LfDI (Lower Saxony) - Volkswagen

From GDPRhub
LfDI - Volkswagen
Authority: LfDI (Lower Saxony)
Jurisdiction: Germany
Relevant Law: Article 13 GDPR
Article 28 GDPR
Article 30 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Published: 26.07.2022
Fine: 1,100,000 EUR
Parties: Volkswagen Aktiengesellschaft
National Case Number/Name: Volkswagen
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: lfd.niedersachsen.de (in DE)
Initial Contributor: n/a

The DPA of Lower Saxony fined Volkswagen €1,100,000 for violating Articles 13, 28, 35 and 30 GDPR by, among others, conducting test-drives of its vehicle with cameras attached without informing the other road users.

English Summary


A company (the processor) performed test-drives for Volkswagen (the controller). With these test-drives, Volkswagen wanted to check if its driver assistance system worked well so that more traffic accidents could be prevented in the future. There were cameras attached to the test vehicle to, among others, record the surrounding traffic situation for the purpose of error analysis. The vehicle was stopped in 2019 by the Austrian police near Salzburg. Due to the cross-border processing of personal data, the DPA involved other concerned DPAs in the cooperation procedure under Article 60 GDPR before issuing a decision.


First, the DPA held that Article 13 GDPR was violated as there were no magnetic signs with a camera symbol and the other prescribed information on the vehicle to inform the other road users of the processing of personal data.

Second, the DPA found that Volkswagen violated Article 28 GDPR by not concluding a processing agreement with the company carrying out the test-drives.

Third, the DPA held that Volkswagen violated Article 35 GDPR by not carrying out a data protection impact assessment prior to the processing.

Lastly, the DPA considered that Volkswagen infringed Article 30 GDPR by not listing its technical and organisational security measures in the records of its processing activities.

For these reasons, the DPA imposed a fine of €1,100,000 on Volkswagen. A relevant consideration in assessing the fine was the fact that Volkswagen cooperated with the DPA and immediately remedied the situation.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

The State Commissioner for Data Protection (LfD) Lower Saxony has imposed a fine of 1.1 million euros on Volkswagen Aktiengesellschaft in accordance with Article 83 of the General Data Protection Regulation (GDPR). The reason is data protection violations in connection with the use of a service provider for research trips for a driver assistance system to avoid traffic accidents. The company has cooperated extensively with the LfD Lower Saxony and accepted the fine notice.
A test vehicle from the company was stopped for a traffic check by the Austrian police near Salzburg in 2019. The police officers noticed unusual attachments on the vehicle, which turned out to be cameras on site. The vehicle was used to test and train the functionality of a driver assistance system to avoid traffic accidents. The traffic situation around the vehicle was recorded, among other things for error analysis.
Due to an accident, the vehicle was missing magnetic signs with a camera symbol and the other mandatory information for those affected by data protection law, in this case the other road users. According to Article 13 DS-GVO, they must be informed, among other things, about who is carrying out the processing, for what purpose and how long the data will be stored. Further investigation also revealed that Volkswagen had not concluded an order processing contract with the company that carried out the journeys. This would have been required under Article 28 GDPR. Furthermore, no data protection impact assessment according to Article 35 GDPR was carried out, with which possible risks and their containment must be assessed before such processing begins. Finally, there was no explanation of the technical and organizational protective measures in the list of processing activities, which constituted a violation of the documentation requirements under Article 30 GDPR.
These four low-severity violations, none of which are ongoing, are the subject of the fine. Volkswagen immediately remedied the defects that are not related to series vehicles as part of the previous test procedure.
"The actual research trips were not objectionable in terms of data protection law," says state data protection officer Barbara Thiel. "We have no concerns about the resulting collection and further processing of personal data." In particular, it was taken into account that the processing serves to optimize a driver assistance system to prevent accidents and thus increase road safety.
Due to the cross-border processing of personal data, the LfD involved other affected European data protection supervisory authorities in the cooperation procedure according to Article 60 DS-GVO before the fine was issued.
Press release as PDF download