Hamburger Verkehrsverbund GmbH (HVV GmbH) – €20,000 Fine (Germany, 2019)

€20,000Bundesbeauftragter für den Datenschutz1 January 2019Germany
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Hamburger Verkehrsverbund GmbH (HVV GmbH) was fined for not reporting a security flaw on their website in time. This flaw allowed users to see other customers' data by changing the website URL. It's a reminder to report data breaches promptly to avoid penalties.

What happened

HVV GmbH failed to report a website security gap that exposed customer data in a timely manner.

Who was affected

Customers with an HVV Card whose data could be accessed by others due to the security flaw.

What the authority found

The authority fined HVV GmbH for not reporting the data breach quickly, as required by GDPR.

Why this matters

This case highlights the importance of promptly reporting data breaches to avoid fines. Website operators should ensure they have processes to detect and report such issues quickly.

GDPR Articles Cited

Art. 33 GDPR
Art. 34 GDPR
Germany enforcementBundesbeauftragter für den Datenschutz actionsAll Hamburger Verkehrsverbund GmbH (HVV GmbH) actions
Full Legal Summary
Detailed

On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner.

Related Enforcement Actions (0)

No other enforcement actions found for Hamburger Verkehrsverbund GmbH (HVV GmbH) in DE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

1 January 2019

Authority

Bundesbeauftragter für den Datenschutz

Fine Amount

€20,000

Enforcement Tracker ID

ETid-204

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hamburger Verkehrsverbund GmbH (HVV GmbH) - Germany (2019). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: