LfDI (Baden-Württemberg) - 0523.1-2/3: Difference between revisions
mNo edit summary |
No edit summary |
||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 7: | Line 7: | ||
|DPA_With_Country=LfDI (Baden-Württemberg) | |DPA_With_Country=LfDI (Baden-Württemberg) | ||
|Case_Number_Name= | |Case_Number_Name=Fine EUR 300,000 against VfB Stuttgart 1893 AG | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1=LfDI | |Original_Source_Name_1=LfDI | ||
|Original_Source_Link_1=https:// | |Original_Source_Link_1=https://fragdenstaat.de/anfrage/bugeldbescheid-wegen-datenschutzverstoen-beim-vfb-stuttgart/603646/anhang/bugeldbescheid-vfb-stuttgart.pdf | ||
|Original_Source_Language_1=German | |Original_Source_Language_1=German | ||
|Original_Source_Language__Code_1=DE | |Original_Source_Language__Code_1=DE | ||
| Line 20: | Line 20: | ||
|Date_Published=10.03.2021 | |Date_Published=10.03.2021 | ||
|Year= | |Year= | ||
|Fine= | |Fine=300,000 | ||
|Currency=EUR | |Currency=EUR | ||
| Line 48: | Line 48: | ||
}} | }} | ||
The Baden-Württemberg DPA (LfDI) issued a fine of €300,000 on the soccer club VfB Stuttgart 1893 AG for neglectful breach of | The Baden-Württemberg DPA (LfDI) issued a fine of €300,000 on the soccer club VfB Stuttgart 1893 AG for neglectful breach of the accountability principle under Article 5(2) GDPR. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
In order to pursue the spin-off of the professional soccer department from "VfB Stuttgart 1893 e.V.", a registered association under German law, into a stock corporation ("VfB Stuttgart 1893 AG"), VfB Stuttgart 1893 e.V. transferred several tens of thousands of personal data of club members to an external service provider between 2016 and 2017. This included data of underage members who would have reached the age of 18 at the time of a general meeting at which a decision on the spin-off would be made. The soccer club also transferred an Excel spreadsheet with over 100,000 data records to the service provider after the GDPR came into force. | |||
At least until the time of the decision by the LfDI, VfB Stuttgart failed to provide a contractual basis for its cooperation with the service provider. Until then, it had not been documented by whom the service provider had originally been commissioned, what specific powers it had within VfB Stuttgart, and to what extent it had been given access to the personal data of members and employees. | |||
===Holding=== | ===Holding=== | ||
==== Limitation of the proceedings to one Violation ==== | |||
The LfDI limited the proceedings to a violation of Article 5(2) GDPR. Further proceedings regarding potential other violations of the GDPR were provisionally terminated pursuant to § 46 of the German Act on Regulatory Offences (OWiG) in conjunction with § 154(2) the German Code of Criminal Procedure (StPO). | |||
==== Violation of Article 5(2) GDPR ==== | |||
The LfDI decided that there was a violation of the accountability obligation according to Article 5(2) GDPR. | |||
This was based on the fact that due to an insufficient documentation of the contractual relationship with the external service provider and its powers within the club, the lawfulness of the data processing operations carried out could not be sufficiently verified or proven. | |||
For the assessment of the legal situation, it was irrelevant whether the above-mentioned data records had been sent to an internal VfB e-mail address of the service provider or to one of its external e-mail addresses. | |||
The infringement was attributed to VfB Stuttgart 1893 AG on the basis of the functional company concept applicable under the GDPR. Knowledge of the transactions by the Board of Management was not relevant. The LfDI assumed negligence. | |||
==== Fine Assessment ==== | |||
For the assessment of the fine, the LfDI, which applied the fine framework from Article 83(4) GDPR, initially relied on an understanding reached with the club during the investigation. According to this, it promised that the fine would be between approximately EUR 300,000 and 400,000, provided that the association confessed. | |||
Initially, the LfDI came to the conclusion that a fine in the middle of the aforementioned range would be appropriate. | |||
In favor of the controller, it was taken into account that | |||
# the breach was only negligent, | |||
# VfB Stuttgart simplified the investigation with a high level of cooperation and internal clarification efforts, and | |||
# the club made efforts to improve its data protection and data security management at an early stage and before the fine proceedings. | |||
Explicitly not to be taken into consideration was the worsened economic situation as a result of the Covid pandemic. | |||
To the detriment of VfB AG, it was taken into account that a significant number of individuals were affected and that their data had been transferred to a third party without a verifiable legal basis. | |||
However, the LfDI ultimately decided to impose a fine in the lower range (EUR 300,000) on the condition that VfB Stuttgart engage in social activities for young people in a manner determined by the LfDI. The club could choose between participating in an existing data protection project at schools, designing and conducting data protection training courses for the youth teams, or - if the aforementioned is not possible - making a donation to a non-profit organization in the field of data protection to be named by the LfDI. | |||
==Comment== | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
Revision as of 12:58, 16 June 2021
| LfDI - Fine EUR 300,000 against VfB Stuttgart 1893 AG | |
|---|---|
 | |
| Authority: | LfDI (Baden-Württemberg) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 5(2) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | |
| Published: | 10.03.2021 |
| Fine: | 300,000 EUR |
| Parties: | VfB Stuttgart 1893 AG |
| National Case Number/Name: | Fine EUR 300,000 against VfB Stuttgart 1893 AG |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | German |
| Original Source: | LfDI (in DE) |
| Initial Contributor: | Lejla Rizvanovik |
The Baden-Württemberg DPA (LfDI) issued a fine of €300,000 on the soccer club VfB Stuttgart 1893 AG for neglectful breach of the accountability principle under Article 5(2) GDPR.
English Summary
Facts
In order to pursue the spin-off of the professional soccer department from "VfB Stuttgart 1893 e.V.", a registered association under German law, into a stock corporation ("VfB Stuttgart 1893 AG"), VfB Stuttgart 1893 e.V. transferred several tens of thousands of personal data of club members to an external service provider between 2016 and 2017. This included data of underage members who would have reached the age of 18 at the time of a general meeting at which a decision on the spin-off would be made. The soccer club also transferred an Excel spreadsheet with over 100,000 data records to the service provider after the GDPR came into force.
At least until the time of the decision by the LfDI, VfB Stuttgart failed to provide a contractual basis for its cooperation with the service provider. Until then, it had not been documented by whom the service provider had originally been commissioned, what specific powers it had within VfB Stuttgart, and to what extent it had been given access to the personal data of members and employees.
Holding
Limitation of the proceedings to one Violation
The LfDI limited the proceedings to a violation of Article 5(2) GDPR. Further proceedings regarding potential other violations of the GDPR were provisionally terminated pursuant to § 46 of the German Act on Regulatory Offences (OWiG) in conjunction with § 154(2) the German Code of Criminal Procedure (StPO).
Violation of Article 5(2) GDPR
The LfDI decided that there was a violation of the accountability obligation according to Article 5(2) GDPR.
This was based on the fact that due to an insufficient documentation of the contractual relationship with the external service provider and its powers within the club, the lawfulness of the data processing operations carried out could not be sufficiently verified or proven.
For the assessment of the legal situation, it was irrelevant whether the above-mentioned data records had been sent to an internal VfB e-mail address of the service provider or to one of its external e-mail addresses.
The infringement was attributed to VfB Stuttgart 1893 AG on the basis of the functional company concept applicable under the GDPR. Knowledge of the transactions by the Board of Management was not relevant. The LfDI assumed negligence.
Fine Assessment
For the assessment of the fine, the LfDI, which applied the fine framework from Article 83(4) GDPR, initially relied on an understanding reached with the club during the investigation. According to this, it promised that the fine would be between approximately EUR 300,000 and 400,000, provided that the association confessed.
Initially, the LfDI came to the conclusion that a fine in the middle of the aforementioned range would be appropriate.
In favor of the controller, it was taken into account that
- the breach was only negligent,
- VfB Stuttgart simplified the investigation with a high level of cooperation and internal clarification efforts, and
- the club made efforts to improve its data protection and data security management at an early stage and before the fine proceedings.
Explicitly not to be taken into consideration was the worsened economic situation as a result of the Covid pandemic.
To the detriment of VfB AG, it was taken into account that a significant number of individuals were affected and that their data had been transferred to a third party without a verifiable legal basis. However, the LfDI ultimately decided to impose a fine in the lower range (EUR 300,000) on the condition that VfB Stuttgart engage in social activities for young people in a manner determined by the LfDI. The club could choose between participating in an existing data protection project at schools, designing and conducting data protection training courses for the youth teams, or - if the aforementioned is not possible - making a donation to a non-profit organization in the field of data protection to be named by the LfDI.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Fine proceedings against VfB Stuttgart 1893 AG end with the imposition of a fine. LfDI Stefan Brink: “In addition to the noticeable fine, VfB is making significant organizational and technical improvements in data protection. In addition, happily, those responsible are planning to become involved in clarifying data protection issues in the future, with which young people in particular are to be addressed. " The State Commissioner for Data Protection and Freedom of Information, Stefan Brink, concludes the proceedings against VfB Stuttgart 1893 AG and imposes a fine of 300,000 euros for negligent breach of accountability under data protection law in accordance with Art. 5 (2) GDPR. The responsible persons at VfB Stuttgart 1893 eV and VfB Stuttgart 1893 AG supported the educational and investigative measures of the state commissioner, promoted them on their own initiative and cooperated extensively with the authority of the state commissioner. In addition to paying the fine and the costly restructuring and improvement of its data protection management, VfB Stuttgart 1893 AG, in coordination with the LfDI, is taking measures to make young people aware of data protection issues. The VfB is promoting the “Data Protection Goes to School” project by supporting public relations work for regional school days of action and by making videos suitable for children and young people to raise awareness of data protection issues. In addition, the VfB designs training courses for the youth soccer teams U10 to U21 on the subject of “data protection among young people”. LfDI Stefan Brink: “By issuing this notice of fines, we are concluding a procedure that was also unusual for us as a supervisory authority. It was not only the subject of our proceedings that was unusual, but above all the public and media interest associated with it. Unusual was also the extent of the interest in clarification evidenced by the involvement of Esecon and the willingness of the VfB to cooperate with our authority. " This procedure results in a good chance, continues Stefan Brink, that VfB Stuttgart will be better positioned in the future when it comes to dealing fairly with members' data. “Even if we weren't able to fully investigate all publicly discussed processes with a view to the statute of limitations, the result that has now been mutually agreed is convincing: In addition to the noticeable fine, the VfB ensures considerable organizational and technical improvements in terms of data protection. In addition, happily, those responsible are planning to become involved in clarifying data protection issues in the future, with which young people in particular are to be addressed. " The investigations against VfB Stuttgart 1893 eV and VfB Stuttgart 1893 AG are concluded with the issuance of the notice of fines.
