German court lifts multimillion Euro GDPR fine against Volkswagen
- Legal development 24 June 2025
- United Kingdom and Europe
On 26 February 2025, the Regional Court Hanover (“Court”) rendered a significant decision for companies on how to meet the information obligations under the General Data Protection Regulation (“GDPR”). The Court acquitted German car manufacturer Volkswagen of alleged GDPR violations after it had received a high-profile administrative fine of EUR 4.3 million under Article 83 GDPR. The State Commissioner for Data Protection of Lower Saxony (“LfD”) accused the company of failing to adequately inform its employees about the onward processing of their personal data for the purpose of a monitorship mandated by US authorities. The case highlights the importance of structured data protection documentation when working with external monitors – especially in complex, cross-border compliance settings.
Background
As part of settling several legal proceedings in the U.S., a German car manufacturer agreed to oversight by a court-appointed Compliance Monitor (“Monitor”). The Monitor's mandate focused on evaluating and improving the company's compliance systems and organisational structures – not investigating individual misconduct or reporting findings to authorities.
One area of the Monitor's review concerned performance-related processes, including so-called bonus discussions between managers and HR personnel to determine individual employee bonus amounts. The affected employees whose bonuses were being discussed did not participate in these meetings. In cases involving bonus reductions due to misconduct, the Monitor received information using pseudonyms, while in regular bonus discussions, the Monitor received actual employee names, which later became subject to scrutiny by the LfD.
To support the monitorship, the company established an extensive communication framework to inform employees about the monitorship and data processing activities: a group works council agreement, internal review processes for document disclosures, a detailed redaction guide, and general employee communication via a universal data privacy policy for employees (“Privacy Policy”), a specific information letter about the monitorship, and an intranet notice. These communications provided general information about potential data processing activities but did not include specific advance notice of actual data disclosures in individual cases. In cases where the Monitor insisted on receiving unredacted information, the company would evaluate legal permissibility on a case-by-case basis and document its decision internally (so-called formal single-case decision).
Despite these structured efforts, the LfD took the view that the company had failed to meet its obligation under Article 13 GDPR to inform affected employees in advance of such disclosures.
The decision: A structured GDPR compliance approach helps to challenge GDPR fines
The Court acquitted the company on all counts. The Court's reasoning offers a helpful framework for understanding how GDPR information obligations can be met in complex compliance scenarios:
- Comprehensive General Information Can Satisfy GDPR Requirements: The Court ruled that the company had sufficiently fulfilled its information obligations under Article 13 GDPR by making relevant privacy information accessible through general channels – namely, its Privacy Policy, a specific information letter about the monitorship, and a notice on the firm’s intranet. The Court held that the company’s Privacy Policy, in conjunction with the monitorship-specific information and intranet notice, clearly outlined the purposes, data categories, recipients, and legal bases for the processing. This holistic information package was deemed sufficiently comprehensive under Article 13(1) and (2) GDPR. The Court also found that additional individual notification of employees about the monitorship was not necessary under Article 13 GDPR, because the data subjects already possessed the necessary information and the general information was sufficiently comprehensive (Article 13(4) GDPR). The Court clarified that the exception under Article 13(4) GDPR only applies if the data subject already possesses the full scope of information otherwise required under Article 13(1) and (2) GDPR. Mere assumptions or indirect inferences do not suffice.
- Pseudonymised Data and Recipient Perspective: For the majority of the alleged violations where only employee ID numbers instead of clear names were transmitted, the Court questioned whether these even qualified as personal data in terms of GDPR in this specific context. The Court disagreed with the LfD's view that sharing pseudonymised information (employee ID numbers) with the Monitor should be treated identically to sharing clear names.
Referring to a judgment from the European General Court (T-557/20 - SRB v EDPS), the Court stated that the assessment of pseudonymisation should be based on the recipient's perspective. Since the Monitor, being an external and foreign entity, was not able to link the employee ID numbers to specific individuals, these data were considered "quasi-anonymous" for the Monitor. The Monitor's right to demand clear names was characterised as a "test case" for cooperation, not a regular investigative tool. The Court noted that the Monitor had no practical need or incentive to re-identify individuals from ID numbers.
The decision reflects a risk-based approach: pseudonymised data may not fall under GDPR if, in the specific context, the risk of re-identification is negligible and the recipient has no means or interest to re-identify.
However, the Court noted that this European General Court decision was not yet final and ultimately left the question of whether complete anonymisation had occurred open for determination.
- GDPR Scope – Structured vs. Unstructured Data Processing: In the context of handwritten notes that were taken during bonus discussions, the Court clarified that the GDPR is only applicable to the processing of personal data if it is part of a filing system or intended to form part of a filing system (Article 2(1) GDPR). Such a filing system, however, requires a structured set of personal data (Article 4(6) GDPR). Following this reasoning, the GDPR is not applicable to unstructured manual records, such as individual, informal notes taken during a meeting or oral statements.
This distinction proved crucial as the Court already questioned whether bonus discussions involve personal data as such discussions usually involve insights, information and impressions of third parties. Even if other personal data were involved, the Court found it impossible to determine retrospectively whether information from bonus discussions conducted several years earlier had been stored in a structured filing system or consisted merely of individual, informal notes or oral statements by supervisors. Given the passage of time and the lack of clear evidence about which employees were affected, retrospective clarification was no longer feasible.
- Voluntary Data Provision: In the final allegation, employees had voluntarily submitted personal information – including details about qualifications and hobbies – to assist with the monitorship. The Court found no evidence suggesting this data had been collected or transmitted without consent or awareness. Employees had used a dedicated template to provide this information and were demonstrably aware of its purpose and intended recipient. The Court emphasised that no additional authorisation or data protection review was needed in these cases, since the employees had voluntarily provided the information in full knowledge of the purpose and context of the processing.
Practical implications of the decision: Sometimes it’s worth fighting
While this case arose from the specific context of a court-appointed compliance monitor with its unique legal framework and international dimensions, certain aspects of the Court's reasoning may offer guidance for companies in related situations – particularly for companies conducting internal investigations, HR assessments, or working with external advisors who receive access to employee data:
Building Comprehensive Information Frameworks: A well-structured internal privacy framework (comprehensive policies, intranet communications, FAQs) may satisfy GDPR information obligations, especially when individual notifications would be impractical or redundant. The key is ensuring that general information is sufficiently detailed, specific, and easily accessible to employees.
Consider the Recipient’s Actual Capabilities: When sharing pseudonymised data with external parties, consider whether the recipient can realistically re-identify individuals. The Court's emphasis on the recipient's actual ability to re-identify individuals, rather than theoretical possibilities, may influence how pseudonymisation affects GDPR obligations. However, given that the cited European General Court decision has not become final and binding yet, companies should approach this aspect cautiously.
Distinguish Between Structured and Informal Data: The GDPR does not extend to every piece of information, only to data that is part of, or intended to form part of, a structured filing system. This distinction can be particularly relevant for:
- Meeting notes and informal discussions
- Individual supervisor assessments
- Ad-hoc communications that are not systematically stored
Document Voluntary Employee Participation: Where employees provide data voluntarily with full awareness of its purpose and recipient, ensure this voluntary nature is clearly documented. This can help demonstrate compliance with GDPR principles and reduce the need for additional formal procedures. A structured approach to GDPR compliance significantly increases the chances of successfully challenging corrective measures, including significant fines, imposed by data protection authorities!