LfDI (Lower Saxony) - Volkswagen

From GDPRhub
Revision as of 08:19, 17 August 2022 by Ea (talk | contribs)
LfDI - Volkswagen
LogoDE-NI.jpg
Authority: LfDI (Lower Saxony)
Jurisdiction: Germany
Relevant Law: Article 13 GDPR
Article 28 GDPR
Article 30 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 26.07.2022
Fine: 1100000 EUR
Parties: Volkswagen Aktiengesellschaft
National Case Number/Name: Volkswagen
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: lfd.niedersachsen.de (in DE)
Initial Contributor: n/a

The DPA of Lower Saxony fined Volkswagen €1,100,000 for violating Articles 13, 28, 35 and 30 GDPR in relation to research trips.

English Summary

Facts

A service provider performed research trips for Volkswagen. With these research trips they wanted to check if the assistance system for the driver worked so that accidents in the traffic can be avoid through it. During the research trips there were cameras on the car that filmed what happened in the traffic. During a traffic control in Austria in 2019 the police took note of such a car. There were no hints on the car in sense of Art. 13 GDPR. The DPA also found out that VW violated Art. 28 and Art. 35 GDPR as VW had neither concluded an order processing contract with the service provider nor made a data protection impact assessment. VW has not declared the technical and organizational protection measures in its processing list according to Art. 30 GDPR.

VW stopped the violations immediately in the process.

Holding

The Data Protection Commissioner Barbara Thiel held that there are no doubts regarding the actual research trips itself. Important for that was that the data processing aimed for avoiding accidents and insofar for the security on the road.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

The State Commissioner for Data Protection (LfD) Lower Saxony has imposed a fine of 1.1 million euros on Volkswagen Aktiengesellschaft in accordance with Article 83 of the General Data Protection Regulation (GDPR). The reason is data protection violations in connection with the use of a service provider for research trips for a driver assistance system to avoid traffic accidents. The company has cooperated extensively with the LfD Lower Saxony and accepted the fine notice.
A test vehicle from the company was stopped for a traffic check by the Austrian police near Salzburg in 2019. The police officers noticed unusual attachments on the vehicle, which turned out to be cameras on site. The vehicle was used to test and train the functionality of a driver assistance system to avoid traffic accidents. The traffic situation around the vehicle was recorded, among other things for error analysis.
Due to an accident, the vehicle was missing magnetic signs with a camera symbol and the other mandatory information for those affected by data protection law, in this case the other road users. According to Article 13 DS-GVO, they must be informed, among other things, about who is carrying out the processing, for what purpose and how long the data will be stored. Further investigation also revealed that Volkswagen had not concluded an order processing contract with the company that carried out the journeys. This would have been required under Article 28 GDPR. Furthermore, no data protection impact assessment according to Article 35 GDPR was carried out, with which possible risks and their containment must be assessed before such processing begins. Finally, there was no explanation of the technical and organizational protective measures in the list of processing activities, which constituted a violation of the documentation requirements under Article 30 GDPR.
These four low-severity violations, none of which are ongoing, are the subject of the fine. Volkswagen immediately remedied the defects that are not related to series vehicles as part of the previous test procedure.
"The actual research trips were not objectionable in terms of data protection law," says state data protection officer Barbara Thiel. "We have no concerns about the resulting collection and further processing of personal data." In particular, it was taken into account that the processing serves to optimize a driver assistance system to prevent accidents and thus increase road safety.
Due to the cross-border processing of personal data, the LfD involved other affected European data protection supervisory authorities in the cooperation procedure according to Article 60 DS-GVO before the fine was issued.
Press release as PDF download