A recent fine imposed on Volkswagen by a German Data Protection Commissioner, for multiple GDPR violations amounted to €1.1 million.
The State Commissioner for Data Protection in the German state of Lower Saxony (LfD Lower Saxony) has imposed a fine of €1.1 million on Volkswagen Aktiengesellschaft in accordance with GDPR Article 83. The fine is as a result of multiple data protection violations in connection with the use of a service provider for research trips, for testing a driver assistance system which aids in avoiding traffic accidents. Due to the cross-border processing of personal data, other affected data protection supervisory authorities across Europe were involved in the decision making process before this fine was issued, in accordance with Article 60 DS-GVO. Volkswagen has cooperated extensively with the LfD Lower Saxony and accepted the fine. The company also immediately remedied the defects that are not related to series vehicles as part of the previous test procedure.
During a traffic stop, law enforcement observed cameras on a vehicle which lacked signage informing affected persons of the recording.
In 2019, a test vehicle from the company was observed during a traffic stop by Austrian law enforcement near Salzburg. The officers noticed unusual attachments, which turned out to be cameras on the vehicle, which was, at the time, being used to test and train the functionality of a driver assistance system to avoid traffic accidents. These cameras recorded the traffic conditions around the vehicle, among other things for the purposes of error analysis. However, due to a prior accident, the vehicle was missing magnetic signs with a camera symbol and the other mandatory information, intended to communicate with other road users. According to Article 13 DS-GVO, those affected by data protection law must be informed, among other things, about who is carrying out the processing, for what purpose and for how long the data will be stored. This was not being done in this case, resulting in a violation of data protection law.
Volkswagen failed to conclude an order processing contract with a subcontractor and to perform a data protection impact assessment.
Upon further investigation, it was also revealed that Volkswagen failed to conclude an order processing contract with the company carrying out these journeys. This is required under Article 28 GDPR. Among other stipulations, GDPR Article 28 stipulated that a “processor shall not engage another processor without prior specific or general written authorisation of the controller.” In addition, the company also neglected to perform a data protection impact assessment as required under Article 35 GDPR. Article 35 states that “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.