
Volkswagen successfully defends itself against high GDPR fine and warnings

Volkswagen was able to refute the accusation of violations of the GDPR in court.

The GDPR proceedings against Volkswagen have come to a rather curious end. The automotive group had appealed against both a fine of 4.3 million euros and several warnings issued by the State Commissioner for Data Protection of Lower Saxony (LfD). The Hanover Regional Court overturned the fine because it could not establish a serious GDPR violation, and the public prosecutor's office ultimately had to withdraw its appeal against that judgment because of a missing signature. More interesting from a legal perspective, however, is the ruling of the Hanover Administrative Court, which found in favor of VW in two of the five warnings.

Reappraisal of the diesel scandal with data protection consequences

As part of the investigation into the diesel scandal, Volkswagen AG (VW) reached several settlements with criminal and civil authorities in the USA in order to end ongoing proceedings and prevent further legal risks. Part of these settlements was the establishment of a so-called monitorship: For this purpose, former US Deputy Attorney General Larry Thompson was appointed as an external compliance monitor. His task was to review and further develop the Group's existing compliance and control systems and monitor their implementation.

To fulfill this task, the monitor was given comprehensive access to VW documents and data, including personal information on former and active employees. This ranged from real names and personnel numbers to service-related evaluations. In the view of the State Commissioner for Data Protection of Lower Saxony (LfD), this access to data constituted a serious breach of data protection law. As a result, the LfD initiated supervisory proceedings against Volkswagen and identified five specific cases which it deemed to be infringements of the GDPR. It issued warnings against VW in accordance with Art. 58 para. 2 lit. b GDPR.

Warning 1: Real-name list with "direct knowledge" - inadmissible?

VW had sent the US monitor a list of 22 real names, labeled "direct knowledge".

Warning 2: Pseudonymized data in the "fast lane process" - no obligation for end-to-end encryption

As part of the fast lane process, VW transmitted pseudonymized data by transport-encrypted email. The LfD, however, demanded end-to-end encryption. The court rejected this: the data was not particularly sensitive, and without the real names there was no concrete risk of re-identification, especially as the assignment key was not transmitted.

The court thus concretizes the technical level of protection required under Art. 32 GDPR and underlines that pseudonymized data may be protected proportionately. It must nevertheless be kept in mind that the state of the art, and with it the technical and organizational measures that count as reasonable, is constantly evolving. The decision must therefore not be generalized, but always be read in the light of the specific risk assessment.

Warning 3: Violation of the obligation to provide information when transmitting data to the monitor

The court took a different view of the warning due to insufficient information provided to employees. VW had transmitted personal data of employees, including pseudonymized information, as part of the monitorship. The court clarified that this data is also considered personal data pursuant to Art. 4 No. 1 GDPR, as the monitor would have been able to request the assignment key to identify the data subjects with reasonable effort. Contrary to VW's opinion, there was therefore no anonymization.

The court also found that the transfer of the data by Volkswagen to the US monitor constituted a change of purpose within the meaning of Art. 6 (4) GDPR. The original data collection had served employment purposes, but the transfer in the context of the monitorship did not serve the direct purpose of implementing the employment relationship. VW was also unable to demonstrate that the further processing was in the legitimate interest of the employer without simultaneously violating the rights of the data subject.

Finally, the court criticized the way in which the persons concerned were informed. Although VW had published information about the monitorship on the intranet, there was a lack of specific, targeted and individual information for the employees concerned. The court deemed the mere posting of general information without active communication to be insufficient in terms of the transparency obligations under Art. 13 and 14 GDPR.

Assessment: The decision emphasizes the strict requirements for transparency obligations pursuant to Art. 13 GDPR. In the case of transfers to third parties, such as the US monitor, Art. 14 GDPR may also be relevant, especially if the information was not collected directly from the data subjects. The restrictive interpretation of the purpose limitation principle under Art. 5 para. 1 lit. b GDPR also becomes clear. From the perspective of the supervisory authority, it must also be acknowledged that cumulative re-identifiability through the combination of several pseudonymized data sets represents a risk that should not be underestimated.

Warning 4: Missing information during EPA audit

The fourth warning concerned data processing in the context of an additional audit carried out on the basis of an administrative agreement between VW and the US Environmental Protection Agency (EPA). The aim of this measure was to secure long-term access to public contracts in the USA. To this end, an auditor was appointed to further develop the internal compliance management system and check that it was being adhered to.

However, the LfD objected to the fact that VW once again transmitted personal data to this auditor, partly pseudonymized and partly with real names, without adequately informing the employees concerned about the type, scope and purpose of the data processing. In this case, too, the supervisory authority relied on the view that pseudonymization does not lead to depersonalization if a third party is able to assign the data to real persons with reasonable effort. The court followed this reasoning and also judged the information provided by VW to be inadequate. According to the court, general information or delayed information does not meet the requirements of Art. 13 and 14 GDPR.

Warning 5: Missing record of processing activities at the start of the audit

The fifth warning concerned VW's failure to create a separate record of processing activities in accordance with Art. 30 GDPR at the start of the EPA audit. VW argued that the existing record from the monitorship was sufficient. The court rejected this argument: although there were thematic overlaps, these were two formally independent data processing operations with different purposes and addressees.

Although the later completion of the record was taken into account in the judgment to mitigate the penalty, the court nevertheless deemed the warning to be lawful. The supervisory authority was therefore entitled to issue a warning to draw attention to the documentation obligation and its importance for the verifiability of data protection processes.

Conclusion: The court makes it clear that a separate record pursuant to Art. 30 GDPR is required even where processing is formally close to other data processing operations, provided that its purpose or structure differs. From the perspective of the supervisory authorities, the lack of such a record is also an indication of structural deficits in data protection management.


Differentiated standards for international compliance processes

The ruling illustrates the difficult balance between data protection requirements and international compliance obligations. On the one hand, the court agrees with the authority with regard to transparency and documentation obligations; on the other hand, it shows the limits of the authority to intervene in technically and legally justifiable measures on the part of companies.

For companies, the ruling means:

  • Strengthening the balancing of interests and technical protective measures, provided these are well documented and proportionate.
  • Clarification of information obligations also for pseudonymized data, in particular for further processing for new purposes.
  • Obligation to provide independent documentation for delimitable processing contexts.

VW can apply for permission to appeal to the Higher Administrative Court of Lower Saxony.

Regional court overturns high GDPR fine against Volkswagen

In parallel proceedings before the Hanover Regional Court, VW appealed against a fine of €4.3 million imposed by the LfD. The fine was levied in particular because Volkswagen was alleged to have breached its transparency obligations towards its employees.

"The Hanover Regional Court made it clear that, contrary to the LfD's argument, the disclosure of information in the context of the monitorship did not pose any significant risks for the employees concerned," reports VW's legal representative Tim Wybitul in a blog post on LinkedIn.

A curious twist: the public prosecutor's office lodged an appeal against the judgment of the regional court with the Higher Regional Court of Celle. However, the grounds of appeal lacked the handwritten signature of the responsible public prosecutor, so the appeal had to be withdrawn. The judgment of the Hanover Regional Court is therefore final and VW does not have to pay a fine.

Source: VW partially disregarded data protection when dealing with the diesel scandal - Press release of the Administrative Court of Lower Saxony
