Below an overview of the only comprehensive fining methodologies that were published so far by EU DPAs (specifically, by the Dutch, Danish, and Latvian DPAs), as well as the relevant draft Statutory guidance issued by the UK DPA (ICO) in 2020. Therefore, this analysis will also show how the approach of the ICO in this matter will likely continue to differ from that of the EDPB and EU DPAs. It is divided into two sections that take a deep dive into (i) how those DPAs propose to apply the criteria set out in Article 83(1) to (3) GDPR in practice – highlighting where they diverge from the 2018 EDPB guidelines – and (ii) how they propose to standardize the amounts of the fines imposed against controllers or processors in their jurisdictions.
