Authorities register significantly more data protection violations

Berlin The corona pandemic and its effects led to serious data protection violations last year. This is shown by a survey by the Handelsblatt among the data protection officers of the federal government and the individual federal states.

A total of 397 violations of the General Data Protection Regulation (GDPR) were punished with a fine. For comparison: In 2020 there were 301 fines. This corresponds to an increase of around 30 percent.

For example, at some test centers, personal health data was easily accessible on the Internet. There were also violations in the processing of employee data during the corona pandemic. The data protection authority in North Rhine-Westphalia, for example, imposed a fine of 134,000 euros because health data had been impermissibly passed on to a works council.

There were also problems with the publication of infection numbers, the querying of vaccination status by companies and schools, the transmission of vaccination certificates, the implementation of the 3G rule in the workplace and the issuing of digital vaccination certificates by pharmacies. Nor was it permissible for ID documents to be copied when free FFP masks were handed out to older people.

Schleswig-Holstein’s data protection officer Marit Hansen sees a pattern. “The Corona issue is clearly reflected in the type of data protection violations,” she told Handelsblatt. Her colleague from Mecklenburg-Western Pomerania, Heinz Müller, spoke of an already increased volume of tasks for the authority, “which was further intensified by the corona pandemic”.

Among other things, the responsible Berlin authority reports how contact-tracing data that restaurants, cafés and other venues were required to collect was misused: employees accessed the personal data of women in order to write to them privately and ask about their “relationship status”.

Baden-Württemberg’s data protection officer Stefan Brink explained: “Since many regulations were created under great time pressure in the course of fighting the pandemic, there were always uncertainties among those affected by the regulations.” These were restaurants, other companies and, above all, citizens. “We have made every effort to support data protection solutions in order to create legal certainty here.”

The Rhineland-Palatinate head of authority, Dieter Kugelmann, refers to data protection issues caused by “the digitization push in business, administration and society, home office solutions, distance learning at schools and universities or the avalanche-like increase in video conferences”. He says he always tried to keep the pandemic and its consequences in view while still giving data protection as much weight as possible.

The GDPR, which governs the processing, storage and transfer of personal data by public authorities, private companies and citizens, has been in force in Germany and the EU since 2018. Violations can be punished with fines of up to 20 million euros or up to four percent of the annual turnover achieved worldwide. In the second case, the fine can exceed 20 million euros.

According to Kugelmann, three years after the GDPR came into effect, the situation has “consolidated”: many controllers comply with their data protection obligations, and the supervisory authorities apply the new rules “consistently, but with a sense of proportion”.

In the past year, more fines than ever before were imposed for violations of the GDPR. Yet the total sum of the fines imposed is only around 2.4 million euros, significantly less than the year before, when penalties of around 48 million euros were imposed. At that time, however, a single fine alone accounted for around 35 million euros.

High penalty against Bundesliga club

The highest fine in 2021 was imposed by the Hamburg data protection authority on the energy supplier Vattenfall: the company had matched customer data without transparently informing the customers, which was punished with just over 900,000 euros.

The Baden-Württemberg authority imposed a fine of 300,000 euros on the Bundesliga soccer club VfB Stuttgart because the club had forwarded member data to third parties and was later unable to account for this. In Lower Saxony, the highest GDPR fine imposed in 2021 was 200,000 euros, for video surveillance of employees without a legal basis.

However, these sums are nothing compared to a case from abroad, as the Bremen state data protection officer Imke Sommer reports: “With the 746 million euros against Amazon, our Luxembourg colleague took the cake last July.”

But the many other fines that European supervisory authorities have imposed for a wide range of data protection violations also contribute to the effectiveness of the rules.

Typical cases in the past year were as follows: Employees of an energy supplier disclosed payment arrears to third parties. Files were disposed of improperly. In the public sector, there were unauthorized data retrievals by employees, including police officers.

Partly drastic increase in data breaches

The right to information, with which citizens can ask companies what data about them is stored or processed there, is still a major point of contention. If the companies do not fulfill the request for information or only partially, the data protection authorities can impose fines. Rhineland-Palatinate did this in one case with 60,000 euros, Hesse with 22,000 euros.

The fact that the General Data Protection Regulation can also be applied in the private sphere is something not everyone is aware of, says Saxon data protection officer Juliane Hundert. “In particular, dash cams, i.e. accident cameras in vehicles, are often used in an uninformed and illegal way,” she told the Handelsblatt.

In such cases, her authority imposed fines of up to 1,000 euros last year. Here, she says, the focus must be even more on prevention and education.

With regard to the development of applications using artificial intelligence (AI), the Bavarian State Commissioner for Data Protection, Thomas Petri, points out that “the big test” for the GDPR is still to come.

The number of data breaches has increased, in some cases drastically, in the past year. Saxony, for example, reported an increase of around 45 percent and Thuringia of almost 30 percent compared to 2020.

This includes, for example, reports of lost letters in the post, incorrect mailing or incorrect addressing, unauthorized e-mail dispatch and the transfer of incorrect documents or information to unauthorized persons.

According to the Handelsblatt survey, a total of almost 30,000 data breaches were reported in 2021. Around 10,000 reports were received by the Federal Data Protection Commissioner, Ulrich Kelber.

The Brandenburg State Commissioner for Data Protection, Dagmar Hartge, says: “The large proportion of technical deficiencies in the reports of data protection violations shows that IT security and data protection are closely related.” Increased efforts are required here, both in the public sector and in business as well as in everyday life.

According to the responsible authority in Rhineland-Palatinate, the “biggest single cause” of data breaches in 2021 was the introduction of malware, mostly in connection with hacker attacks. “Ransomware” attacks in particular played a role here: cybercriminals encrypt data or lock operating systems and then demand a ransom for the decryption of the data.

“The phenomenon is not fundamentally new, but has recently reached increasingly large dimensions,” said the Rhineland-Palatinate data protection authority. Schleswig-Holstein spoke of “several waves” in 2021 in which vulnerabilities in IT systems were exploited.

“We are observing this trend with concern,” said the head of the authority, Hansen. “Some of the problems would have been avoided with timely updates, but there are also attacks on vulnerabilities that could not have been fixed in this way.”

German business continues to insist on improvements to the General Data Protection Regulation. So does Stephan Wernicke, chief legal officer of the Association of German Chambers of Industry and Commerce (DIHK): “A company operating EU-wide has to adapt to different, sometimes contradictory interpretations and case law in different member states.”

The implementation of the GDPR also puts a disproportionate burden on small and medium-sized companies, criticizes Wernicke. Simplified regulations or exemptions would be possible for them. Above all, many companies find the documentation, information and verification requirements to be “excessive bureaucracy”.
