
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Data Protection Authority of Berlin (28 items)

Company: Insufficient technical and organisational measures to ensure information security

€60,000 fine - Data Protection Authority of Berlin

The DPA of Berlin imposed a fine of EUR 60,000 on a healthcare company. The company offers practice management software that includes a patient communication portal with insufficient technical and organizational measures to ensure data protection. The total amount of the fine was reduced because no data breach was found and the company cooperated with the DPA.

Multiple Police Officers: Data Protection Authority of Berlin

Data Protection Authority of Berlin

The DPA of Berlin fined 23 police officers. The police officers misused their access to the police information system for private purposes.

Deutsche Kreditbank: Insufficient fulfilment of data subjects' rights

€300,000 fine - Data Protection Authority of Berlin

The DPA of Berlin has imposed a fine of EUR 300,000 on Deutsche Kreditbank. A customer had filed a complaint with the DPA. The customer had submitted an application for a credit card to the bank, which was rejected in the course of an automated decision, despite the customer's good credit history and high income. The customer then requested an explanation of the reasons for the rejection of their application and the basis on which the automated decision was made. However, the controller refused

Humboldt Forum Service GmbH: Insufficient legal basis for data processing

€215,000 fine - Data Protection Authority of Berlin

The DPA of Berlin has imposed fines totaling EUR 215,000 on Humboldt Forum Service GmbH. Humboldt Forum had improperly documented sensitive information about individual employees and assessed their continued employment as 'critical' or 'very critical' on the basis of the information. The document also contained information on personal statements, health concerns, a possible interest in forming a works council and treatment in psychotherapy. During its investigation, the DPA found that the contro

Company: Insufficient involvement of data protection officer

€525,000 fine - Data Protection Authority of Berlin

The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group. The company had appointed a data protection officer, who however was also the managing director of two service companies that processed personal data on behalf of the very same company for which they acted as data protection officer. These service companies are also part of the group to which the e-commerce company belongs. The DPA considered this to be a conflict of interest and found a vio

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in the civil register for private research purposes.

Credit agency: Insufficient fulfilment of data subjects' rights

Data Protection Authority of Berlin

The DPA of Berlin imposed a fine on a credit agency. In the course of its investigation, the DPA found that the controller had stored 27 false addresses and 13 false dates of birth of a data subject for more than two years. The controller did not correct this data until the data subject submitted a request for information. However, the DPA also found that the information was provided late due to an internal error.

Restaurant operator: Insufficient legal basis for data processing

Data Protection Authority of Berlin

The DPA of Berlin has imposed a fine on a restaurant operator. During the Corona pandemic, the operator had required restaurant visitors to fill out forms with their personal data for the purpose of contact tracing as required by law. However, the controller unlawfully used the data to send promotional messages to the data subjects.

Private individual: Insufficient legal basis for data processing

Data Protection Authority of Berlin

The DPA of Berlin imposed a fine on a private individual. The individual, who worked in a store, had contacted a customer privately using the contact information they had provided, which was required to access stores during the Covid-19 pandemic.

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in the job center database systems for private research purposes.

Sports photography company: Insufficient legal basis for data processing

Data Protection Authority of Berlin

The DPA of Berlin has imposed a fine on a sports photography company. A sports photographer had published over 16,000 photos of minors who had taken part in a swimming competition on the company's freely accessible website. During its investigation, the DPA found that the parents of the minors had not consented to the capturing and publication of the images.

Deutsche Wohnen SE: Non-compliance with general data processing principles

Data Protection Authority of Berlin

Originally, a fine in the amount of EUR 14,500,000 was issued against Deutsche Wohnen SE for using an archiving system for the storage of personal data of tenants that, according to the data protection authority, did not provide for the possibility of removing data that was no longer required. According to the data protection authority, personal data of tenants were stored without checking whether storage was permissible or even necessary and it was therefore possible to access personal data of

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had accessed data in a police database for private research purposes. The police officer queried his stepson's investigative process in order to prepare him for his testimony and to convince the officer in charge of the case of a different crime sequence.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had repeatedly accessed data in a police database for private research purposes.

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in social database systems and in the civil register for private research purposes.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer used a witness's personal data to contact her personally.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had accessed data in a police database for private research purposes. The police officer accused in a criminal case intended to use the information from the police database to prepare for his testimony in court.

Medical clinic: Insufficient legal basis for data processing

Data Protection Authority of Berlin

The DPA from Berlin has imposed a fine on a medical clinic. The clinic had installed 21 cameras in its premises for the purpose of protection against crime and property damage. This made it possible to monitor employees and patients around the clock. The clinic relied on consent given by employees and information signs as the legal basis for the video surveillance. However, the DPA concluded that the clinic could not base the video surveillance on consent, as voluntary consent in the employee-em

Attorney: Insufficient legal basis for data processing

Data Protection Authority of Berlin

The DPA from Berlin has imposed a fine on an attorney. The attorney had been in dispute with a client for several years over a monetary claim. For two years, he published the first and last names, the residential addresses of the client and his family members, as well as various unredacted parts of files on his blog - and invoked the press privilege. However, this was not an exclusively journalistic publication. Rather, the attorney was concerned with accelerating the payment of the monetary

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had accessed data in a police database for private research purposes. The police officer had queried the new partner of a friend's ex-wife because he feared that the well-being of the common child might be endangered by the new partner.

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in social database systems and in the civil register for private research purposes. The employee wanted to prove that two of her colleagues had a relationship with each other and checked the registration addresses of both of them.

GERMANY DPA: Data Protection Authority of Berlin

Data Protection Authority of Berlin

In order to combat the Covid-19 pandemic, a cemetery had put out an open list in which visitors had to enter their contact data. A cemetery employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists for infection control documentation outside of contact tracing was unlawful and therefore imp

Beverage retailer: Data Protection Authority of Berlin

Data Protection Authority of Berlin

The DPA from Berlin imposed a fine against a beverage retailer. The retailer operated a video surveillance system in which the observation angle of the cameras extended into the public space.

Clinic: Insufficient involvement of data protection officer

Data Protection Authority of Berlin

The DPA from Berlin has imposed a fine on a clinic. The clinic had appointed the clinic manager, who was also a shareholder of the clinic, as the data protection officer. A data protection officer may perform other tasks and duties, but the company must ensure that other tasks and duties do not lead to a conflict of interest. In the present case, however, there was such a conflict of interest. On the one hand, the clinic manager had to make economic decisions in his executive position, and on th

GERMANY DPA: Data Protection Authority of Berlin

Data Protection Authority of Berlin

In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. A restaurant employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists for infection control documentation outside of contact tracing was unlawful and therefore

Deutsche Wohnen SE: Non-compliance with general data processing principles

Data Protection Authority of Berlin

In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.

Delivery Hero: Insufficient fulfilment of data subjects' rights

€195,407 fine - Data Protection Authority of Berlin

According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years - in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless rec

N26: Insufficient legal basis for data processing

€50,000 fine - Data Protection Authority of Berlin

The fine was imposed against a bank (according to a newspaper N26) that had processed 'personal data of all former customers' without permission. The bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers su