Privacy & Information Security Law Blog

On Friday, October 23, 2009, the German Railways Operator Deutsche Bahn AG announced that they would pay a fine of over €1.1 million that was imposed on October 16, 2009 by the Berlin data protection authority.  This fine is the highest ever imposed by a German data protection authority.  The imposition of this fine follows a major data protection scandal that reportedly broke out within the company.  From 2002 to 2005, Deutsche Bahn had screened a large quantity of employee data and compared it to supplier data in an effort to combat corruption, but without specific suspicions related to individual employees.  In addition, the regulator considered activities by the company's security department from 2006 to 2007, which included monitoring the email communications of all employees who used external email accounts at work.  The purpose of this monitoring was to identify communication with journalists and employees of members of the federal parliament to detect which employees may have disclosed company information.  At the time it broke, the scandal cost the CEO and several top managers their jobs.  Thereafter, a major restructuring was undertaken within the company.  In addition to the changes in top management, a separate position was created at the CEO level for compliance, data protection and legal affairs.  Furthermore, it was agreed with the works council, that the company will develop new guidelines for HR data protection by the end of November.