EDPB adopts final version of Guidelines on the calculation of administrative fines following public consultation
During its latest plenary, the EDPB adopted a final version of the Guidelines on the calculation of administrative fines following public consultation. These guidelines aim to harmonise the methodology data protection authorities (DPAs) use to calculate fines and include harmonised ‘starting points’. Hereby, three elements are considered: the categorisation of infringements by nature, the seriousness of the infringement and the turnover of a business.
The guidelines set out a 5-step methodology, taking into account the number of instances of sanctionable conduct, possibly resulting in multiple infringements; the starting point for the calculation of the fine; aggravating or mitigating factors; legal maximums of fines; and the requirements of effectiveness, dissuasiveness and proportionality.
Following public consultation, an annex was added with a reference table summarising the methodology and two examples of practical application. As explained in the reading guide, the table and the examples are for illustration purposes only and have to be read in conjunction with the Guidelines.
The guidelines are an important addition to the framework the EDPB is building for more efficient cooperation among DPAs on cross-border cases, a strategic priority for the EDPB.
Also following public consultation, the EDPB adopted a final version of the Guidelines on the application of Art. 65(1)(a). The guidelines aim to delineate the main stages of the Art. 65 procedure and to clarify the competence of the EDPB when adopting a legally binding decision on the basis of Art. 65(1)(a) GDPR. Following public consultation, the guidelines were amended to introduce clarifications and reflect recent developments, such as the adoption of the EDPB Guidelines on the application of Art. 60 GDPR and changes to the EDPB Rules of Procedure. In addition, an executive summary was added.
Anu Talus elected new Chair of the European Data Protection Board
The EDPB has elected Anu Talus as the new Chair of the European Data Protection Board (EDPB) to replace outgoing Chair Andrea Jelinek. She was elected with 19 votes out of 27, in two rounds.
Anu Talus is the head of the Finnish Data Protection Authority (DPA), a function she will as of today combine with the role of EDPB Chair.
EDPB Chair, Anu Talus said: “I am honoured and grateful to be elected EDPB Chair and I see it as a token of appreciation by my fellow heads of DPA. As a closely integrated network of DPAs, the EDPB has the important task of ensuring that 450 million Europeans enjoy the same level of data protection, regardless of where they live.”
“Part of the newly adopted EU digital legislation overlaps with the GDPR. Going forward, it is crucial to ensure that the legal framework related to the data protection is coherent, that the competences of the EDPB are safeguarded and that fragmentation is avoided. Grey areas are in no one’s favour, not the individuals whose personal data we protect, nor economic operators who need legal certainty.”
Outgoing Chair, Andrea Jelinek said: “The new EDPB Chair has exciting challenges ahead and Anu has solid foundations to build upon. In the past five years, the GDPR has become a global landmark as the world’s most comprehensive data protection law. I am confident that the EDPB, this unique body with great responsibilities and a far-reaching impact, will benefit greatly from the expertise of Anu.”
According to Art. 73 GDPR, the Board elects one Chair and two Deputy Chairs amongst its members by simple majority and through a secret ballot. Their term of office shall be five years, renewable once. The Chair of the EDPB oversees all the tasks of the Board and ensures their timely performance. She represents the Board.
The EDPB also elected Irene Loizidou Nikolaidou (CY DPA) as new Deputy Chair to replace outgoing Deputy Chair Ventsislav Karadjov.
EDPB Deputy Chair Aleid Wolfsen (NL) was elected on 15 May 2019; his term will normally end on 15 May 2024.
The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The EDPB is established by the General Data Protection Regulation (GDPR).
The EDPB is supported in its work by the EDPB Secretariat. The Secretariat performs its tasks under the Chair's instructions. It provides analytical, administrative and logistical support to the Board; it organises all the Board’s meetings and manages IT platforms used by DPAs to cooperate. In addition, the Secretariat has a major role in supplying legal analysis.