The Lower Saxony data protection authority has sentenced VW to a million fine for data protection violations in the context of research trips with cameras.
Research drives for a driver assistance system to avoid traffic accidents are expensive for Volkswagen. The Wolfsburg-based carmaker has to pay a fine of 1.1 million euros because the group and a service provider used in the VW test vehicle did not take data protection very seriously and used surveillance cameras without the necessary identification. The Lower Saxony data protection officer Barbara Thiel ultimately recognized several violations of the General Data Protection Regulation (GDPR) and therefore imposed the not inconsiderable penalty.
The Austrian police checked the test vehicle near Salzburg in 2019 as part of the usual traffic surveillance. According to the Lower Saxony data protection authority, the officials noticed “unusual extensions” on the car, which turned out to be cameras on site. These were used, among other things, for error analysis and recorded the traffic situation around the vehicle.
Four GDPR violations
“Due to an oversight”, the car was missing warning magnetic signs with a camera symbol and the other prescribed information for those affected by data protection law, the supervisory authority said. According to Article 13 GDPR, the other road users should have been informed about the purpose of the data processing carried out and the period for the storage of the personal information.
Upon further investigation, the auditors found that Volkswagen had not entered into an order processing agreement with the company that carried out the journeys. Such would have been necessary according to Article 28 GDPR. Furthermore, the responsible persons had not carried out a data protection impact assessment according to Article 35 DSGVO in order to assess possible risks and their containment in advance. Finally, there was no explanation of the technical and organizational protective measures in the list of processing activities, which the inspectors assessed as a violation of the documentation requirements under Article 30 GDPR.
The data protection authority speaks of a total of four violations “each with a low degree of severity”, all of which were quickly remedied: VW immediately eliminated the defects that were not related to series vehicles as part of the test procedure.
VW accepted penalty
“The actual research trips were not objectionable in terms of data protection law,” explained Thiel. “We have no objections to the resulting collection and further processing of personal data.” When determining the amount of the fine, the supervisory authority also took into account that the tests with the personal information served to optimize a driver assistance system, thereby potentially avoiding accidents and thus increasing road safety.
Due to the cross-border nature of the case, before the fine was issued, Thiel involved other affected European data protection supervisory authorities in the GDPR cooperation procedure, which ultimately supported the decision. According to data protection officers from Lower Saxony, VW has cooperated extensively and has already accepted the fine. The Hamburg data protection authority imposed the highest GDPR sanction in Germany to date at over 35 million euros in 2020 on the clothing retailer H&M. The EU-wide highest penalty hit Amazon Europe in Luxembourg with 746 million euros.
(axk)
