Background - News & Events (Landing) 2016

Search NewsRoom

Advanced Search >

All Alerts & Newsletters

Privacy & Data Protection

September 30, 2009

Other sections of this issue:
Privacy & Data Protection | ISP-Liability & Media Law | Contracts & E-Commerce |
Electronic Communications & IT

On 19 August 2009, the German discounter Lidl has again been condemned to a 36.000 EUR fine by the German Data Protection Authority for unlawful processing of personal data of its personnel.

A year after the scandal where Lidl was found to have been spying on its employees via surveillance cameras, documents were found in a dumpster indicating that Lidl was unlawfully collecting information about its employees' medical conditions.

Such personal data is sensitive and can only be processed under strict conditions, which were clearly absent here. The personal data collected were moreover also supplemented with comments such as 'operated from tumor, but benign' or 'wants to be pregnant, but fertility issues'.

Lidl admitted to having collected the records but alleged this was only with the purpose of relocating its employees to more fitting positions. This position was, however, not accepted and Lidl was condemned by the German Data Protection Authority to pay a 36.000 EUR fine for violating general principles of German privacy law..

Although this fine is significantly lower than the 1,5 million EUR Lidl had to pay last year, it is a clear indication that Data Protection Authorities more and more actively act against privacy law violations. Also, the fine remained rather low, because the violations were only proven with respect to 4 German branches of Lidl, while the suspicion existed that more branches did collect sensitive personal data in an unlawful manner.

On 14 August 2009, the German federal legislator changed Germany's Privacy Act, now including specific provisions for employer-employee relationships, giving the German Data Protection Authority clearer yardsticks in similar situations in the future.

References: Bundesdatenschutzgesetz (BDSG) in der Fassung der Bekanntmachung vom 14. Januar 2003 (BGBl. I S. 66), zuletzt geändert durch Artikel 15 Abs. 53 des Gesetzes vom 5. Februar 2009 (BGBl. I S. 160)


For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Thomas De Meese
Partner – Brussels
Phone: +