The Lower Saxony Data Protection Authority has imposed a €1.1 million financial penalty on Volkswagen for violations of four Articles of the EU General Data Protection Regulation (GDPR).
The fine relates to violations of the GDPR by Volkswagen during the testing of its new driving assistance system in 2019. During test drives, cameras were attached to a vehicle which recorded images from the surroundings. The footage was used for testing and training the system. The aim of the systems was to improve driver safety by helping to prevent traffic accidents.
The vehicle was stopped by law enforcement in Austria during a test when officers saw strange attachments to the vehicle. The Lower Saxony Data Protection Authority investigated and determined the testing violated the GDPR as the cameras were recording footage that included the personal data of EU data subjects, and that information was processed without the data subjects being informed. Before any processing of personal data, individuals must be informed about who is processing the information, for what purpose the processing is taking place, and for how long the data will be processed and stored. Signs were not used to confirming that cameras were being used, which violated Article 13 of the GDPR.
Volkswagen used a service provider to conduct the tests but was discovered not to have entered into a data processing agreement with the service provider, which was in violation of Article 28 of the GDPR. A data protection impact assessment is required by Article 35 of the GDPR to determine whether the processing of data was likely to result in a high risk to the rights and freedoms of natural persons. The impact assessment had not been carried out prior to the test being performed.
Article 30 of the GDPR requires technical and organizational protection measures to be documented in the records of processing activities, but there was no explanation detailed in the records. When the Lower Saxony Data Protection Authority notified Volkswagen of these violations, steps were immediately taken to address the issues, and Volkswagen cooperated fully with the investigation.
These were considered to be low-severity violations of the GDPR, and the Lower Saxony Data Protection Authority said that it did not object to the tests and the collection and processing of data, but that whenever personal data is collected and processed, compliance with the GDPR is necessary. The decision to impose a financial penalty was taken after consultation with other Data Protection Authorities in Europe. Volkswagen did not contest the penalty.