DP News – Week 34. EDPB provides more guidance on the calculation of administrative fines.
Further to the Guidelines 04/2022 “On the calculation of administrative fines under the GDPR”, the EDPB handled a practical case and published a ‘binding decision’ under the GDPR Article 65(1)(a), where it provided for some practical interpretation of the fine calculation rules.
The dispute resolved centres on the disagreement between Poland’s supervisory authority (‘supervisory authority concerned’) and its France’s counterpart CNIL (‘lead supervisory authority’). After receiving 11 complaints in 2018/19 (with some of them transmitted by other supervisory authorities), CNIL issued the decision against Accor SA, a company operating in the hospitality sector. Accor SA was accused of ‘failure to respect the right to object to marketing activities and difficulties encountered in exercising the right of access’.
When calculating the amount of fine, CNIL took into account ‘the economic context caused by the Covid-19 health crisis’ and ‘its consequences on ACCOR’s financial situation’, which […] reported a 54% drop in its turnover between 2019 and 2020 due to the health crisis linked to the Covid-19 pandemic’. With this in mind, CNIL reduced the fine to 100’000 EUR. It referred to Article 83(2)(k) GDPR and opined that “even though the turnover of the controller is a significant element when determining the amount of the fine, it should go together with all the other criteria provided for by Article 83(2) of the GDPR’’.
That became a point of disagreement with Poland’s DPA which was of the opinion that CNIL should not grant a reduction due to a lack of evidence that the fine, ‘even several times higher’, may impact the controller’s solvency, ‘despite the loss of turnover incurred by ACCOR during the Covid-19 pandemic’.
In its ‘binding decision’, the EDPB pointed out that a ‘lead supervisory authority’, ‘may reduce the fine on the basis of the inability to pay principle but only in very exceptional circumstances’. This might be the case where ‘the relevant turnover for the calculation of the fine does not, on its own, adequately reflect its financial capacity due to exceptional and recent sectoral economic circumstances which directly and substantially affect its activities’.
Finally, the EDPB outlined that CNIL should have taken into account the turnover of the preceding year (2021), while ‘the drop in the turnover of ACCOR as a mitigating factor under Article 83(2)(k) GDPR’ should not be factored in. The EDPB explains that ‘the mere finding that an undertaking is in an adverse or loss-making financial situation does not automatically warrant a reduction of the amount of the fine’.
With this in mind, the EDPB instructed CNIL ‘to reassess the elements it relied upon to calculate the amount of the fine in order to ensure it meets the criterion of dissuasiveness under Article 83(1) GDPR, taking account, in particular, of the relevant turnover of ACCOR’.