The Privacy and Information Security Law Blog reports that earlier this month,
the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl € 36,000 (approximately $51,000) for illegally keeping records of employee health data.
To compound the employee privacy breach with a security breach, it seems that the case was triggered by a report in the German news magazine Der Spiegel after someone found papers and forms containing Lidl employees’ health data in a trash bin at a car wash.
Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees’ medical conditions, partly without their knowledge. This activity was found to violate data protection law in many cases.