The Fining Guidance sets out a five-step approach to calculating an appropriate fine, taking into account the assessment of seriousness of the infringement, the turnover of the controller or processor (where relevant), and any other aggravating or mitigating factors. This approach is not intended to be mechanistic. The overall assessment of the appropriate fine amount involves evaluation and judgement, taking into account all the relevant circumstances of the individual case.

Summary of responses

We received a range of detailed comments about the way we plan to calculate the level of fine, particularly in relation to the use of turnover as a means of determining the starting amount where the controller is an undertaking. In summary: 

    • Some respondents suggested a more equal distribution of the percentage starting amounts attributable to the levels of seriousness and that a degree of overlap between the bands may be appropriate. 
    • Other respondents noted that starting the range for an infringement with a low degree of seriousness at £0 would be inconsistent with the decision to impose a fine on the basis that imposing a fine of £0 would not be effective. 
    • One respondent was concerned that the approach might lead to a large multinational being fined at the level of the legal maximum even in circumstances where no real harm arises from the event. 
    • Several respondents commented on the use of turnover: 
        • noting that turnover is not necessarily an indicator of healthy finances; 
        • raising concerns that the use of forecasts about turnover might be too uncertain and that the ICO should adjust fines retrospectively; 
        • suggesting that the ICO should use turnover in the year of the relevant infringement (or an average turnover); and 
        • asking how the ICO would go about obtaining the necessary financial information, particularly for overseas companies or private companies.  

ICO response

We do not propose to change the approach in the Fining Guidance in relation to the distribution of starting points for seriousness. As explained in paragraph 112 of the Fining Guidance, the purpose of this approach is to allow the ICO greater flexibility in deciding on the appropriate fine for more serious infringements. It also reflects the fact that, in the ICO’s view, it is unlikely that infringements with a low or medium degree of seriousness will require starting points exceeding 10% or 20% of the relevant legal maximums respectively.

We also do not propose to amend the bands to allow for overlap between the starting amounts for each category. This is because, although each fine is considered on a case-by-case basis, the Fining Guidance aims to provide a degree of certainty about how the ICO generally approaches calculating a fine. We consider that providing for overlap between the bands would mean there is less clarity about the likely application of the guidance in practice. However, taking into account the comments received, we have removed the reference to £0 as the lowest starting amount to make clear that, having decided to impose a fine, it will not be set at zero.

The ICO notes the concern raised that multinational companies risk being liable for the largest fines on the basis of the scale of their operations even if no real harm arises. However, the ICO considers that the Fining Guidance ensures that the ICO retains flexibility in determining an appropriate fine based on the individual circumstances of the case and notes that the level of damage suffered is one of a range of factors taken into account in the assessment of the appropriate fine. 

We agree with the point that turnover (or revenue) does not necessarily provide sufficient information about an organisation’s financial health. However, the use of an organisation's turnover reflects the wording of the legislation and provides a means of calculating the starting point of a fine to account for material differences in the size of organisations. The Fining Guidance ensures that the ICO will take the overall financial position of the organisation into account when considering whether the level of fine at the end of step four is effective, proportionate and dissuasive in the individual circumstances of each case. As explained in the Fining Guidance (in footnote 99), while the ICO will generally take into account annual turnover as the primary indicator of its size and financial position, we will also consider other financial indicators where relevant, such as profits, net assets or dividends.

In relation to the comment about the risks of using forecast revenue or projections, the ICO notes that the Fining Guidance is clear that the ICO will generally base turnover figures on audited accounts. It is only where such accounts are not available or do not reflect the true scale of the organisation that the ICO may use management accounts or forecast figures to adjust the turnover figure. The ICO’s use of sources other than audited accounts for this purpose will be based on an assessment of the robustness of the available evidence. We note that the Fining Guidance (paragraph 125) already indicates that, if necessary, the ICO will obtain financial information using information notices, but we have amended the guidance to make it clear that this may involve the use of our statutory information gathering powers. 

The ICO also considers that the use of the organisation’s turnover for the financial year preceding the ICO’s decision provides an appropriate level of certainty. Further, it is consistent with the references to “preceding financial year” in section 155 DPA 2018 and Article 83 UK GDPR, as well as with the EDPB’s decisional practice (see EDPB Binding Decision 1/2021, paragraph 298). However, if there is evidence that an organisation has obtained an economic or financial benefit as a result of the infringement then this may be regarded as an aggravating factor leading to an uplift in the amount of the fine.