On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) imposed a €14.5 million fine on a German real estate company, Deutsche Wohnen, the highest German GDPR fine to date.
The infraction related to the over-retention of personal data. The Berlin DPA applied the new calculation method for GDPR fines recently issued by the German Datenschutzkonferenz.
The company “Deutsche Wohnen” used an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. It was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection.
This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements.
In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.
The Berlin DPA considered retaining data substantially longer than necessary a breach of the GDPR, in three respects: first, the controller did not have a legal ground to store personal data longer than was necessary; second, this was considered an infringement of the data protection by design requirements under Article 25 (1) GDPR; and, finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
Deutsche Wohnen failed to establish a GDPR-compliant data retention and deletion procedure for tenants’ personal data. This was aggravated by the fact that in 2017, the Berlin DPA had already flagged the company's non-compliance with its retention obligations during an on-site audit. Although Deutsche Wohnen had taken initial measures to remedy the non-compliance, the supervisory authority found during its second audit in 2019 that these measures had not led to the establishment of a GDPR-compliant archiving system, as Deutsche Wohnen was still unable to demonstrate a clean-up of its database or legal grounds for the ongoing storage.
The Berlin DPA’s decision is not yet final and Deutsche Wohnen has already announced that it will challenge the fine in court.
For further information or clarifications regarding GDPR, please contact S. Dionysiou & Partners LLC at firstname.lastname@example.org / +357 22 272360.