Deutsche Bahn has been fined more than €1 million to cover a number of serious breaches of data protection legislation dating back over the past ten years.
The Berlin Data Protection Commissioner revealed that Deutsche Bahn was to be fined exactly €1,123,503.50, which, according to the Berlin Data Protection agency, is the ‘highest penalty that a German Data Protection Inspectorate has established’.
The activity for which Deutsche Bahn is being fined relates to the mass screening of employee data, including names, addresses, telephone numbers and bank details, against those of suppliers. This screening was carried out on at least three separate occasions, in 1998, 2002/3 and 2005/6, supposedly to detect fraudulent activity and employee-fronted Scheinfirmen, or shell companies.
It has been claimed that Deutsche Bahn also enlisted the services of a detective agency to assist in this screening activity. The Information Commissioner's press release states that personal and banking information was illegally retained for ‘years’ even after suspicions had been allayed.
The head of Deutsche Bahn, Hartmut Mehdorn, was forced to resign after it became apparent that 173,000 of Deutsche Bahn's 220,000 employees had been screened this way. Deutsche Bahn has since set up a new department for data protection, headed by board member Gerd Becht.
The chief executive officer of Deutsche Bahn, Ruediger Grube, said Becht and his team would ‘do everything to ensure that, in future, Deutsche Bahn provides impeccable and correct data protection’.
Rik Ferguson, senior security adviser at Trend Micro, claimed that Deutsche Bahn's heavy-handed tactics and the size of the resultant fine amply illustrate the need for enterprises to involve employees, works councils and unions from the outset, both when defining data protection policies and also when conducting sensitive investigations.
Ferguson said: “Effective training programs should inform the employees, but also check their understanding and gain their acceptance of the rights and obligations of the company and the employee.
“Effective security policies and technologies should include employee representatives in the design process and notify them when subsequent privileged searches are taking place. At the same time care must be taken not to expose the results of those searches to the employee representatives as this could in itself constitute a breach.
“Businesses across Europe have a real motivation to get this right as data protection authorities across the continent are rapidly increasing in power and scope.”