Setting fines, guidelines and the Law Enforcement Directive
The WP29 (adopted by the EDPB) and the EDPB's 2022 guidelines steer how fines are calculated. A fine is not a mere mathematical exercise. Minor infringements may draw a reprimand instead of a fine; intentional breaches are generally more severe than negligent ones; a resource shortage cannot legitimise a breach. The EDPB sets a five-step calculation method. The Law Enforcement Directive (LED) mirrors the GDPR's supervision regime for the public-sector law-enforcement community - but without the lead authority concept and without financial penalties.
Minor infringements (no significant risk to rights, or not touching the essence of the obligation) may be met with a reprimand instead of a fine
Intentional breaches (authorised by management, against DPO advice, or in disregard of policy) are generally more severe than unintentional ones
A breach cannot be legitimised by claiming a shortage of resources
No additional credit for simply meeting the law's requirements, including merely fulfilling breach-notification duties
Multiple breaches straddling both tiers can be taken at the higher level
GDPR vs Law Enforcement Directive (LED) - supervision & enforcement
Feature
GDPR
LED
Supervision regime
Full DPA tasks and powers
Mirrors the GDPR regime
Lead authority / one-stop shop
Yes (Arts 56, 60)
Absent (no lead-authority concept)
Cooperation & consistency mechanism
Yes (Arts 60–66)
Absent (the related mechanisms do not apply)
Financial penalties (fines)
Yes (Art 83)
No financial penalties
🔑 Calculating a fine is not a maths exercise
The EDPB stresses the calculation of a fine is no mere mathematical exercise - the circumstances of the specific case drive the final amount, which can vary between any minimum and the legal maximum. The five-step method is structured but not formulaic.
Key terms - quick answers
What is “Reprimand”?
A lighter response that may replace a fine for a minor infringement, or where a fine would be a disproportionate burden on a natural person.
What is “Five-step calculation”?
The EDPB's method: identify processing operations; set a starting point (nature/seriousness + turnover); weigh aggravating/mitigating features; establish the maximum; ensure the fine is effective, proportionate and dissuasive.
What is “Law Enforcement Directive”?
The LED - mirrors the GDPR's supervision and enforcement regime for public-sector law enforcement, but with NO lead authority and NO financial penalties.