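First, the German DPA found a violation of Article 13 of the GDPR (the duty to inform data subjects about processing): the test vehicle carried cameras that continuously collected images and other information about road users, but the vehicle bore no camera symbol or other required signage to inform road users that it would be processing personal data.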
Article 13: Information to be provided where personal data are collected from the data subject
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
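The DPA found that Volkswagen had not concluded a data processing agreement with the company carrying out the test drives, in violation of Article 28 of the GDPR. Under the GDPR, when data processing is entrusted to another party, a data processing agreement must be signed to ensure that the data is properly protected; if the entrusted company breaches the agreement, the entrusting company should seek compensation under the contract.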
Article 28 – Processor
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
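The DPA found that Volkswagen had not carried out a data protection impact assessment before processing personal data, in violation of Article 35 of the GDPR. The GDPR requires the relevant impact assessment to be carried out before personal data is processed, to ensure that the company or individual has fully considered data leakage and the related protective measures when processing personal data.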
Article 35 – Data protection impact assessment
1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
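The DPA found that Volkswagen had not listed its technical and organisational security measures in its record of processing activities, thereby violating Article 30 of the GDPR. Once personal data has been collected, there is a duty to protect it. This duty is not a mere slogan: it further requires measures at the technical level (for example, access only after two-step verification, ensuring that only company employees can see the data) or at the organisational level (only personnel of a specific level or with a specific task may see personal data; no one else may view or use it).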
Article 30 – Records of processing activities
1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).