 August 2021).
  12. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 9 (Beck 2018, 2nd ed.) (accessed 10 August 2021); Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 51 (Beck 2020, 3rd ed.) (accessed 10 August 2021).
  13. WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253), 3 October 2017, p. 9.
  14. Correctly only Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 26 (Beck 2020, 36th ed.) (accessed 10 August 2021).
  15. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021); Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  16. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021).
  17. Cf. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021); cf. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 14 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  18. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 30 to 32f (Beck 2020, 3rd ed.) (accessed 10 August 2021); Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 15 (Beck 2019, 1st ed.) (accessed 10 August 2021).
  19. Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 26.1 (Beck 2020, 36th ed.) (accessed 10 August 2021).
  20. See also Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 26 (Beck 2020, 36th ed.) (accessed 10 August 2021).
  21. Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 8 to 12 (Beck 2021, 3rd ed.) (accessed 10 August 2021); Moos, Schefzig, in Taeger, Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 28 (Beck 2019, 3rd ed.) (accessed 10 August 2021).
  22. Cf. Nemitz, in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 10 August 2021); see also Recital 150 sentence 5 GDPR.
  23. WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253), 3 October 2017, especially p. 5.
  24. Kotschy explains (unconvincingly, we find) that the main criteria are (a), (b), (c), (e) and (f). This is neither further substantiated (Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020)), nor can it be deduced from the Recitals. Recitals 148 and 150 GDPR contain lists of criteria that are not identical with Article 83(2)(2) GDPR. However, Kotschy’s assessment of the main critereria is not consistent with “selections” by the Recitals. Recital 148 sentence 3 GDPR, for example, lists all criteria except (f) and (g). (k) is also mentioned, which would make the catch-all criterion appear more important than two explicitly listed, but not mentioned criteria. This is certainly not intended. The enumeration in Recital 150 sentence 2 GDPR is also very abstract and only includes parts of the criteria, different from Recital 148 sentence 3 GDPR. A general rule cannot be derived from this.
  25. Cf. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (Beck 2020, 3rd ed.) (accessed 10 August 2021).
  26. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 52 (Beck 2020, 3rd ed.) (accessed 10 August 2021).
  27. WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253), 3 October 2017, p. 13.
  28. WP29, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (WP253), 3 October 2017, p. 13.
  29. Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 13 (Beck 2021, 3rd ed.) (accessed 10 August 2021).
  30. Cf. Kotschy, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 83 GDPR, p. 1189 (Oxford University Press 2020); also Jahnel, Datenschutz-Grundverordnung, Article 83, margin number 12 (Jan Sramek Verlag 2021).
  31. Cf. only Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 31 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  32. Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 32 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  33. Instead of many Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 42 (Beck 2018, 2nd ed.).
  34. Boehm, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 43 (Beck 2019, 1st ed.) (accessed 10 August 2021).
  35. This is also recognised by Nemitz, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 44 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  36. Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 10 (Beck 2020, 36th ed.) (accessed 10 August 2021) with reference to ECJ, 10 April 2014, Siemens AG Österreich, C-231/11 P, C-232/11 P, C-233/11 P, margin numbers 42 to 44 (available here) and ECJ, 23 April 1991, Höfner and Elser, C-41/90, margin number 21 (available here); Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 40 (Beck 2019, 1st ed.) (accessed 10 August 2021) with reference to ECJ, 16 March 2004, AOK-Bundesverband, C-264/01, C-306/01, C-354/01 and C-355/01, margin number 46 (available here).
  37. Bergt, in Kühling, Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 9 (Beck 2020, 3rd ed.) (accessed 10 August 2021).
  38. In this respect potentially inaccurate Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 5 (Beck 2020, 36th ed.) (accessed 10 August 2021).
  39. Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021).
  40. Some authors state that the offenses leading to a fine are in part too broad. This is exemplified by the reference in Article 83(5)(a) GDPR, an infringement with the highest possible fine framework, to all processing principles mentioned in Article 5 GDPR (Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); Frenzel, in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021); Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021)). Emphasis is placed, for example, on the obligation under Article 5(1)(a) var. 2 GDPR to process data fairly (Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021)). Insofar as a fine should indeed only be based on unfair data processing, this view is to be endorsed. The reference to Article 5(1)(a) var. 2 GDPR to this effect is likely to violate the principle of certainty. However, this does not lead to the overall unlawfulness of the other references in Article 83(4), (5) and (6) GDPR (ambiguous Frenzel, in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021)). In principle, it should again be taken into account that the principles of criminal law do not apply with the same scope to administrative fines (see above). In addition, it should be practically rare for a fine to be imposed (only) for a breach of individual processing principles, as these are specified and specifically regulated in many places in the GDPR. Thus, a breach of "lawfulness" under Article 5(1)(a) var. 1 GDPR is always also a breach of the much more specific Article 6 GDPR. Overall, it is likely to be necessary to demand with Gola that the general clause of Article 5 GDPR be interpreted narrowly and that only clear violations be subsumed under it (Gola in Gola, DS-GVO, Article 83 GDPR, margin number 26 (Beck 2018, 2nd ed.) (accessed 10 August 2021)). Moreover, this problem will be increasingly compensated by the forthcoming application of the law, in particular by judicial decisions concretising the law (cf. Frenzel, in Paal/Pauly, DS-GVO BDSG, Article 83 GDPR, margin number 24 (Beck 2021, 3rd ed.) (accessed 10 August 2021)). In this context, it is often overlooked that many of the provisions subject to fines have emerged from the Directive 95/46/EC and are therefore likely to have already been sufficiently specified by case law (Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 53 (Beck 2019, 1st ed.) (accessed 10 August 2021)).
  41. Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); Bergt, in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin numbers 44 to 49 (Beck 2020, 3rd ed.) (accessed 10 August 2021).
  42. Different points of reference are chosen. Holländer, for example, criticises the fact that the fine is relatively dependent on the undertaking’s turnover, whereas EU law does not provide for a method of determination and derives from this a lack of protection against arbitrariness (Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 6 (Beck 2020, 36th ed.) (accessed 10 August 2021); cf. Bergt, in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin numbers 44 to 49 (Beck 2020, 3rd ed.) (accessed 10 August 2021)). First of all, it should be considered that the principle of legal certainty is probably less valid on the side of legal consequences. After all, its primary intention is to show an individual which conduct contradicts the rules and is punishable (facts side). Of course, for reasons of the rule of law, the imposition of legal consequences must follow clearly recognisable standards with a defined maximum. However, it is not the task of the legislator to put controllers and processors in the position of evaluating economically whether a violation is worthwhile, i.e. whether the direct and indirect (financial) advantages definitely exceed a potential fine. There are no doubts as to the definiteness (Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 54 (Beck 2019, 1st ed.) (accessed 10 August 2021)). The undertaking is likely to be sufficiently determined by the ECJ case law on commercial law (see above). The small deviations of different calculation methods in relation to the annual turnover should also be negligible (see above). A "prudent trader" can be expected - if necessary with the help of legal counsel - "to foresee in a sufficiently precise manner the method of calculation and order of magnitude of the fines" (Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 54 (Beck 2019, 1st ed.) (accessed 10 August 2021) with reference to ECJ, 18 July 2013, Case C-501/11 P, margin number 58 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=140394&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=5645800). It is also not convincing to construct a violation of the principle of certainty from the relative calculation method (Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 7.1 (Beck 2020, 36th ed.) (accessed 10 August 2021)). As just explained, the variables relevant to the assessment are sufficiently determined, which alone should be decisive.
  43. Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021) with reference to Hohmann, in Roßnagel, Europäische Datenschutz-Grundverordnung, § 3 margin number 331 (Nomos 2017, 1st edition).
  44. The isolated view that it violates the principle of certainty that the Member States in part have considerable regulatory leeway, which makes it impossible for the individual to infer directly from Article 83 which conduct is sanctioned (Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 52 (Beck 2019, 1st ed.) (accessed 10 August 2021) with reference to Hohmann, in Roßnagel, Europäische Datenschutz-Grundverordnung, § 3 margin number 331 (Nomos 2017, 1st edition)), is negligible. It cannot be inferred from the principle of certainty that all punishable conduct must be discoverable at a central regulatory location. This would in any case not do justice to the sovereignty of the Member States within the European Union, which must be preserved. Only the respective member state regulations are to be examined from the perspective of the principle of certainty as soon as they have been enacted. As in any other area of law, the norm addressee is fundamentally obliged to inform himself about the provisions applicable to him (cf. ignorantia juris non excusat).
  45. Clearly insofar only Boehm, in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Article 83 GDPR, margin number 51 (Beck 2019, 1st ed.) (accessed 10 August 2021).
  46. Holländer, in BeckOK DatenschutzR, Article 83 GDPR, margin number 79.1 (Beck 2020, 36th ed.) (accessed 10 August 2021).
  47. Bergt, in Kühling/Buchner, DS-GVO BDSG, Article 83 GDPR, margin number 26 (Beck 2020, 3rd ed.) (accessed 10 August 2021).
  48. Nemitz, in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 47 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  49. Cf. Nemitz, in Ehmann/Selmayr, Datenschutz-Grundverordnung, Article 83 GDPR, margin number 12 (Beck 2018, 2nd ed.) (accessed 10 August 2021).
  50. Moos/Schefzig, in Taeger/Gabel, Datenschutzrecht, Article 83 DSGVO BDSG, margin number 119 (Beck 2019, 3rd ed.) (accessed 10 August 2021).