Rechtswidrige Einwilligungserklärung - Datenschutzaufsichtsbehörde verhängt Bußgeld in Höhe von 2 Millionen Euro

Unlawful declaration of consent – data protection supervisory authority imposes a fine of 2 million euros

The General Data Protection Regulation sets out a whole series of conditions that must be met by an effective declaration of consent in accordance with Art. 6 Para.1 lit.a, 7 DSGVO. However, the fact that these requirements must also be observed in practice is now shown by the fine of 2 million euros imposed by the Austrian data protection supervisory authority.

Read more

Rekordbußgeld Amazon

Record fine for Amazon of 746 million euros

The Luxembourg National Data Protection Commission (CNPD) imposed a record fine of 746 million euros on Amazon Europe Core S.à r.l. based in Luxembourg. This emerges from the quarterly report of AMAZON.COM, Inc. dated June 30, 2021.

Read more

Datenschutzbußgeld wegen unzureichender Einbindung - Die Aufsichtsbehörden kontrollieren die Stellung des Datenschutzbeauftragten

Data protection fine for insufficient involvement – Supervisory authorities monitor the position of the data protection officer

Position of the data protection officer

Articles 38 and 39 of the General Data Protection Regulation provide legal guidelines for the cooperation between the controller and the data protection officer. In practice, there are some differences between the appointment of an internal and an external data protection officer. However, the following points in particular are mandatory in all cases:

  • Early involvement

The data protection officer must be involved at an early stage in all issues relating to the protection of personal data. This is an obligation on the part of the controller, who must ensure that the data protection officer is notified of his or her own accord. In this context, early means at a point in time at which the data protection officer’s assessments can still be properly taken into account in the planning of a processing operation.

  • Freedom from instructions

The data protection officer performs his or her duties in accordance with the General Data Protection Regulation without being bound by instructions. The data controller is therefore prohibited from influencing the content of the data protection officer’s advice and audit results.

  • Right to report

The data protection officer reports directly to the highest management level. It is therefore not permissible for the reports of the data protection officer to have to be reviewed and, if necessary, approved by subordinate units.

  • Advising data subjects

The tasks of the data protection officer also include advising data subjects on data processing and their rights under the General Data Protection Regulation. The controller is in turn obliged to actually enable this advisory activity. For example, he must provide the necessary resources and, as stipulated in Art. 37 (7) GDPR, publish the contact details of the data protection officer.

Pursuant to Art. 83 (4) (a) GDPR, a fine of up to 10 million euros or 2% of the annual turnover may be imposed for violations of the requirements of Art. 38 and 39 GDPR by the controller.

Data protection fine of 15,000 euros

The fact that these regulations are not toothless tigers, but are to be taken quite seriously and implemented in practice, is shown by the fine imposed by the data protection supervisory authority in Luxembourg. In the course of an inspection of a company, the authority found deficiencies in the implementation of Art. 38 and Art. 39 of the GDPR and imposed a fine of 15,000 euros.

Specifically, the supervisory authority found fault in particular with the fact that the data protection officer did not report to the highest management level in contravention of Art. 38 (3) of the GDPR, was not sufficiently qualified and was not appropriately involved in all issues relating to the protection of personal data.

Data protection fine: Amount

Especially when compared to the recent fine against Amazon (we reported), 15,000 euros does not seem particularly spectacular. However, when classifying the amount of the fine, it is important to note that the supervisory authority generally refers to the assessment criteria of Article 83 (2) of the GDPR in its statement regarding the amount of the fine. Therefore, it cannot be readily assessed here which factors may have been used to mitigate the penalty.

 Significance of the supervisory authority’s decision on the data protection fine

It should be noted that the data protection supervisory authorities examine all requirements for companies arising from the General Data Protection Regulation and, if necessary, also impose penalties. In addition, the mere appointment of the data protection officer is not sufficient. Rather, the data protection officer must also be enabled in practice to fulfill his or her auditing and advisory function comprehensively and free of instructions.


We will be happy to support you with any questions you may have about data protection. Simply call us at our headquarters in Hutthurm at +49 (0) 8505 91927 – 0 or at our branch in Munich at +49 (0) 89 413 2943 – 0 or use our contact form.

Anforderungen an die Erreichbarkeit des Datenschutzbeauftragten für Betroffene - Datenschutz - DSB - Datenschutzbeauftragter - DSGVO - DSGVO-Bußgeld - Geheimhaltung - Pflichten

Requirements for the availability of the Data Protection Officer

The Data Protection Officer (DPO) has been appointed, a corresponding forwarding via the e-mail address published in the data privacy statement, which directs the e-mail exclusively to the mailbox of the appointed DPO, has supposedly been set up. The availability of the data privacy officer for data subjects is thus permanently ensured. Really? Unfortunately, no! And the “no” can have unpleasant consequences for the data controller, i.e., for the company!

Read more

Datenschutz im Autohaus - Datenschutzgrundverordnung - Datenschutz - Daten - DSGVO - Autohaus - Autohäuser

Data protection in the car dealership

Data protection cannot be transferred 1 to 1 from one company to another. The implementation of the GDPR in car dealerships poses particular challenges for those responsible. In the following, we would like to discuss some of the special features of data protection in car dealerships.

Data protection in the car dealership is end customer business

In the end customer business, it is particularly important for companies to protect the rights of the data subjects. Customers may react angrily if they are dissatisfied. As a result, they often ask for their data to be deleted and no longer want to receive advertising from the dealership. Special attention must then be paid to ensuring that the right to erasure under Art. 17 GDPR is identified as such and forwarded to the responsible parties at the dealership. These must carefully examine whether the right can be fully complied with or whether, for example, the right can be exercised. Invoices are still subject to further retention.

Adhere to deadlines for data subject rights

The effort involved in checking deletion requests should not be underestimated. In doing so, the company should comply with the time limit set out in Art. 12 para. 3 DSGVO to respond to deletion requests always keep in mind. A month goes by quickly, especially if employees are not sufficiently trained and do not recognize requests for data subject rights as such or do not take them seriously at first and simply ignore them.

It is essential to train employees

For companies, it pays to train their employees on data protection. If such training is neglected, it may happen that employees ignore the rights of those affected or even treat customer data carelessly. The employees of the car dealerships have a lot to pay attention to in terms of data protection, especially in direct customer contact.

Copies of ID and salary slips

If the responsible company underestimates the importance of its employees in terms of data protection compliance, it can be costly. Copies of identity cards and salary statements and similar sensitive data are sometimes requested from customers in the context of a car purchase or a test drive, copied and then, in the worst case, openly filed in a transparent film on the sales desk in the showroom.

Various customer loyalty programs

The implementation of the GDPR in car dealerships also causes difficulties when using various customer loyalty programs. It is important to respect the right of objection of the data subjects according to Art. 21 para. 2 GDPR to be taken seriously in the case of direct marketing. It is fatal when car dealerships use different systems that do not communicate consistently with each other or are not properly maintained. If the dealership fails to clearly define responsibilities, advertising objections from customers may not be considered.


Storage of customer data in the showroom

The storage of customer data in the exhibition room is unfavourable. When implementing the GDPR in the dealership, those responsible should ensure that customer data is not stored there. Customer traffic in the exhibition space is constantly running and unauthorised persons may gain access to personal data such as purchase and lease agreements. In case of doubt, the sales staff should be provided with lockable cabinets so that documents can be quickly locked away in case of short-term need.


Screen lock in the showroom

The salesman’s workstations in the showrooms of the car dealership also pose a risk of fines if the workstations are not blocked when the employees leave. The staff’s argument that they only went away for a short time does not hold up. You are quickly distracted from your daily work, approached by another customer, still want to get documents from your colleague and in 5 seconds the unlicensed person will be able to use minutes to get data. Responsible persons should therefore pay attention to training employees. A written instruction is often not sufficient to adequately sensitize employees to the handling of customer data.

Data protection audit helps with self-assessment

If responsible parties are unsure about the implementation of the GDPR in the dealership, data protection audits can work wonders. They help in the detection of vulnerabilities. If you find in the audit that the processes that were supposedly implemented have been ignored or “adapted” by employees, you now have the chance to improve. In addition, data controllers often get the impression that it is sufficient if they have trained their employees and documented everything in terms of data protection. However, especially in the end customer business, many mistakes happen in the handling of personal data in everyday work. If problems only come to light as a result of customer complaints or with the supervisory authority, there is a risk of fines. A data protection audit can therefore help in advance to identify problems, raise the general awareness of all employees and avoid fines.

Data protection in the car dealership as a quality feature

Ultimately, the dealership’s customers will also appreciate the prudent handling of their data. Data protection is increasingly seen as a quality feature. If data protection is treated too laxly, customers quickly get the impression that they are not in the right hands, not only when it comes to data protection, but also when buying a car. However, anyone who handles customer data in a data-protection-compliant and professional manner will have an easy time gaining and maintaining the trust of their customers!

Book your data protection audit now and check how well you are really positioned.


Datenoffenlegung an Partnerunternehmen - DSGVO - DSGVO Bußgeld - Bußgeld - Datenschutz - Datenschutzverstoß - Datenschutzgrundverordnung - Daten

Disclosure of data to partner companies

For many companies, division of labour and cooperation are not only a matter of necessity, efficiency and cost reduction, but also a matter of course. What someone else can do better, he can usually do faster and cheaper, and if you sell to the same customers, there are synergies in the merger. In this respect, many companies think of many things when it comes to partnerships and cooperations with other companies – only data protection is often forgotten when it comes to the disclosure and transfer of data. It is often overlooked that cooperations with other companies require that personal data be disclosed to third parties. However, responsible companies should definitely check this data transfer in terms of data protection law and clearly define and regulate responsibilities in order to avoid fines.

Read more

Schmerzensgeld für unvollständige und verspätete Auskunft - DSGVO Bußgeld

GDPR violation: Compensation for incomplete and late information

Violations of the GDPR can cost companies dearly. The first thing that usually comes to mind are the high regulatory fines that are widely reported in the press. But not only high fines from the supervisory authorities threaten defaulting companies with incorrect information – compensation for pain and suffering can also be due, as the judgment of the Düsseldorf Labor Court of March 5, 2020 showed (Az. 9 Ca 6557/18). The reasoning for the judgment contained some fundamental statements regarding immaterial damages in connection with the violation of the GDPR.
Read more

Verarbeitungstätigkeiten - Was gibt es zu beachten?

Processing activities – what should be considered?

“More paperwork, more documentation. That is just a hindrance and does not help anyone ”. Most likely react in this way or something similar when it comes to keeping a record of the processing activities that, according to Article 30 GDPR, must be kept in every organization and company as soon as personal data is processed. Article 83 GDPR creates an additional “monetary incentive” to act. Who would like to receive a fine because data protection has not been complied with? The loss of image due to publications is often greater than the resulting financial damage.
Read more

Datenschutzrechtliche Risikofaktoren - DSGVO-Bußgelder bei nicht Einhaltung dieser Regelungen

Data protection risk factors: former employees and dissatisfied customers

In the day-to-day work of a data protection officer, you have to do a lot of persuading and repeatedly fight for compliance with the GDPR. Companies often shy away from costs and effort when making necessary adjustments. Business leaders generally question the GDPR, the demands of which are far too exaggerated. In the following we take a closer look at the topic of “data protection risk factors”:
Read more

Web-Checks - DSGVO-Check - Ist ihre Website Sicher?

GDPR check – is your website GDPR compliant?

Could you safely say that your website is compliant with data protection regulations? Because anyone looking for data protection deficiencies on the Internet will quickly find what they are looking for. Everything is included, from the inadequate cookie banner to the poorly accessible data protection declaration. But what is the cause of this? Do companies not want to meet their legal obligations or do they not even know that they are doing something wrong? You can find out in our GDPR check!
Read more