VfB Stuttgart fined for neglecting the accountability principle

Summary

Between 2016 and 2017, VfB Stuttgart 1893 e.V., a registered association under German law, transferred tens of thousands of personal data records belonging to club members to an external service provider. The purpose of this transfer was to enable the spin-off of the professional soccer department into a stock corporation named "VfB Stuttgart 1893 AG". The data included information on underage members who would have reached the age of 18 by the time of the general meeting at which the spin-off decision was made.

Furthermore, after the GDPR came into effect, the soccer club shared an Excel spreadsheet containing over 100,000 data records with the service provider.

VfB Stuttgart could not produce a contractual basis for its relationship with the service provider. The club had not documented who initially commissioned the service provider, the specific powers it held within VfB Stuttgart, or the extent of its access to the personal data of members and employees.

The Decision of the DPA

The LfDI (DPA) limited the proceedings to a violation of the principle of accountability and provisionally terminated any further proceedings concerning potential other violations of the GDPR. The DPA fined VfB Stuttgart 1893 300,000 EUR for the following violation:

• Lack of a contractual relationship with the external service provider and of any documentation of its authority within the club. Consequently, the legitimacy of the data processing activities could not be adequately verified or proven, which was a breach of the principle of accountability (GDPR, Article 5(2)).

Published: 10-03-2021
Journal number: 0623.1-2/3
Tags: 01 Legal Basis and principles of data processing, 04 Data processing agreements and supervision of data processors and sub-processors.

Our remarks

• Compliance with the GDPR's accountability principle is important to keep in mind when processing personal data. You must be able to provide evidence of compliance upon request by the relevant supervisory authority. Make sure that you can provide the Data Protection Authority with the following:

° Detailed and up-to-date documentation of your data processing activities, including the legal basis for processing, the purposes of processing, the categories of data subjects and personal data processed, the recipients of personal data, the retention period, and the security measures employed.

° Appropriate policies, procedures and, where applicable, codes of conduct to demonstrate compliance with the GDPR's principles, including data minimization, accuracy, integrity, and confidentiality. This may involve conducting regular data protection impact assessments, reviewing and updating data processing agreements with third-party service providers, and ensuring that employees are adequately trained on GDPR compliance.

° Documentation of the technical and organizational measures taken to ensure the security of personal data and prevent unauthorized access or disclosure. This includes maintaining the confidentiality and integrity of data, providing regular training to staff members, and conducting regular audits of data protection processes.

Complycloud EU GDPR Report