EUR 1,1 Million GDPR Fine Imposed on Volkswagen
In a decision published on 26 July 2022, Austrian data protection authority established that Volkswagen was in violation of Articles 13, 28, 35 and 30 of the GDPR.
The problem was initially discovered by the Austrian police when Volkswagen’s test car was stopped for a traffic control. The police noticed an unusual extension on the vehicle, which turned out to be cameras that recorded traffic around the vehicle in order to test and train the driving assistance system for avoiding traffic accidents.
However, there was no sign on the vehicle, so other drivers were not informed that their personal data were being processed, who was processing the data, for what purpose and how long the data would be stored. More violations were found in the lack of a data protection impact assessment (DPIA) and data processing agreement with the service provider that carried out the test drives.
Lastly, in the register of processing activities, there was no description of technical and organizational security measures which have to be implemented pursuant to Article 32 of the GDPR.
Besides these low-severity violations, no issues were identified with regard to collection and further processing of personal data. In line with Article 83 of the GDPR, when determining the amount of the fine, the supervising authority also considered the meaningful purpose of recording (increasing road safety), and the fact that Volkswagen cooperated during the proceeding and immediately remedied the defects.
The problem was initially discovered by the Austrian police when Volkswagen’s test car was stopped for a traffic control. The police noticed an unusual extension on the vehicle, which turned out to be cameras that recorded traffic around the vehicle in order to test and train the driving assistance system for avoiding traffic accidents.
However, there was no sign on the vehicle, so other drivers were not informed that their personal data were being processed, who was processing the data, for what purpose and how long the data would be stored. More violations were found in the lack of a data protection impact assessment (DPIA) and data processing agreement with the service provider that carried out the test drives.
Lastly, in the register of processing activities, there was no description of technical and organizational security measures which have to be implemented pursuant to Article 32 of the GDPR.
Besides these low-severity violations, no issues were identified with regard to collection and further processing of personal data. In line with Article 83 of the GDPR, when determining the amount of the fine, the supervising authority also considered the meaningful purpose of recording (increasing road safety), and the fact that Volkswagen cooperated during the proceeding and immediately remedied the defects.