A recent fine imposed on Volkswagen by a German Data Protection Commissioner for multiple GDPR violations amounted to €1.1 million.
The State Commissioner for Data Protection in the German state of Lower Saxony (LfD Lower Saxony) has imposed a fine of €1.1 million on Volkswagen Aktiengesellschaft in accordance with Article 83 GDPR. The fine results from multiple data protection violations in connection with the use of a service provider for research trips, which were carried out to test a driver assistance system that helps avoid traffic accidents. Because the processing of personal data was cross-border, the other affected data protection supervisory authorities across Europe were involved in the decision-making process before the fine was issued, in accordance with Article 60 DS-GVO. Volkswagen cooperated extensively with the LfD Lower Saxony and accepted the fine. The company also immediately remedied the defects, which related to the earlier test procedure and not to series (production) vehicles.
During a traffic stop, law enforcement observed cameras on a vehicle that lacked the signage informing affected persons of the recording.
In 2019, a test vehicle belonging to the company was stopped by Austrian law enforcement near Salzburg. The officers noticed unusual attachments, which turned out to be cameras; at the time, the vehicle was being used to test and train a driver assistance system for avoiding traffic accidents. The cameras recorded the traffic conditions around the vehicle, among other things for the purpose of error analysis. However, following an earlier accident, the vehicle was missing the magnetic signs bearing a camera symbol and the other mandatory information intended to inform other road users. Under Article 13 DS-GVO, data subjects must be informed, among other things, of who is carrying out the processing, for what purpose, and for how long the data will be stored. This was not done in this case, which constituted a violation of data protection law.
Volkswagen failed to conclude an order processing contract with a subcontractor and to perform a data protection impact assessment.
Upon further investigation, it was also revealed that Volkswagen had failed to conclude an order processing contract with the company carrying out these journeys, as required under Article 28 GDPR. Among other requirements, Article 28 GDPR stipulates that a “processor shall not engage another processor without prior specific or general written authorisation of the controller.” In addition, the company neglected to perform a data protection impact assessment as required under Article 35 GDPR. Article 35 states that “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
The Hamburg Commissioner for Data Protection and Freedom of Information has announced an end to pandemic-related data collection and storage.
Many of the legal measures implemented to contain the coronavirus pandemic have recently come to an end in Hamburg, as the Hamburg hotspot regulation expired on April 30, 2022. As these regulations are lifted, the obligations and powers to collect personal data are gradually being removed with them. Companies and public authorities in Hamburg are now expected to stop all pandemic-related data collection and are encouraged to use this phase of the pandemic as an opportunity to take stock of their “corona data”. Companies are asked to check their existing databases and delete all data that is no longer required. Retaining data in case the situation worsens again is now considered unnecessary and, with the legal basis ceasing to apply, is no longer permissible.
Employee data collected under the 3G rule in Germany must be deleted.
The obligation to delete data applies in particular to all employers who previously queried the status of their employees under the German “3G rule”. This rule required employees to provide health data, specifically their COVID-19 status with regard to vaccination, recovery, or a negative test result. Entertainment venues, such as restaurants or cinemas, are also now required to delete any contact data of guests that may have been recorded in the context of the pandemic.
The Hamburg Commissioner for Data Protection and Freedom of Information says that special categories of data collected in the context of the pandemic must now be deleted.
There has now been an official call to delete all sensitive health data collected throughout Germany in the context of the pandemic, now that the regulations which provided the legal basis for collecting and storing this data have expired. Thomas Fuchs, the Hamburg Commissioner for Data Protection and Freedom of Information, was quoted in a recent report as saying: “In the last two years we have experienced an exceptional situation in many respects. Special categories of data were also collected on a large scale. These were significant encroachments on fundamental rights, which can be justified in the context of the pandemic. With the expiry of the legal powers, this collected data must now be deleted. In some cases, we observe attempts to maintain surveillance practices or to retain collected data for other purposes and contingencies. Here it is important to do educational work and, if necessary, to intervene in a supervisory manner.”
A newly adopted German law regulates ePrivacy and data protection in telecommunications and telemedia.
Last month, the German parliament adopted a new law regulating ePrivacy and data protection in telecommunications and telemedia. Previously, the laws governing German data protection contained partially contradictory provisions, which led to legal uncertainty on various matters. Data protection and privacy questions were typically split between two laws, the Telemedia Act and the Telecommunications Act, until May 20th, when the Data Protection Act was passed. This act aims to unify the country’s rules and bring them in line with the EU’s GDPR. The new law, commonly known as the TTDSG, could however soon be superseded by European law, as discussions on the new ePrivacy Regulation intensify.
Fibre optics use and development stand to benefit from this new German law.
Germany currently lags behind most EU countries in fibre optics use and development, with only 4.7% of broadband connections being fibre optic. In many European countries, such as Sweden, Lithuania and Spain, fibre optic connections account for between 69% and 75% of broadband. Fibre optics provide dedicated synchronous Internet bandwidth that is not shared with any other Internet client. Fibre is generally faster and more reliable, allowing faster downloads. The Telecommunications Act sets clear standards for the entitlement to Internet access, based on “80% of the Internet speed used by consumers in upload and download,” according to MP Falko Mohrs. The amendment not only solidifies the legal right to Internet access, but also contains a list of other services. These include interference-free support for video conferencing, which is essential to citizens’ ability to participate in the digital world. By introducing this benchmark, Mohrs believes, the fibre-isation of the country is being driven forward. The benchmark is set and reviewed annually in collaboration with the country’s network agency.
German court: Facebook’s data practices breach competition law because of how it collects data across its suite of apps and from external websites.
Germany has struck at Facebook’s business model: the German Competition Authority (Bundeskartellamt) has launched an inquiry, through its local court, into the data collection practices of the social media and data collection giant. Germany is the first major EU country to launch any legal action against the company, particularly since the recent implementation of the GDPR. Specifically, Facebook’s ability to provide detailed marketing data to companies willing to pay for it is now greatly hindered, as the company is being limited in collecting data from, and integrating it across, its full suite of apps. In a recent article, Politico reported that the Bundeskartellamt has ruled that German citizens will have to explicitly and knowingly consent to cross-app data integration by Facebook.
While Facebook has not been found guilty of data protection malpractice under the GDPR, its practices breached Germany’s national privacy rules.
The Cambridge Analytica revelations showed that this kind of data integration had a marked effect on important political outcomes such as Brexit and the 2016 US elections. Targeted ads may cause more harm than is generally perceived, and Germany is the first country to seek to protect its citizens from this. It is important to note that Facebook has not been found guilty of data protection malpractice under the GDPR: the decision was made under Germany’s national privacy rules, not the EU’s. The EU is still keeping a watchful eye on the proceedings, as Facebook has the opportunity to fight the decision or suspend the case, and a final decision has yet to be made. The GDPR states that data subjects must give “freely given, specific, informed and unambiguous” consent where data is used for commercial purposes.
Facebook is the only company thus far found to be in breach of Germany’s competition law.
So far the Bundeskartellamt has targeted only Facebook with this wave of action, owing to its wide monopoly on social media in Germany: it accounts for over eighty percent of monthly active social media users in the country. YouTube, Twitter and Snapchat were all seen as secondary and were not subject to any legal action. These companies will nevertheless be taking note of these policy changes, as they could affect how they operate in the future and may prevent an integrated platform like Facebook’s (at least in Germany) under these restrictions. Facebook will need to implement the decision over the next 12 months.
The EU may be forced to implement new protocols for the GDPR.
Companies with existing competition and data privacy lawsuits and open decisions, such as Google and Amazon, are keenly affected by this type of legislative change as well. If the Bundeskartellamt finds that these data integration practices cause major detriment, the EU may be forced to implement new protocols for the GDPR and police these data collection services more diligently, as some have already been accused of seeking consent in deceptive ways, being unclear about data use, or only vaguely outlining the detail or extent of the data being collected. The impact this could have on e-commerce in Europe is well worth paying attention to, especially since the GDPR is one of the most widely referenced examples of a good starting point for current standards in data protection policy.
According to Cristina Contero Almagro, Partner at Aphaia, “Combining data from different sources requires at least to put in place a Data Protection Impact Assessment first. Apart from that, it is deemed profiling, so it may be subject to Article 22 GDPR requirements, plus additional guarantees should be applied due to its commercial purpose”.