17.04.2024
An internal company guideline stipulated that a sick note only had to be submitted to the head of the respective department of the company.
An employee of the company complained to the competent data protection authority because he had to report his absences due to illness via e-mail in an e-mail distribution list with 25 colleagues and superiors.
The supervisor had also sent an e-mail to a mailing list in which several recipients listed all sick days.
The data protection authority found that such a comprehensive disclosure was not necessary and was therefore unlawful.

Industry: Company
Infringement: Art. 9 DSGVO, Art. 32 DSGVO
Fine: 75.000 EUR

Conclusion:
Even in the case of purely internal company e-mail traffic, it is essential to pay attention to employee rights. Particularly in highly sensitive areas, such as absenteeism and sick notes, disclosure to third parties should only be selected with the utmost care. If the mail server is in the public domain, it should not be used in these areas.

08.04.2024
A rucksack was stolen from a Spanish consultancy firm. Among other things, it contained a USB stick with unencrypted, sensitive data relating to a court case. The Spanish data protection authority has categorised the security measures for protecting this data as inadequate. The company should have protected the data on it with a password (e.g. "Bitlocker"). Due to this omission of necessary technical and organisational measures, the authority imposed two fines, resulting in a total fine of EUR 145,000.

Industry: Counselling
Infringement: Art. 5 Abs. 1 lit. f DSGVO und Art. 32 Abs. 1 DSGVO
Fine: 145.000 EUR

Conclusion:
With regard to the sensitivity of data, the security authorities apply various criteria for the necessary technical and organisational measures. Apart from this, any mobile data carriers with company data (e.g. laptop, USB stick, SD cards, external hard drives) should be protected against unauthorised access with a technical measure.

29.02.2024
Prior to the imposition of this fine on Enel Energia S.p.A., sanctions were imposed on another company that, among other things unlawful telemarketing for Enel Energia using illegally acquired data.
Subsequent investigations by the Italian data protection authority (GPDP) revealed significant security flaws in the CRM system used by the energy company. Unauthorised third parties were able to access data in the CRM system for years due to the lack or complete absence of security precautions, misusing it for illegal telemarketing and concluding contracts in the name of Enel Energia.
The data protection authority also criticised the fact that the company had not carried out a corresponding risk analysis when introducing the CRM system.

Industry: Energy
Infringement: Art. 5 Abs. 1 lit. f DSGVO, Art. 32 DSGVO, Art. 5 Abs. 2 DSGVO, Art. 24 Abs. 1 DSGVO, Art. 25 DSGVO, Art. 28 DSGVO
Fine: 79.107.101 EUR

Conclusion:
If third-party systems that provide and collect personal information in databases are integrated into the company structure, a technical security and risk analysis should be carried out before introducing such a system. This applies in particular to customer relationship management systems (CRM systems).

31.01.2024
Uber's European headquarters are located in the Netherlands. The French supervisory authority therefore handed over a collective action from the French League of Human Rights to the Dutch colleagues.
As part of an investigation by the authority, it was found that Uber makes it difficult for its drivers to assert their rights as data subjects. This applies in particular to the online form with which drivers can assert the transfer of their data in accordance with Art. 20 GDPR. This form was difficult to access and requests for information were answered in an incomprehensible manner, according to the authorities.
The Dutch authorities also criticised the fact that Uber's privacy policy was incomplete and lacked transparency. They justified this by stating that Uber does not inform its drivers about the storage period of personal data or about third country transfers and corresponding transfer mechanisms in accordance with Art. 44 et seq. GDPR.

Industry: Service company
Infringement: Art. 20 DSGVO, Art. 44 ff. DSGVO
Fine: 10.000.000 EUR

Conclusion:
This shows once again that if the rights of data subjects and information obligations on the part of employers are not presented transparently to everyone, this will be firmly sanctioned by the authorities.

23.01.2024
The French data protection authority (CNIL) has imposed a fine of EUR 32,000,000 on the Amazon company AMAZON FRANCE LOGISTIQUE for disproportionate employee monitoring.
Following complaints from employees and corresponding media reports, the data protection authority carried out several inspections at the logistics company. It was established that the employees in the warehouses are equipped with scanners so that certain work steps (storage or removal of goods) are recorded in real time. The mere use of these scanners was not criticised.
However, the authority criticised the amount and scope of data and indicators that are processed, as this leads to disproportionate monitoring of employees. The inactive duration of scanners was recorded, which had to be justified by the employees, and the speed measurement system for putting away items was also criticised as disproportionate. In addition, the duration of 31 days for storing the data collected via the scanners was unlawful.
Due to insufficient information regarding the handheld scanners and the video surveillance installed in the warehouses, the Amazon company was also sanctioned for violations of the information obligations under Art. 13 GDPR.

Industry: Logistics
Infringement: Art. 13 DSGVO
Fine: 32.000.000 EUR

Conclusion:
This also shows that a company has the right to document certain routines and work steps by collecting data. But this must be communicated transparently by the employer, with all its obligations and the rights of the employees, must also be communicated to them transparently.
In addition, the amount of data collected and the storage period should only be to an extent that is conducive to monitoring. Otherwise, the suspicion of complete surveillance is aroused.

06.11.2023
The French data protection authority decided to conduct investigations into compliance with data protection regulations at two unnamed public bodies.
The investigations revealed that geolocalisation systems were installed in the service and construction vehicles, which enabled comprehensive monitoring of vehicle activities. In addition to determining the location, the journey time and the assessment of whether the vehicle was used unscheduled was also recorded.
By combining this with the employees' work schedules, it was possible to determine which employee used which vehicle.
During interviews, it became apparent that those responsible had not adequately informed employees about the processing of their personal data. In addition, there was a lack of information on the legal basis for data processing and the rights of data subjects, and the data protection officer was not known.

Industry: Logistics
Infringement: Art. 13 DSGVO, Art. 5 Abs. 1 lit. b DSGVO
Fine: 2.500 EUR

Conclusion:
After all, it is in the interests of the owners and not reprehensible to monitor company vehicles of any type using geolocalisation systems.
However, employees must be adequately informed about the legal basis for data processing and their personal rights with regard to the data obtained from the monitoring!

24.10.2023
The Italian data protection authority has fined a local health authority in Naples 30,000 euros for failing to adequately protect the personal and health data of 842,000 patients and employees from hacker attacks. The health authority was the victim of a ransomware attack that used a virus to gain restricted access to the healthcare organisation's database and demanded a ransom to restore the systems. The local health authority informed the data protection authority about the security breach, in accordance with the Personal Data Protection Act, which immediately launched an investigation into the incident to find out what technical and organisational measures taken by the local health authority before and after the attack. During the investigation, the data protection authority identified several important critical points. For example, it was failed to take appropriate measures to quickly detect a data breach and ensure network security, which also constitutes a security, which is also a violation of the principle of data protection through technology. Access to the network via VPN was via an authentication process based solely on the use of a username and password. In addition, the lack of network segmentation meant that the virus was able to spread throughout the entire IT infrastructure. When assessing the fine for the data breach, it played a particular role for the data protection authority that data from which information about the health status of a very large number of registered users could be obtained, as well as the lack of willingness and uncooperative attitude of the health authority concerned.

Industry: Healthcare
Infringement: Art. 5 Abs. 1 lit. f DSGVO, Art. 25 DSGVO, Art. 32 DSGVO
Fine: 30.000 EUR

Conclusion:
The best possible technical protection of one's own IT infrastructure should not only be in the operator's own interest. This case shows that the protection of an IT infrastructure requires constant review in order to quickly integrate technical innovations or new quickly integrated into it. Otherwise, in addition to a ransom, you will also be penalised with a fine.

23.10.2023
The Italian data protection authority imposed a fine on a hospital chain after an employee of Azienda Usl Toscana Sud Est put up an information poster in the entrance area of the emergency department. The poster showed a medical employee sitting at a computer with an emergency log on the screen containing the personal data, including health data, of a real person. When asked by the authority, the hospital chain explained that the publication of the data was due to pure carelessness and that the poster had only been public for a few weeks.

Industry: Healthcare
Infringement: Art. 5 Abs. 1 lit. a, c und f DSGVO, Art. 9 DSGVO, Art. 25 DSGVO, Art. 2-septies (8)
Fine: 20.000 EUR

Conclusion:
The publication of self-created photos avoids the problem of copyright. But this case shows:
Check self-created photos before publication. If the persons depicted are identifiable, you will need a declaration of consent (from all legal guardians in the case of children!). Make sure that no data is recognisable that would allow the identification of a real person.

23.10.2023
An employee of Wallbox Chargers S.L. - a company based in Barcelona - sent emails to four customers, in each case unintentionally CCing a fifth customer. The customer received personal data of the other customers both through the email itself, as well as through the replies of the four customers contacted, as they included it in their replies. The fifth customer reported the error to the Wallbox Chargers S.L. employee, who then apologised and said that the error was not that bad. After the fifth customer drew the employee's attention to the risk of misuse and also to the fact that these were data protection violations, the company finally reported the incident to the Spanish supervisory authority. The supervisory authority imposed a fine of EUR 4,800 due to the admission of guilt by the responsible party and a voluntary payment.

Industry: Logistics
Infringement: Art. 5 Abs. 1 lit. f DSGVO, Art. 32 Abs. 1 DSGVO
Fine: 4.800 EUR

Conclusion:
Errors can easily creep in when sending emails. Especially if personal data is included in the content of the email, check the recipient(s) before sending the email.
In general, certain security measures should be taken when sending and receiving e-mails. Due to the massive increase in cyber attacks on email accounts, the supervisory authorities are increasingly focussing on the security of email accounts.

01.10.2020
The H&M company based in Hamburg operates a service centre in Nuremberg. The management of this service centre has been collecting and storing employee data on a permanent basis since at least 2014. This included data on holiday and sickness absences and data on private circumstances, which were also collected in corridor interviews. This data was summarised in individual employee profiles that could be accessed by several managers. These profiles were to be used for measures and decisions in the employment relationship.
Due to an administrative mishap in October 2019, this data could be accessed company-wide for several hours. After being informed of this, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) demanded the surrender of the data carrier (approx. 60 GB) and interviewed numerous witnesses who confirmed the documented practices.

The discovery of the serious violations prompted those responsible to take various corrective measures. A comprehensive concept was submitted to the HmbBfDI, how data protection is to be implemented at the Nuremberg site from now on.
On a positive note, the company management expressly apologised to those affected and was prepared to pay the employees substantial financial compensation.

Industry: Business
Infringement: Art. 6 Abs. 1 DSGVO
Fine: 35.258.708 EUR

Conclusion:
The combination of collecting details about private life and recording their activities led to a particularly intensive encroachment on employees' civil rights. So be warned when team leaders ask questions about private life in welcome back talks.