Enforcement Cases

Enforcement cases concerning data protection in Berlin are worth following because they can have far-reaching implications for data privacy and protection. GDPR enforcement cases in Germany are relevant beyond its borders due to the regulation’s global impact, their potential to set legal precedents, and the lessons they offer on data privacy and protection. Staying informed about these cases can help you make informed decisions, reduce risks, and, if applicable, build trust with customers and partners in an increasingly data-driven world.

Below is a non-exhaustive list of cases in which fines were imposed under the GDPR or other data protection legislation in Berlin.

2023

Controller/Processor: Humboldt Forum Service GmbH

Date of Decision: 2023

Fine (€): 215,000

Type: Insufficient legal basis for data processing

Enforcing Authority: Data Protection Authority of Berlin

Sector: Employment

Summary: The DPA of Berlin has imposed fines totaling EUR 215,000 on Humboldt Forum Service GmbH. Humboldt Forum had improperly documented sensitive information about individual employees and assessed their continued employment as ‘critical’ or ‘very critical’ on the basis of the information. The document also contained information on personal statements, health concerns, a possible interest in forming a works council and treatment in psychotherapy. During its investigation, the DPA found that the controller did not have a valid legal basis to process such sensitive data.

Direct URL:  https://www.enforcementtracker.com/ETid-1995

Controller/Processor: Deutsche Kreditbank

Date of Decision: 2023-05-31

Fine (€): 300,000

GDPR Article(s): Art. 5 (1) a) GDPR, Art. 15 (1) h) GDPR, Art. 22 (3) GDPR

Type: Insufficient fulfillment of data subjects rights    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Finance, Insurance and Consulting

Summary: The DPA of Berlin has imposed a fine of EUR 300,000 on Deutsche Kreditbank. A customer had filed a complaint with the DPA. The customer had submitted an application for a credit card to the bank, which was rejected in the course of an automated decision, despite the customer’s good credit history and high income. The customer then requested an explanation of the reasons for the rejection of their application and the basis on which the automated decision was made. However, the controller refused to provide such information to him, which also made it difficult for the customer to appeal the decision. The DPA found that the controller violated its obligation to transparently inform the data subject about the decision upon request.

Direct URL:  https://www.enforcementtracker.com/ETid-1856

2022

Controller/Processor: Credit Agency

Date of Decision: 2022 

GDPR Article(s): Art. 15 GDPR 

Type: Insufficient fulfillment of data subjects rights    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Finance, Insurance and Consulting

Summary: The DPA of Berlin imposed a fine on a credit agency. In the course of its investigation, the DPA found that the controller had stored 27 false addresses and 13 false dates of birth of a data subject for more than two years. The controller did not correct this data until the data subject submitted a request for information. However, the DPA also found that the information was provided late due to an internal error.

Direct URL:  https://www.enforcementtracker.com/ETid-1890

Controller/Processor: Job Center Employee

Date of Decision: 2022 

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing        

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: A job center employee had accessed data in the civil register for private research purposes.

Direct URL: https://www.enforcementtracker.com/ETid-1889

Controller/Processor: Sports photography company 

Date of Decision: 2022 

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing 

Enforcing Authority: Data Protection Authority of Berlin

Sector: Industry and Commerce

Summary: The DPA of Berlin has imposed a fine on a sports photography company. A sports photographer had published over 16,000 photos of minors who had taken part in a swimming competition on the company’s freely accessible website. During its investigation, the DPA found that the parents of the minors had not consented to the capturing and publication of the images.

Direct URL: https://www.enforcementtracker.com/ETid-1868

Controller/Processor: Restaurant operator

Date of Decision: 2022

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing      

Enforcing Authority: Data Protection Authority of Berlin

Sector: Accommodation and Hospitality

Summary: The DPA of Berlin has imposed a fine on a restaurant operator. During the Corona pandemic, the operator had required restaurant visitors to fill out forms with their personal data for the purpose of contact tracing as required by law. However, the controller unlawfully used the data to send promotional messages to the data subjects.

Direct URL: https://www.enforcementtracker.com/ETid-1867

Controller/Processor: Private individual

Date of Decision: 2022

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR 

Type: Insufficient legal basis for data processing       

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: The DPA of Berlin imposed a fine on a private individual. The individual, who worked in a store, had contacted a customer privately using the contact information the customer had provided, which was required to access stores during the Covid 19 pandemic.

Direct URL: https://www.enforcementtracker.com/ETid-1866

Controller/Processor: Company

Date of Decision: 2022-09-20

Fine (€): 525,000

GDPR Article(s): Art. 38 (6) GDPR

Type: Insufficient involvement of data protection officer    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Industry and Commerce

Summary: The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group. The company had appointed a data protection officer, who however was also the managing director of two service companies that processed personal data on behalf of the very same company for which they acted as data protection officer. These service companies are also part of the group to which the e-commerce company belongs. The DPA considered this to be a conflict of interest and found a violation of Art. 38 (6) GDPR. The DPA had already issued a warning to the company in 2021 due to the conflict of interest. When a new inspection this year revealed that no new data protection officer had been appointed, the DPA imposed the fine.

Direct URL: https://www.enforcementtracker.com/ETid-1398

2021

Controller/Processor: Clinic

Date of Decision: 2021

Type: Insufficient involvement of data protection officer    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Health Care

Summary: The DPA from Berlin has imposed a fine on a clinic. The clinic had appointed the clinic manager, who was also a shareholder of the clinic, as the data protection officer. A data protection officer may perform other tasks and duties, but the company must ensure that other tasks and duties do not lead to a conflict of interest. In the present case, however, there was such a conflict of interest. On the one hand, the clinic manager had to make economic decisions in his executive position, and on the other hand, he had to monitor the clinic’s compliance with data protection law. The DPA also noted that such a dual role carries the risk that patients and employees would be hesitant to seek the assistance of the data protection officer, who was also the hospital director, with critical questions about the processing of personal data.

Direct URL: https://www.enforcementtracker.com/ETid-1222

Controller/Processor: Attorney

Date of Decision: 2021

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR  

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Finance, Insurance and Consulting

Summary: The DPA from Berlin has imposed a fine on an attorney. The attorney had been in dispute with a client for several years over a monetary claim. For two years, he published the first and last names, the residential addresses of the client and his family members, as well as various unredacted parts of files on his blog – and invoked the press privilege. However, this was not an exclusively journalistic publication. Rather, the attorney was concerned with accelerating the payment of the monetary amount to which he believed he was entitled. Since the attorney could therefore not refer to the press privilege as the legal basis for the data processing, the DPA found that he had unlawfully processed the data of the data subjects.

Direct URL: https://www.enforcementtracker.com/ETid-1221 

Controller/Processor: Beverage Retailer

Date of Decision: 2021

Enforcing Authority: Data Protection Authority of Berlin

Sector: Industry and Commerce

Summary: The DPA from Berlin imposed a fine against a beverage retailer. The retailer operated a video surveillance system in which the observation angle of the cameras extended into the public space.

Direct URL: https://www.enforcementtracker.com/ETid-1220

Controller/Processor: Medical Clinic

Date of Decision: 2021 

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Health Care

Summary: The DPA from Berlin has imposed a fine on a medical clinic. The clinic had installed 21 cameras in its premises for the purpose of protection against crime and property damage. This made it possible to monitor employees and patients around the clock. The clinic relied on consent given by employees and information signs as the legal basis for the video surveillance. However, the DPA concluded that the clinic could not base the video surveillance on consent, as voluntary consent in the employee-employer relationship is questionable. Also, clearly visible notices of the video surveillance do not allow the conclusion that the patients, by entering the monitored premises, legally express their consent to the observation. The DPA could not find any other evidence that would justify such extensive video surveillance of the clinic.

Direct URL: https://www.enforcementtracker.com/ETid-1219

Controller/Processor: Job Center Employee

Date of Decision: 2021

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR 

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: A job center employee had accessed data in social database systems and in the civil register for private research purposes.

Direct URL: https://www.enforcementtracker.com/ETid-1218

Controller/Processor: Job Center Employee

Date of Decision: 2021

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: A job center employee had accessed data in social database systems and in the civil register for private research purposes. The employee wanted to prove that two of her colleagues had a relationship with each other and checked the registration addresses of both of them.

Direct URL: https://www.enforcementtracker.com/ETid-1217 

Controller/Processor: Police Officer

Date of Decision: 2021

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: A police officer had accessed data in a police database for private research purposes. The police officer accused in a criminal case intended to use the information from the police database to prepare for his testimony in court.

Direct URL: https://www.enforcementtracker.com/ETid-1216 

Controller/Processor: Police Officer

Date of Decision: 2021

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: A police officer had accessed data in a police database for private research purposes. The police officer had queried the new partner of a friend’s ex-wife because he feared that the well-being of the common child might be endangered by the new partner.

Direct URL: https://www.enforcementtracker.com/ETid-1215

Controller/Processor: Police Officer

Date of Decision: 2021

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: A police officer used a witness’s personal data to contact her personally.

Direct URL: https://www.enforcementtracker.com/ETid-1213

Controller/Processor: Police Officer

Date of Decision: 2021

GDPR Article(s): Art. 5 GDPR, Art. 6 GDPR

Type: Insufficient legal basis for data processing    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Individuals and Private Associations

Summary: A police officer repeatedly accessed data in a police database for private research purposes.

Direct URL: https://www.enforcementtracker.com/ETid-1212

Controller/Processor: Unknown

Date of Decision: 2021

Enforcing Authority: Data Protection Authority of Berlin

Sector: Public Sector and Education

Summary: In order to combat the Covid 19 pandemic, a cemetery had put out an open list in which visitors had to enter their contact data. A cemetery employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists for infection control documentation outside of contact tracing was unlawful and therefore imposed a fine.

Direct URL: https://www.enforcementtracker.com/ETid-1211

Controller/Processor: Deutsche Wohnen SE

Date of Decision: 2021-02-23 

Fine (€): 0

GDPR Article(s): Art. 5 GDPR, Art. 25 GDPR  

Type: Non-compliance with general data processing principles    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Real Estate

Summary: Originally, a fine in the amount of EUR 14,500,000 was issued against Deutsche Wohnen SE for using an archiving system for the storage of personal data of tenants that, according to the data protection authority, did not provide for the possibility of removing data that was no longer required. According to the data protection authority, personal data of tenants were stored without checking whether storage was permissible or even necessary and it was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry. *** UPDATE *** On 24 February 2021 the Berlin Regional Court dismissed the fine against Deutsche Wohnen SE due to procedural errors, see link and

Direct URL: https://www.enforcementtracker.com/ETid-98 

2019

Controller/Processor: Deutsche Wohnen SE

Date of Decision: 2019-10-30

GDPR Article(s): Art. 5 GDPR 

Type: Non-compliance with general data processing principles    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Real Estate

Summary: In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR – see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.

Direct URL: https://www.enforcementtracker.com/ETid-99 

Controller/Processor: Delivery Hero

Date of Decision: 2019-09-19

Fine (€): 195,407  

GDPR Article(s): Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR

Type: Insufficient fulfillment of data subjects rights    

Enforcing Authority: Data Protection Authority of Berlin

Sector: Accommodation and Hospitality

Summary: According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company’s delivery service platform for years – in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising emails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising emails from the delivery service. In a further five cases, the company did not provide the data subjects with the required information or only after the Berlin data protection officer had intervened.

Direct URL: https://www.enforcementtracker.com/ETid-78 

Controller/Processor: N26

Date of Decision: 2019-03 

Fine (€): 50,000

GDPR Article(s): Art. 6 GDPR 

Type: Insufficient legal basis for data processing, Page 131 of the activity report of the Data Protection Commissioner of Berlin 

Enforcing Authority: Data Protection Authority of Berlin

Sector: Finance, Insurance and Consulting

Summary: The fine was imposed against a bank (according to a newspaper N26) that had processed ‘personal data of all former customers’ without permission. The bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that in order to prevent a new bank account from being opened, only those affected may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had ‘not yet been legally concluded’.

Direct URL: https://www.enforcementtracker.com/ETid-32 
