Cemre Apaydın


The New German Fining Policy under GDPR and differences from The Dutch Fining Policy

The Fining Policy was[1] published on 14 October 2019 by the German Data Protection Authority (Datenschutzbehörde). The authority agreed with this policy a new way of calculating administrative fines imposed on data breaches in accordance with GDPR[2].

The penalties to be paid when data breaches occur are determined under this policy. The enterprise making the data breach is obliged to pay the fine determined according to the annual turnover and the quality of the data breach.

First of all, it is necessary to examine the Dutch Fining Policy, which was published on 14 March 2019 as the first example of the fining policy for data breaches; The Dutch Data Protection Authority (the Dutch Authority) has established a four-stage fine bandwidths model for data breaches. The Dutch Authority foresees a basic fine for each data breach, but within of the quality, specific characteristics and other circumstances of the breach, it may increase or decrease this basic fine within the bandwidths. The Dutch Authority may impose higher penalties than the band intervals if it considers it “not appropriate” for the specified penalty. In this case, it is regulated in the policy that the punishment imposed under GDPR[3] can authorize each individual case to be “effective, proportionate and dissuasive.”

Similar to the Dutch Authority, the German Data Protection Authority categorized administrative fines under the GDPR in its policy. By issuing this policy, the German Authority has developed a company-oriented fines system different from the Dutch Authority, ensuring transparency in penalties and penalties based on the value of each company.

Unlike the Dutch Authority, the German Authority has developed a five-step system of fines for GDPR violations. With these five-step method, it is aimed to impose fines on a case-by-case basis and transparency.

The german Policy has developed a system that is not included in the Dutch Policy, companies are classified as; micro, small, medium-sized enterprises (SMEs) or large-scale companies.[4]

In accordance with the policy, companies are included in one of the four groups as the first step and secondly, the average annual turnover is determined. In the third step, the German Authority determines the “daily rate”  by dividing 360 days the calculated annual turnover. In the fourth step, the infringement of the quality of the case and the damage caused by the data infringement under GDPR; minor, avarage, severe and very severe infringements. The authority creates a “fine corridor” by calculating the severity of the infrigment with the daily rate determined in the previous step. In the last step, by assessing the quality of the data breach offense and the data subject affected and the consequences within the scope of the GDPR, the Authority may change the fine according to the nature, scope and purpose of the illegal processing, the number of data subjects involved, the degree of data subject to the transaction, and the degree to which other subjects are exposed.[5]

Although there are similarities in the Dutch and German fining policies, the main differences are great. As can be seen, the focus point of the Dutch Monetary Criminal Policy is the type of data breach and the nature of the case. Accordingly, the band spacing is drawn up or down completely in line with the nature of the violation. This policy primarily aims to impose a fine in accordance with the substantive elements. It has not introduced any regulations regarding companies that have committed data breaches. In addition, the German fine policy is also focused on companies that perform data breach cases. It is based not only on the nature of the data breach but also on the size of the Company that has committed the breach.

With the new system introduced by the German Fining Policy, the amount of fines for GDPR infrigments increases. The company classifications defined in the policy are based solely on the turnover of the companies, and it is seen that there is no classification regarding the activity fields of the companies. Basically, the fines calculated on the annual turnover of the companies have great risks for the companies. With the policy, it is planned that the fines to be given to the companies in each case will be transparent, proportionate and dissuasive.


[1] https://www.datenschutzkonferenz-online.de/media/ah/20191016_bu%C3%9Fgeldkonzept.pdf

[2] General Data Protection Regulation

[3] Article 83, GDPR

[4] Which is imported by Recital 150, GDPR

[5] https://www.dataprotectionreport.com/2019/10/german-data-protection-authorities-publishes-a-new-gdpr-model-for-fines/