In a press release published on July 26, 2022, the Lower Saxony State Commissioner for Data Protection announced that a fine of 1.1 million euros had been imposed on VW due to several data protection violations.

The violations were noticed during a routine traffic check in Salzburg, Austria, in 2019. While inspecting the test vehicle, the police officers noticed several cameras installed on the vehicle. These recorded traffic events around the vehicle, enabling the assistance systems installed in the vehicle to be analyzed and improved.

In principle, this type of recording, which serves among other things to improve road safety and prevent accidents, is not objected to by data protection authorities. However, only if and to the extent that the data protection regulations are complied with. In VW’s case, the data protection commissioner identified four minor violations that justify a fine:

The first infringement is the inadequate marking of the test vehicle. It should have been equipped with magnetic information signs to inform other road users about the recording. Furthermore, the information signs should have contained the information specified in Article 13 of the GDPR. This should inform the road user about the name of the person responsible, the purpose of the recording and any right of objection.

Likewise, VW should have concluded a data processing agreement with the company that carried out the drive. This specifies the rights and obligations in dealing with the collected data.

Furthermore, when testing new technologies (in this case, for example, extensive camera technology and sensor technology of the vehicle), a data protection impact assessment must be carried out in accordance with Art. 35 of the GDPR. The risks to personal data arising from the use of the technology are to be weighed up and contained.

Finally, the record of processing activities pursuant to Article 30 of the GDPR was also defective. This is an internal company document in which all processing operations involving the use of personal data must be recorded. In addition, protective measures should also be noted here to prevent misuse of the collected data.

Although VW has cooperated extensively with the data protection authorities in clarifying the allegations, a fine of 1.1 million euros was nevertheless imposed. This sum results from the fine calculation method of Art. 83 DS-GVO. This states that certain violations should be sanctioned depending on the previous year’s turnover (in the case of Volkswagen AG, this is 250 billion euros). As a result, data protection violations can become expensive very quickly, even for large companies. The case also shows the importance of data processing agreements, records of processing activities and data protection impact assessments in practice.