By Dave McKay | August 19, 2022
Volkswagen Fined €1,100,000 For Silly Mistakes
A third-part hired by Volkswagen conducted some vehicle test-drives for them. Volkswagen were the data controller, the third-party were their data processor. The vehicles in question were testing anew type of driver-assist. Specifically, the system used video input to robotic vision units to monitor what the traffic around the car, so that it could gauge whether corrective action needed to be taken.
The vehicle was driven across the border into Austria, and was stopped by police near Salzburg. Crossing the border meant that multiple Data Protection Authorities were involved.
Volkswagen were found to be in breach of several GDPR Articles:
- 13: Information to be provided where personal data are collected from the data subject
- 28: Data Processors
- 30: Records of processing activities
- 35: Data protection impact assessment
All of this was so easily avoidable.
The transgressions were:
- Article 13 was violated because the public were not informed that the recording was taking place. Magnetic signs stuck to the car with a camera symbol and other required information on them would have been sufficient.
- Article 28 was violated because there was no controller-processor data processing agreement in place between Volkswagen and the third-party processor.
- Article 35 was violated because Volkswagen didn’t do a data protection impact assessment before the data gathering began.
- Article 30 was violated because Volkswagen’s technical and organisational security measures were not listed in its records of its processing activities.
All in all, a costly set of elementary errors.
Source: Niedersachsen