
Course on VHS transition to financial guidance - occurrences of data security violation

Inadequate discretion, human blunders, or faulty registration processes on various platforms may result in breaches of data privacy in numerous sectors.

Data privacy is an intricate matter that often fails to garner sufficient focus (Picture illustration).


The lack of adequate consideration for data privacy is apparent in the case of a company based in Koblenz. This business aimed to entice prospective employees and advertised on Facebook with a video emphasizing the potential high salaries. Unfortunately, the video featured actual pay stubs. Names were obscured, but sensitive details such as birthdates, health insurance numbers, tax IDs, and wage amounts were not.

Despite being informed of the issue, the sales department failed to respond, but did manage to remove the video from the platform, as reported by Daniela Franke, the deputy to Kugelmann. However, due to the absence of salvageable screenshots of the video, the company could not be penalized, Franke reported. At least the video was removed, though.

A woman who purchased a virtual reality headset for her son at an electronics store near Bad Kreuznach during the previous year's holiday shopping encountered a different dilemma. She discovered that the device was already linked to Facebook and Instagram accounts containing personal data and explicit content, Kugelmann reported. It seemed likely that the content was pornographic. The headset had previously been sold to another customer who returned it, and an employee of the store apparently failed to erase the memory card before selling the device again. The store reported the data breach itself, and no penalty was imposed. It was an instance of human error, according to Kugelmann.

A woman's enrollment in a double-deck course at the Volkshochschule (VHS) Trier in April 2024 resulted in a data protection infringement. The woman did not provide an email address during registration, leading the VHS to search for an existing email address in previous registrations and later send an email to that address announcing the course cancellation. However, the email address belonged to someone else, who replied that they had never registered for a double-deck course. The VHS subsequently sent an email with the registration details, including the original double-deck enthusiast's personal information. The VHS's actions were criticized by the data protection officer.

In a Sparkasse near Trier, an employee held a consultation call not in a private room but in a public counter hall. The employee disclosed the client's personal details loudly, which were overheard by another customer in the counter hall who recognized the individual and later reported the breach. In response, the Sparkasse altered its service instructions to prohibit such conversations from taking place in the publicly accessible counter hall.

A government portal had to modify its registration process.

Multiple complaints regarding the "Transfer online" portal of the supervisory and service directorate (ADD) reached the data protection officer. This portal was intended to allow teachers to search for open positions, but registration resulted in a notification being sent to the respective school management. Consequently, teachers were approached by their school principals about their alleged transfer intentions. Following intervention by the Kugelmann authority, the ADD revised the registration process. Furthermore, a primary school principal was reprimanded for misusing the information.

There are also instances where, following an investigation, no violation is discovered, such as in the case of a bank in Kaiserslautern. A customer purchased a firearm and paid with a debit card. Subsequently, the customer received a call from their bank advisor inquiring about the transaction's background. The customer reportedly expressed frustration. The outcome: The investigation into the transaction processed through the checking account was, in fact, permissible.

According to the state data protection officer, this is related to the Anti-Money Laundering Act and the Banking Act. In the event of suspected money laundering, which can also include illegal arms purchases, a credit institution is obligated to take such measures if there is reason to suspect such activity. In this specific case, the purchase was lawful, as the man was a hunter and held a valid weapons permit.

Due to the complexity of data privacy regulations, misunderstandings can occur. For instance, in the case of the 'Other' customer service representative at a bank, they mistakenly believed that a necessary investigation into a legal firearm purchase was a potential violation of data privacy laws.

In order to prevent such misinterpretations in the future, comprehensive training on data privacy laws and their specific applications in various scenarios is essential for all 'Other' roles within financial institutions.
