Volkswagen successfully defends itself against high GDPR fine and warnings

Volkswagen was able to refute the accusation of violations of the GDPR in court.
The GDPR proceedings against Volkswagen have ended rather curiously. The automotive group defended itself both against a fine of 4.3 million euros and against several warnings issued by the State Commissioner for Data Protection of Lower Saxony (LfD). The Regional Court of Hanover overturned the fine because it was unable to establish a serious GDPR violation, and the public prosecutor's office ultimately had to withdraw its appeal against that ruling because of a missing signature. More interesting from a legal perspective, however, is the ruling of the Hanover Administrative Court, which found in favor of VW in two of the five cases.

Reappraisal of the diesel scandal with data protection consequences

As part of the investigation into the diesel scandal, Volkswagen AG (VW) reached several settlements with criminal and civil authorities in the USA in order to end ongoing proceedings and prevent further legal risks. Part of these settlements was the establishment of a so-called monitorship: For this purpose, former US Deputy Attorney General Larry Thompson was appointed as an external compliance monitor. His task was to review and further develop the Group's existing compliance and control systems and monitor their implementation.

To fulfill this task, the monitor was given comprehensive access to VW documents and data, including personal information on former and active employees. This ranged from real names and personnel numbers to service-related evaluations. In the view of the State Commissioner for Data Protection of Lower Saxony (LfD), this access to data constituted a serious breach of data protection law. As a result, the LfD initiated supervisory proceedings against Volkswagen and identified five specific cases that it assessed as violations of the GDPR. For these, it issued warnings against VW in accordance with Art. 58 Para. 2 lit. b GDPR.

Warning 1: Clear name list with "direct knowledge" - inadmissible?

VW had sent the US monitor a list of 22 clear names, labeled "direct knowledge".

Warning 2: Pseudonymized data in the "fast lane process" - no obligation for end-to-end encryption

As part of the fast lane process, VW transmitted pseudonymized data by transport-encrypted email. The LfD, however, demanded end-to-end encryption. The court rejected this demand: the data did not require particular protection, and without the clear names there was no concrete risk of re-identification, especially as the assignment key was not transmitted.

The court thus specifies the technical level of protection required under Art. 32 GDPR and underlines that pseudonymized data may be handled proportionately. It must nevertheless be borne in mind that the state of the art, and with it the technical and organizational measures that can reasonably be expected, develops continuously. The decision should therefore not be generalized but always read in the light of the specific risk assessment.

Warning 3: Violation of the obligation to provide information when transmitting data to the monitor

The court took a different view of the warning concerning inadequate information of the employees. Within the framework of the monitorship, VW had disclosed personal data of employees, including pseudonymized information. The court clarified that this data is also protected as personal data under Art. 4 No. 1 GDPR, since the monitor could have requested the allocation key and identified the persons concerned with reasonable effort. Contrary to VW's opinion, the data had therefore not been anonymized.

The court also found that Volkswagen's disclosure of the data to the US monitor constituted a change of purpose within the meaning of Art. 6 (4) GDPR. The data had originally been collected for employment purposes, whereas the transmission in the context of the monitorship did not directly serve the implementation of the employment relationship. Nor was VW able to demonstrate that the further processing was in the legitimate interest of the employer without at the same time overriding the rights of the data subjects.

Finally, the court criticized the way in which the persons concerned were informed. Although VW had published information about the monitorship on the intranet, there was a lack of specific, targeted and individual information for the employees concerned. The court judged the mere posting of general information without active communication to be insufficient in terms of the transparency obligations under Art. 13 and 14 GDPR.

Assessment: The decision emphasizes the strict transparency requirements under Art. 13 GDPR. For transmissions to third parties such as the US monitor, Art. 14 GDPR may also be relevant, especially where the information was not collected directly from the data subjects. The restrictive interpretation of the purpose limitation principle under Art. 5 para. 1 lit. b GDPR also becomes clear. From the perspective of the supervisory authority, it should also be noted that cumulative re-identifiability through the combination of several pseudonymized data records is a risk that should not be underestimated.
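To make the two points above concrete (pseudonymized data stays personal data while an allocation key exists, and records can still be singled out through their remaining attributes), here is an added illustration in Python; it is not code from the page or from VW, and the employee records, the HMAC-based pseudonym scheme and the key value are constructed assumptions. It also goes one step beyond the text by showing why an unkeyed hash of a guessable identifier is not a pseudonym at all.

```python
import hashlib
import hmac

# Constructed sample records standing in for an employee list (hypothetical, not VW data).
EMPLOYEES = [
    {"personnel_no": "100234", "department": "Engine Development", "role": "Team lead"},
    {"personnel_no": "100987", "department": "Engine Development", "role": "Engineer"},
    {"personnel_no": "200456", "department": "Legal", "role": "Counsel"},
]


def token(personnel_no, key):
    """Pseudonym for one identifier: keyed HMAC-SHA256 if a key is given, plain SHA-256 if key is None."""
    data = personnel_no.encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()[:16]
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Strip the identifier, keep the service-related attributes, and return the allocation table
    separately. Only the first list is transmitted; the allocation table stays with the controller."""
    pseudo, allocation = [], {}
    for r in records:
        t = token(r["personnel_no"], key)
        allocation[t] = r["personnel_no"]
        pseudo.append({"pseudonym": t, "department": r["department"], "role": r["role"]})
    return pseudo, allocation


def reidentify(pseudo, allocation):
    """Whoever can obtain the allocation table maps every record back to a person: still personal data."""
    return [allocation[r["pseudonym"]] for r in pseudo]


def guess_identifiers(pseudo, candidates, key):
    """A recipient without the table tries candidate personnel numbers. This only works if it can compute
    the same token, i.e. for unkeyed hashes of guessable identifiers. Returns {pseudonym: personnel_no}."""
    lookup = {token(c, key): c for c in candidates}
    return {r["pseudonym"]: lookup[r["pseudonym"]] for r in pseudo if r["pseudonym"] in lookup}


def singled_out(pseudo, **attrs):
    """Records whose remaining attributes match the given values. A single hit identifies a person without
    any key, which is the cumulative re-identification risk noted in the assessment."""
    return [r for r in pseudo if all(r.get(k) == v for k, v in attrs.items())]
```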

Warning 4: Missing information during EPA audit

The fourth warning concerned data processing in the context of an additional audit carried out on the basis of an administrative agreement between VW and the US Environmental Protection Agency (EPA). The aim of this measure was to secure long-term access to public contracts in the USA. To this end, an auditor was appointed to further develop the internal compliance management system and check that it was being adhered to.

However, the LfD objected that VW had once again transmitted personal data, partly pseudonymized and partly with clear names, to this auditor without sufficiently informing the employees concerned about the type, scope and purpose of the data processing. Here, too, the supervisory authority took the view that pseudonymization does not result in depersonalization if a third party is able to assign the data to real persons with reasonable effort. The court followed this reasoning and likewise judged the information provided by VW to be inadequate: in the court's opinion, general notices or delayed information do not satisfy the requirements of Art. 13 and 14 GDPR.

Warning 5: Missing record of processing activities at the start of the audit

The fifth warning concerned VW's failure to create a separate record of processing activities pursuant to Art. 30 GDPR at the beginning of the EPA audit. VW argued that the existing record from the monitorship was sufficient. The court rejected this argument: although there were thematic overlaps, these were two formally independent data processing operations with different purposes and addressees.

Although the court took into account in mitigation that the record was subsequently created, it nevertheless deemed the warning lawful. The supervisory authority was therefore entitled to issue a warning concerning the documentation obligation and its significance for the verifiability of data protection processes.

Conclusion: The court makes it clear that a separate record pursuant to Art. 30 GDPR is required even where processing is formally close to other data processing operations, provided that the purpose or structure of the processing differs. From the perspective of the supervisory authorities, the absence of such a record is also an indication of structural deficits in data protection management.

Differentiated standards for international compliance processes

The ruling illustrates the difficult balance between data protection requirements and international compliance obligations. On the one hand, the court agrees with the authority with regard to transparency and documentation obligations; on the other hand, it shows the limits of the authority's power to intervene in technically and legally justifiable measures taken by companies.

The ruling means for companies:

  • Strengthening of the balancing of interests and of technical protective measures, provided these are well documented and proportionate.
  • Clarification of the duty to inform, which also applies to pseudonymized data, in particular where data is further processed for new purposes.
  • An obligation to keep separate documentation for distinguishable processing contexts.

VW can apply for permission to appeal to the Higher Administrative Court of Lower Saxony.

Regional court overturns high GDPR fine against Volkswagen

In parallel proceedings before the Hanover Regional Court, VW took legal action against a fine of 4.3 million euros imposed by the LfD. The fine had been imposed in particular because Volkswagen was alleged to have breached its transparency obligations towards its employees.

"The Hanover Regional Court made it clear that, contrary to the LfD's argument, the disclosure of information in the context of the monitorship did not pose any significant risks for the employees concerned," reports VW's legal representative Tim Wybitul in a blog post on LinkedIn.

A curious detail: the public prosecutor's office lodged an appeal against the regional court's judgment with the Higher Regional Court of Celle. However, the statement of grounds lacked the handwritten signature of the responsible public prosecutor, so the appeal had to be withdrawn. The judgment of the Hanover Regional Court is therefore final and VW does not have to pay the fine.

Source: VW partially disregarded data protection when dealing with the diesel scandal - Press release of the Administrative Court of Lower Saxony
