EU Enforcement Update: Volkswagen Fined 1.1 Million Euros for GDPR Violations During Test Drives

August.02.2022

On 26 July 2022, the Lower Saxony data protection authority ("Lower Saxony DPA") announced that it has imposed a fine of 1.1 million euros on Volkswagen ("VW") due to GDPR violations.

It found that VW has violated data protection regulations when it tested a driving assistance system while using a service provider in 2019. VW has accepted the fine.

VW conducted vehicle outings using a test car, on which cameras were attached, for testing and training a driving assistance system designed for preventing traffic accidents. The cameras recorded the traffic around the car, inter alia, for error analysis. In 2019, the car was stopped by Austrian police near Salzburg for a traffic check, as police officers had noticed the unusual attachments.

Following an investigation, the Lower Saxony DPA found that VW had violated the GDPR in four ways:

Signs with a camera symbol and the other prescribed information for the data subjects (the other road users) were missing due to an oversight. This violated Article 13 GDPR, pursuant to which, when data is processed, the data subjects must be informed, inter alia, about who is carrying out the processing as well as the purpose of the processing and the period for which the personal data will be stored.
VW did not enter a data processing agreement with the service provider who carried out the test. This constituted a violation of Article 28 GDPR.
In breach of Article 35 GDPR, no data protection impact assessment had been carried out, in which the possible risks and their mitigation should have been assessed before data processing began.
There was no explanation of the technical and organizational protection measures in the records of processing activities. This constituted a breach of the requirements under Article 30 GDPR.

VW immediately remedied these violations and cooperated fully with the Lower Saxony DPA.

The Lower Saxony DPA deemed these violations to have a low level of severity. It also pointed out that it has no objections to the collection and processing of personal data during such test drives, also taking into consideration that the processing serves to optimize a driving assistance system designed to prevent accidents and increase road safety.

Despite this rather mild assessment, the Lower Saxony DPA—after cooperating with the other European data protection authorities concerned pursuant to Article 60 GDPR—imposed the substantial fine of 1.1 million euros on VW. This shows that even GDPR violations of relatively low severity may nevertheless lead to substantial fines by data protection authorities.

Authors

Henry Wu Managing Associate, Technology Transactions, Propriété intellectuelle

Dusseldorf

See my bio

D:+49 211 3678 7168
E: [email protected]

Practice:

Technology Transactions
Propriété intellectuelle
Patents
Trade Secrets Litigation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Henry Wu Managing Associate

Dusseldorf

Henry represents clients on business transactions involving IP and data protection aspects, including licensing and technology transfers, mergers and acquisitions, venture and other strategic transactions that involve the commercialization of IP.

He also advises his clients on strategic IP protection and enforcement, in particular in the field of patent, trademark and copyright law.

Prior to joining Orrick, Henry was an attorney with a law firm focusing on trademark, competition and media law.

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Dusseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Dusseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia conseille en matière de conformité au règlement RGPD et aux autres réglementations liées à la protection des données en lien avec les régulateurs concernés en France et dans l'UE.

Spécialiste de l'économie des plateformes et des secteurs de l’internet et des nouvelles technologies, elle conseille une clientèle d’opérateurs étrangers qui souhaitent s'implanter en France ainsi que des entreprises françaises dans leur développement à l'étranger.

En outre, lors d’opérations de fusions-acquisitions comportant des enjeux technologiques importants et complexes, elle intervient dans la rédaction et la négociation d’accords portant sur le transfert de données, l’informatique, les logiciels, le contenu et les licences de marque.

Avant de rejoindre Orrick, elle a travaillé pendant dix-sept ans pour de grandes sociétés des secteurs de l’Internet et des réseaux sociaux, dont le Financial Times, CBS Interactive et Twitter et a collaboré au sein d’un cabinet d’avocats français de premier plan.

Kelly Hagedorn Partner, Cyber, Privacy & Data Innovation, Conformité & Règlementation

Londres

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Conformité & Règlementation
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

Londres

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Related Areas

Markets

Germany