In a press release published on 26 July 2022, the Lower Saxony State Commissioner for Data Protection announced its decision to fine Volkswagen AG (VW) €1.1 million due to several data protection violations.
The violations were noticed during a routine traffic check in Salzburg, Austria, in 2019. While inspecting the test vehicle, the police officers noticed several cameras installed on the vehicle. These recorded traffic events around the vehicle, enabling the assistance systems installed in the vehicle to be analysed and improved.
In principle, data protection authorities do not object to this type of recording, which serves among other things to improve road safety and prevent accidents. However, it is allowed only if and to the extent that the data protection regulations are complied with. In VW's case, the data protection commissioner identified four minor violations that justified a fine.
The first infringement was the inadequate marking of the test vehicle, which should have been equipped with magnetic information signs to inform other road users about the recording. Further, the information signs should have contained the information specified in article 13 of the General Data Protection Regulation (GDPR). This should inform the road user about:
- the name of the person responsible;
- the purpose of the recording; and
- any applicable right of objection.
Likewise, VW should have concluded a data processing agreement with the company that carried out the drive. This specifies rights and obligations when dealing with the collected data.
Further, when testing new technologies (in this case, for example, the extensive camera technology and sensor technology of the vehicle), a data protection impact assessment must be carried out in accordance with article 35 of the GDPR. The risks to personal data arising from the use of the technology are to be weighed up and contained.
Finally, the record of processing activities pursuant to article 30 of the GDPR was also defective. This is an internal company document in which all processing operations that involve the use of personal data must be recorded. In addition, protective measures should also be noted here to prevent misuse of the collected data.
Although VW has cooperated extensively with the data protection authorities in clarifying the allegations, it has still been fined €1.1 million. This sum results from the fine calculation method of in article 83 of the GDPR. This states that certain violations should be sanctioned depending on the previous year's turnover (in the case of VW, the turnover for 2021 was €250 billion). As a result, data protection violations can become expensive very quickly, even for large companies. The case also shows the importance of data processing agreements, records of processing activities and data protection impact assessments in practice.
For further information on this topic please contact Thomas Hertl at Arnecke Sibeth Dabelstein by telephone (+49 69 979885-252) or email ([email protected]). The Arnecke Sibeth Dabelstein website can be accessed at www.asd-law.com.