During the calculation of the amount of the fine to be imposed, the supervisory authority was tasked with assessing the seriousness of this case. As a starting point, the supervisory authority noted that an infringement of Article 12 GDPR is listed among the infringements of Article 83(5) GDPR and therefore falls within the higher tier of Article 83 GDPR. Secondly, the supervisory authority assessed the circumstances of the case. In that regard, the supervisory authority carefully analysed the nature of the infringement. Even though the timely right to access to personal data is one of the cornerstones of the data subject rights, the supervisory authority considered that the infringement was of limited seriousness in this respect, given that all requests were handled eventually and with a limited delay. Considering the purpose of the processing, the supervisory authority found that the processing of personal data was not the core business of the online store, but still an important ancillary in fulfilling its objective of selling goods online. The supervisory authority considered this to increase the seriousness of the infringement. On the other hand, the level of damage suffered by the data subjects was considered minimal, as all access requests were handled within 6 months. Taking all the above into account (nature of the infringement, purpose of the processing and level of damage), the supervisory authority concludes that the infringement is considered to be at a low level of seriousness. The supervisory authority will determine the starting amount for further calculation at a point between 0 and 10% of the legal maximum included in Article 83(5) GDPR.
4.3 - Turnover of the undertaking with a view to imposing an effective, dissuasive and proportionate fine 64.
The GDPR requires each supervisory authority to ensure that the imposition of administrative fines is effective, proportionate and dissuasive in each individual case (Article 83(1) GDPR). The application of these principles of European Union law can have far-reaching consequences in individual cases, as the starting points that the GDPR offers for calculating administrative fines apply to micro-enterprises and multinational corporations alike. In order to impose a fine that is effective, proportionate and dissuasive in all cases, supervisory authorities are expected to tailor administrative fines within the entire range available up until the legal maximum. This can lead to significant increases or decreases of the amount of the fine, depending on the circumstances of the case.
65.
The EDPB considers that it is fair to reflect a distinction of the size of the undertaking in the starting points identified below and therefore takes into account its turnover 26.However, this does not dismiss a supervisory authority from the responsibility to carry out a review of effectiveness, dissuasiveness and proportionality at the end of the calculation (see Chapter 7). The latter covers all the circumstances of the case, including e.g. the accumulation of multiple infringements, increases and decreases for aggravating and mitigating circumstances and financial/socio-economic circumstances. It is, however, incumbent upon the supervisory authority to ensure that the same circumstances are not counted twice. In particular, supervisory authorities should not, under Chapter 7, repeat the increases or decreases relative to the turnover of the company, but rather revisit their evaluation of the appropriate starting amount.
66.
For the reasons outlined above, the supervisory authority may consider adjusting the starting amount corresponding to the seriousness of the infringement in cases where this infringement is committed by an 26
See also EDPB Binding Decision 1/2021, paras. 411 and 412: “[Insofar] the turnover of an undertaking is not exclusively relevant for the determination of the maximum fine amount in accordance with Article 83(4)-(6) GDPR, but it may also be considered [as one relevant element among others] for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Article 83(1) GDPR.” The turnover of the undertaking concerned is further elaborated on in Chapter 6.2 of these Guidelines.
Adopted - version for public consultation
22