The German rail operator Deutsche Bahn AG has been handed down a record fine of more than one million Euros according to a report in the German newspaper Süddeutsche Zeitung.
The Berlin Data Protection Commissioner revealed that Deutsche Bahn was to be fined exactly 1,123,503.50 Euros to cover a number of serious breaches of data protection legislation dating back over the past 10 years. According to the official press release from the Berlin Data Protection agency this is the “highest penalty that a German Data Protection Inspectorate has established”.
The activity for which Deutsche Bahn is being fined relates to the mass screening of employee data, including names, addresses, telephone numbers and bank details, against those of suppliers. This screening was carried out on at least three separate occasions, in 1998, 2002/3 and 2005/6, supposedly to detect fraudulent activity and employee-fronted Scheinfirmen (shell companies). Deutsche Bahn also enlisted the services of a detective agency to assist in this screening activity, and the Data Protection Commissioner’s press release states that personal and banking information was illegally retained for “years” even after suspicions had been allayed. Particular weight was given in the release to the monitoring of all external email communications of all employees in the years 2006 and 2007, ostensibly to discover who was leaking information to journalists and to members of the German Bundestag (parliament). All of this was done without the knowledge or consent of the employees concerned.
The official press release does not mention further activity included in the Süddeutsche Zeitung article: snooping on management-level employees in two separate incidents and the collection of employee medical records. The newspaper report certainly appears to hint that this may not be the end of the financial penalties.
As a result of the incident, the CEO and several top executives were forced to resign. The new board has created a C-level position responsible for “Compliance, Data Protection & Justice” and has promised to develop new HR guidelines on data protection together with the Works Council.
Deutsche Bahn’s heavy-handed tactics and the size of the resultant fine amply illustrate the need for enterprises to involve employees, works councils and unions from the outset, both when defining data protection policies and also when conducting sensitive investigations.
Effective training programs should not only inform employees but also check their understanding and gain their acceptance of the rights and obligations of both the company and the employee. Effective security policies and technologies should include employee representatives in the design process and notify them when subsequent privileged searches are taking place. At the same time, care must be taken not to expose the results of those searches to the employee representatives, as this could in itself constitute a breach.
Businesses across Europe have a real motivation to get this right, as data protection authorities across the continent are rapidly increasing in power and scope.