EU Enforcement Update: Volkswagen Fined 1.1 Million Euros for GDPR Violations During Test Drives

August.02.2022

On 26 July 2022, the Lower Saxony data protection authority ("Lower Saxony DPA") announced that it has imposed a fine of 1.1 million euros on Volkswagen ("VW") due to GDPR violations.

It found that VW has violated data protection regulations when it tested a driving assistance system while using a service provider in 2019. VW has accepted the fine.

VW conducted vehicle outings using a test car, on which cameras were attached, for testing and training a driving assistance system designed for preventing traffic accidents. The cameras recorded the traffic around the car, inter alia, for error analysis. In 2019, the car was stopped by Austrian police near Salzburg for a traffic check, as police officers had noticed the unusual attachments.

Following an investigation, the Lower Saxony DPA found that VW had violated the GDPR in four ways:

  1. Signs with a camera symbol and the other prescribed information for the data subjects (the other road users) were missing due to an oversight. This violated Article 13 GDPR, pursuant to which, when data is processed, the data subjects must be informed, inter alia, about who is carrying out the processing as well as the purpose of the processing and the period for which the personal data will be stored.
  2. VW did not enter a data processing agreement with the service provider who carried out the test. This constituted a violation of Article 28 GDPR.
  3. In breach of Article 35 GDPR, no data protection impact assessment had been carried out, in which the possible risks and their mitigation should have been assessed before data processing began.
  4. There was no explanation of the technical and organizational protection measures in the records of processing activities. This constituted a breach of the requirements under Article 30 GDPR.

VW immediately remedied these violations and cooperated fully with the Lower Saxony DPA.

The Lower Saxony DPA deemed these violations to have a low level of severity. It also pointed out that it has no objections to the collection and processing of personal data during such test drives, also taking into consideration that the processing serves to optimize a driving assistance system designed to prevent accidents and increase road safety.

Despite this rather mild assessment, the Lower Saxony DPA—after cooperating with the other European data protection authorities concerned pursuant to Article 60 GDPR—imposed the substantial fine of 1.1 million euros on VW. This shows that even GDPR violations of relatively low severity may nevertheless lead to substantial fines by data protection authorities.