During test drives, VW attached cameras to special test vehicles that recorded what was happening around the car. In the absence of appropriate notices, this practice violated data protection law. The responsible authority in Lower Saxony therefore imposed a fine of 1.1 million euros.
Test drives with unmarked cameras
The aim of the test drives was to develop a driving assistance system to help prevent accidents. In principle, such test drives with camera recording are perfectly permissible. However, one of the requirements is that the vehicle must be clearly marked. Specifically, a clearly recognizable camera symbol and other information, primarily concerning the purpose of the data processing and the period for which the data obtained in the process is to be stored, must be present on the vehicle.
The lack of this information was noticed when the test vehicle came under traffic control in Salzburg. The police had noticed the cameras installed during this check. During the further investigation of the case, other data protection violations were also discovered. For example, there was no order processing agreement between VW and the company that carried out the test drives. Such a contract is required under the GDPR, as both companies collect and process personal data. A data protection impact assessment could also not be demonstrated. This is mandatory and serves to identify potential data protection risks and possible countermeasures. Last but not least, a declaration of the technical and organizational protection measures in the list of processing activities was also missing – thus violating the documentation obligation stipulated in the GDPR.
Low severity of violations
Barbara Thiel, the data protection commissioner for Lower Saxony, therefore stated that there were a total of four data protection violations, but also pointed out that all of these violations were found to be “of low severity in each case.” VW had corrected all of the deficiencies immediately. Furthermore, only the test vehicle was affected, not the company’s series products, so that this was an isolated violation.
The fact that the test drives served the purpose of increasing road safety was also taken into account as a mitigating factor. Thiel stated on the record that the test drives themselves were unobjectionable under data protection law: “The actual research drives were not objectionable under data protection law. We have no objections to the collection and further processing of personal data in the process.
The case shows that the GDPR does not only affect the digital space – and that not only companies like Meta can be affected by fines.