Tag Archive for: GDPR-penalty

Datenschutzbußgeld aufgrund Verstöße von Art. 38 & 39 DSGVO - verhängt von der Datenschutzaufsichtsbehörde Luxemburg - Datenschutz - Daten - Bußgeld - Data protection - Datenschutzbeauftragter - Datenschutzkoordinator - DSB - DSK - Aufsichtsbehörde - Datenschutzgrundverordnung - DSGVO - BDSG neu - TTSDG

VIDEO: Data protection fine due to breaches of Art. 38 & 39 GDPR – imposed by the data protection supervisory authority Luxembourg

During an audit of a company, deficiencies in the implementation of Art. 38 and Art. 39 GDPR were identified and a fine of 15,000 euros was imposed.
Read more

Die 10 wichtigsten Neuerungen/Regelungen des TTDSGs - TTDSG - Datenschutz - Telekommunikationsgesetzt - TGK - Telemediendatenschutzgesetz - Personenbezogene Daten - Auftragsverarbeiter - Web - Webvideokonferenzsysteme - Zoom - Teams - Webex

VIDEO: The 10 most important innovations/regulations of the TTDSG

The new Telecommunications Telemedia Data Protection Act came into force on 01.12.2021. You can find out everything you need to know about the new law in our YouTube video.
Read more

Bußgeldverfahren wegen unzureichender Einbindung des Datenschutzbeauftragten – DSB muss stets richtig und umfassend eingebunden werden!

GDPR fine – fine proceedings due to insufficient involvement of the data protection officer

The Luxembourg data protection authority has imposed a GDPR fine in several cases on companies that fail to meet its standards for the position of data protection officers (DPOs) and is tightening its requirements for DPOs in the process. German authorities could follow these requirements.
Read more

Rechtswidrige Einwilligungserklärung - Datenschutzaufsichtsbehörde verhängt Bußgeld in Höhe von 2 Millionen Euro

Unlawful declaration of consent – data protection supervisory authority imposes a fine of 2 million euros

The General Data Protection Regulation sets out a whole series of conditions that must be met by an effective declaration of consent in accordance with Art. 6 Para.1 lit.a, 7 DSGVO. However, the fact that these requirements must also be observed in practice is now shown by the fine of 2 million euros imposed by the Austrian data protection supervisory authority.

Read more

Rekordbußgeld Amazon

Record fine for Amazon of 746 million euros

The Luxembourg National Data Protection Commission (CNPD) imposed a record fine of 746 million euros on Amazon Europe Core S.à r.l. based in Luxembourg. This emerges from the quarterly report of AMAZON.COM, Inc. dated June 30, 2021.

Read more

Datenschutzbußgeld wegen unzureichender Einbindung - Die Aufsichtsbehörden kontrollieren die Stellung des Datenschutzbeauftragten

Data protection fine for insufficient involvement – Supervisory authorities monitor the position of the data protection officer

Position of the data protection officer

Articles 38 and 39 of the General Data Protection Regulation provide legal guidelines for the cooperation between the controller and the data protection officer. In practice, there are some differences between the appointment of an internal and an external data protection officer. However, the following points in particular are mandatory in all cases:

  • Early involvement

The data protection officer must be involved at an early stage in all issues relating to the protection of personal data. This is an obligation on the part of the controller, who must ensure that the data protection officer is notified of his or her own accord. In this context, early means at a point in time at which the data protection officer’s assessments can still be properly taken into account in the planning of a processing operation.

  • Freedom from instructions

The data protection officer performs his or her duties in accordance with the General Data Protection Regulation without being bound by instructions. The data controller is therefore prohibited from influencing the content of the data protection officer’s advice and audit results.

  • Right to report

The data protection officer reports directly to the highest management level. It is therefore not permissible for the reports of the data protection officer to have to be reviewed and, if necessary, approved by subordinate units.

  • Advising data subjects

The tasks of the data protection officer also include advising data subjects on data processing and their rights under the General Data Protection Regulation. The controller is in turn obliged to actually enable this advisory activity. For example, he must provide the necessary resources and, as stipulated in Art. 37 (7) GDPR, publish the contact details of the data protection officer.

Pursuant to Art. 83 (4) (a) GDPR, a fine of up to 10 million euros or 2% of the annual turnover may be imposed for violations of the requirements of Art. 38 and 39 GDPR by the controller.

Data protection fine of 15,000 euros

The fact that these regulations are not toothless tigers, but are to be taken quite seriously and implemented in practice, is shown by the fine imposed by the data protection supervisory authority in Luxembourg. In the course of an inspection of a company, the authority found deficiencies in the implementation of Art. 38 and Art. 39 of the GDPR and imposed a fine of 15,000 euros.

Specifically, the supervisory authority found fault in particular with the fact that the data protection officer did not report to the highest management level in contravention of Art. 38 (3) of the GDPR, was not sufficiently qualified and was not appropriately involved in all issues relating to the protection of personal data.

Data protection fine: Amount

Especially when compared to the recent fine against Amazon (we reported), 15,000 euros does not seem particularly spectacular. However, when classifying the amount of the fine, it is important to note that the supervisory authority generally refers to the assessment criteria of Article 83 (2) of the GDPR in its statement regarding the amount of the fine. Therefore, it cannot be readily assessed here which factors may have been used to mitigate the penalty.

 Significance of the supervisory authority’s decision on the data protection fine

It should be noted that the data protection supervisory authorities examine all requirements for companies arising from the General Data Protection Regulation and, if necessary, also impose penalties. In addition, the mere appointment of the data protection officer is not sufficient. Rather, the data protection officer must also be enabled in practice to fulfill his or her auditing and advisory function comprehensively and free of instructions.


We will be happy to support you with any questions you may have about data protection. Simply call us at our headquarters in Hutthurm at +49 (0) 8505 91927 – 0 or at our branch in Munich at +49 (0) 89 413 2943 – 0 or use our contact form.

Anforderungen an die Erreichbarkeit des Datenschutzbeauftragten für Betroffene - Datenschutz - DSB - Datenschutzbeauftragter - DSGVO - DSGVO-Bußgeld - Geheimhaltung - Pflichten

Requirements for the availability of the Data Protection Officer

The Data Protection Officer (DPO) has been appointed, a corresponding forwarding via the e-mail address published in the data privacy statement, which directs the e-mail exclusively to the mailbox of the appointed DPO, has supposedly been set up. The availability of the data privacy officer for data subjects is thus permanently ensured. Really? Unfortunately, no! And the “no” can have unpleasant consequences for the data controller, i.e., for the company!

Read more

Datenschutz im Autohaus - Datenschutzgrundverordnung - Datenschutz - Daten - DSGVO - Autohaus - Autohäuser

Data protection in the car dealership

Data protection cannot be transferred 1 to 1 from one company to another. The implementation of the GDPR in car dealerships poses particular challenges for those responsible. In the following, we would like to discuss some of the special features of data protection in car dealerships.

Data protection in the car dealership is end customer business

In the end customer business, it is particularly important for companies to protect the rights of the data subjects. Customers may react angrily if they are dissatisfied. As a result, they often ask for their data to be deleted and no longer want to receive advertising from the dealership. Special attention must then be paid to ensuring that the right to erasure under Art. 17 GDPR is identified as such and forwarded to the responsible parties at the dealership. These must carefully examine whether the right can be fully complied with or whether, for example, the right can be exercised. Invoices are still subject to further retention.

Adhere to deadlines for data subject rights

The effort involved in checking deletion requests should not be underestimated. In doing so, the company should comply with the time limit set out in Art. 12 para. 3 DSGVO to respond to deletion requests always keep in mind. A month goes by quickly, especially if employees are not sufficiently trained and do not recognize requests for data subject rights as such or do not take them seriously at first and simply ignore them.

It is essential to train employees

For companies, it pays to train their employees on data protection. If such training is neglected, it may happen that employees ignore the rights of those affected or even treat customer data carelessly. The employees of the car dealerships have a lot to pay attention to in terms of data protection, especially in direct customer contact.

Copies of ID and salary slips

If the responsible company underestimates the importance of its employees in terms of data protection compliance, it can be costly. Copies of identity cards and salary statements and similar sensitive data are sometimes requested from customers in the context of a car purchase or a test drive, copied and then, in the worst case, openly filed in a transparent film on the sales desk in the showroom.

Various customer loyalty programs

The implementation of the GDPR in car dealerships also causes difficulties when using various customer loyalty programs. It is important to respect the right of objection of the data subjects according to Art. 21 para. 2 GDPR to be taken seriously in the case of direct marketing. It is fatal when car dealerships use different systems that do not communicate consistently with each other or are not properly maintained. If the dealership fails to clearly define responsibilities, advertising objections from customers may not be considered.


Storage of customer data in the showroom

The storage of customer data in the exhibition room is unfavourable. When implementing the GDPR in the dealership, those responsible should ensure that customer data is not stored there. Customer traffic in the exhibition space is constantly running and unauthorised persons may gain access to personal data such as purchase and lease agreements. In case of doubt, the sales staff should be provided with lockable cabinets so that documents can be quickly locked away in case of short-term need.


Screen lock in the showroom

The salesman’s workstations in the showrooms of the car dealership also pose a risk of fines if the workstations are not blocked when the employees leave. The staff’s argument that they only went away for a short time does not hold up. You are quickly distracted from your daily work, approached by another customer, still want to get documents from your colleague and in 5 seconds the unlicensed person will be able to use minutes to get data. Responsible persons should therefore pay attention to training employees. A written instruction is often not sufficient to adequately sensitize employees to the handling of customer data.

Data protection audit helps with self-assessment

If responsible parties are unsure about the implementation of the GDPR in the dealership, data protection audits can work wonders. They help in the detection of vulnerabilities. If you find in the audit that the processes that were supposedly implemented have been ignored or “adapted” by employees, you now have the chance to improve. In addition, data controllers often get the impression that it is sufficient if they have trained their employees and documented everything in terms of data protection. However, especially in the end customer business, many mistakes happen in the handling of personal data in everyday work. If problems only come to light as a result of customer complaints or with the supervisory authority, there is a risk of fines. A data protection audit can therefore help in advance to identify problems, raise the general awareness of all employees and avoid fines.

Data protection in the car dealership as a quality feature

Ultimately, the dealership’s customers will also appreciate the prudent handling of their data. Data protection is increasingly seen as a quality feature. If data protection is treated too laxly, customers quickly get the impression that they are not in the right hands, not only when it comes to data protection, but also when buying a car. However, anyone who handles customer data in a data-protection-compliant and professional manner will have an easy time gaining and maintaining the trust of their customers!

Book your data protection audit now and check how well you are really positioned.


Datenoffenlegung an Partnerunternehmen - DSGVO - DSGVO Bußgeld - Bußgeld - Datenschutz - Datenschutzverstoß - Datenschutzgrundverordnung - Daten

Disclosure of data to partner companies

For many companies, division of labour and cooperation are not only a matter of necessity, efficiency and cost reduction, but also a matter of course. What someone else can do better, he can usually do faster and cheaper, and if you sell to the same customers, there are synergies in the merger. In this respect, many companies think of many things when it comes to partnerships and cooperations with other companies – only data protection is often forgotten when it comes to the disclosure and transfer of data. It is often overlooked that cooperations with other companies require that personal data be disclosed to third parties. However, responsible companies should definitely check this data transfer in terms of data protection law and clearly define and regulate responsibilities in order to avoid fines.

Read more

Schmerzensgeld für unvollständige und verspätete Auskunft - DSGVO Bußgeld

GDPR violation: Compensation for incomplete and late information

Violations of the GDPR can cost companies dearly. The first thing that usually comes to mind are the high regulatory fines that are widely reported in the press. But not only high fines from the supervisory authorities threaten defaulting companies with incorrect information – compensation for pain and suffering can also be due, as the judgment of the Düsseldorf Labor Court of March 5, 2020 showed (Az. 9 Ca 6557/18). The reasoning for the judgment contained some fundamental statements regarding immaterial damages in connection with the violation of the GDPR.
Read more