On August 19, 2009, the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl €36,000 (approximately $51,000) for illegally keeping records of employee health data.
The case was triggered by a report in the German news magazine Der Spiegel. A Bochum resident found papers and forms containing Lidl employees’ health data in a trash bin at a car wash and forwarded them to the magazine. Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees’ medical conditions, partly without their knowledge. This activity was found to violate data protection law in many cases.
Source: Privacy and Information Security Law Blog
This sounds like there was both a privacy breach and a security breach.