How are fines calculated under the GDPR?

Answer:

Fines under the GDPR are calculated based on Guidelines 02/2022 of the European Data Protection Board (EDPB). The EDPB is responsible for adopting such guidelines under Article 70(1)(k) of the GDPR. The guidelines for fines were adopted in version 2.1 on May 24, 2023.

Legally, the guidelines are not binding on supervisory authorities. However, since the EDPB is the cooperation body of the national data protection authorities, they are in fact highly relevant. We have a whole page explaining the method how such fines are calculated.