In our response to the EDPB’s Guidelines on calculation of fines, we note that the EDPB appears to emphasise setting GDPR fines at a level that effectively deters future non-compliance whilst we would prefer similar attention to ensuring the proportionality of GDPR penalties. This would require admitting mitigating effects to the absence of (any) previous infringements, the ordinary cooperation with Data Protection Authorities and the cessation or termination of the infringement as soon as the supervisory authority intervenes, among others.

We also invite the EDPB to clarify example 1a , that describes the collection and storage of creditworthiness data by a financial institution. The example generates the perception that such activities might be unlawful, which is not justified.