HmbBfDI (Hamburg) - Mitarbeiterexzess live on Twitch.tv
HmbBfDI - Mitarbeiterexzess live on Twitch.tv | |
---|---|
Authority: | HmbBfDI (Hamburg) |
Jurisdiction: | Germany |
Relevant Law: | Article 4 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Mitarbeiterexzess live on Twitch.tv |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | German |
Original Source: | Hamburg Data Protection Authority (in DE) |
Initial Contributor: | CBMPN |
The Hamburg DPA (HmbBfDI) imposed a fine on an employee of a financial institution who misused customer data to find the home address of a fellow player in an online first-person shooter video game.
English Summary
Facts
The incident occurred during a live-streamed session of the first-person shooter game Valorant on Twitch.tv. The streamer (controller), who also filmed himself, became increasingly frustrated with an opposing player (data subject) and made verbal threats. He then declared his intent to find the data subject's home address and confront him physically the next day.
The controller had access to the opponent’s real name and, due to his position at a financial institution, could access the company's customer database. He proceeded to search the database for the opponent’s information while streaming, providing intermittent updates on his progress. Although he avoided revealing specific personal data on stream, he explicitly stated that he had retrieved them. His search was ultimately successful, as he confirmed his intent to visit the data subject's home. However, no physical confrontation took place.
Holding
The HmbBfDI determined that the controller had misused his employer-given access to customer data, making him the responsible party under GDPR. This constituted an employee excess case, where business resources were used for private purposes.
The DPA imposed a fine under €10,000, considering the controller's financial standing, which he had openly discussed on stream.
The deliberate nature of the violation was an aggravating factor, as the controller was aware of the confidentiality obligations tied to customer data. The fine was accepted, and the case is legally binding.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Employee excess live on Twitch.tv
(Annual Report on Data Protection 2023 - HmbBfDI)
The HmbBfDI has imposed a fine on an employee of a credit institution who had requested personal data from an opponent in a video game live on the twitch.tv platform in order to visit him personally.
The live streaming video portal Twitch (twitch.tv) of Amazon.com, Inc. is primarily used to broadcast video games and interact with viewers in chat. Registered users can create their own channel and broadcast typically gameplay of various video games. In some cases, the players ("streamers") film themselves in order to improve interaction with their viewers. They comment on the game action via the chat function and can interact with other viewers and the streamer.
During the reporting period, such a video game broadcast gave rise to the initiation of administrative offence proceedings by the HmbBfDI: A streamer had broadcast gameplay of the video game Valorant, a free-to-play first-person shooter from Riot Games, and filmed himself doing so. In the video game Valorant, two groups of five players each compete against each other and try to eliminate each other. During the course of the game, the streamer became increasingly annoyed with a player from an opposing group and made verbal insults typical of the scene. After further emotionalisation, the streamer then announced his decision to find out where his opponent lived and to visit him the next day, threatening physical violence.
The streamer was able to find out where the other player lived for two reasons: Firstly, he was given the opponent's real name by one of his viewers. On the other hand, he held a prominent position in a credit institution and therefore had access to the credit institution's customer database. The streamer then carried out such a query of the customer database.
In particular, viewers of the stream were able to follow how the streamer carried out research on his iPad over a considerable period of time and regularly reported interim results on research successes. The streamer avoided disclosing specific personal data of the opponent from the database query, citing the fact that he was not allowed to reveal too much during the broadcast. Nevertheless, he made it explicitly clear that he had retrieved extensive personal data. The fact that the research was actually successful was also shown by the announced home visit the following day. Contrary to the Twitch streamer's announcements, there was no physical altercation.
The HmbBfDI imposed a fine in the mid-four-figure range on the streamer. Due to the misuse of the access rights granted by his employer, he was to be considered the person responsible. In this respect, it is an employee excess in which employees use business or official resources for their own (private) purposes and thus become responsible. The financial circumstances were to be used as the basis for the fine. These had to be estimated due to a lack of concrete information. The streamer had expressed objective indications for the estimate several times within his stream and repeatedly emphasized how well he was doing financially, especially in relation to his opponent. The intentional nature of the offense also had to be taken into account. The streamer knew that the employer's customer data was subject to banking secrecy and may only be used for business purposes. He accepted the fine and the decision is legally binding.