Deutsche Bahn monitored the communications and bank details of thousands of employees in a corruption investigation and in a bid to uncover the source of leaks. At one point it monitored the emails of every Deutsche Bahn employee with external internet access, Berlin's data protection commissioner said.
The fine is the largest ever imposed in Germany for such offences and has been accepted by the company.
The monitoring scandal emerged earlier this year and Deutsche Bahn head Hartmut Mehdorn resigned when it became clear that 173,000 of the firm's 220,000 employees had been subjected to some kind of monitoring.
The data protection commissioner said that a detective agency was used and had kept details gleaned in its investigations for a long time after employees were no longer the subject of the company's suspicions. Even data relating to family members was kept, it said.
It said that it treated as particularly serious the fact that the security company had monitored the emails of everyone in the company in 2006 and 2007, including communications with journalists and members of parliament.
It said, though, that it was pleased that the company now had a department of compliance, data protection and justice and that its ambition was now to be a "model" of good data protection practice.
Berlin data protection commissioner Alexander Dix said, in an automated translation, "Deutsche Bahn has drawn the right conclusions from its serious violations in the past. In its efforts to achieve high data protection standards we strongly support it".
The fine stands in stark contrast to the likely result if the UK data protection authority, the Information Commissioner's Office (ICO), were to handle such a case.
The ICO would not be able to levy a direct fine, but could only issue an enforcement order telling the company to change its behaviour. It could fine the company if it broke that order, but the maximum fine would be £5,000.
The ICO has long lobbied for powers to levy fines directly in the most serious cases, and the Government has granted its request. It will give the ICO the power to fine from April next year for "knowing or reckless" breaches of the Data Protection Act's principles.
The Ministry of Justice said that it had not yet decided what the maximum fines were going to be.
"We are working closely with the Information Commissioner's Office to determine how we will commence the civil monetary penalty provision in the Criminal Justice and Immigration Act 2008," said a spokeswoman. "We expect to make an announcement about the penalties before the end of this parliamentary session."