€14.5m GDPR Penalty For German Propery Firm

The Berlin DPA has sanctioned a General Date Protection Regulation penalty of €14.5 million against Deutsche Wohnen SE, a major real estate company.

The real estate company was investigated, through onsite inspections, between June 2017 and March 2019. During this time period the Berlin DPA  discovered that the company was retaining personal data of tenants for an unlimited period, without reviewing if retaining this personal data was necessary or legitimate. The Berlin DPA identified a number of occasions when personal data of affected tenants, some of which were years old, was accessed without the data serving the purpose of the initial original data collection.

This fine represents the largest GDPR financial penalty sanction in Germany since GDPR became enforceable on May 25 2018.

It has been revealed that Deutsche Wohnen SE was using an archiving system which did not permit the removal of data that was no longer required original specific purpose it was gathered for. The data in question if of a financial nature and, due to this, can be used for malicious reasons in the wrong hands. Among the data found by the Supervisory Authority were salary statements, self-disclosure forms, tax, social security and health insurance data and other personal data concerning the personal and financial situation of DW’s tenants.

There were some enhancements made to the Deutsche Wohnen SE archiving system after the 2017 investigation was completed. Sadly for them, the 2019 Berlin DPA review found that these enhancement were not enough and were in breach of GDPR. It was ruled that Deutsche Wohnen SE knowingly set up the data archive in question and processed the affected data inappropriately for a considerable period of time. For these reasons the record penalty was deemed acceptable by the Berlin DPA.

GDPR fines can be as high as €20m or 4% of annual global revenue for the previous financial year, whichever figure is higher. Deutsche Wohnen SE reported worldwide turnover greater than €1bn in 2018, resulting in a potential GDPR fine of up to €28 million. The Berlin Commissioner took found that Deutsche Wohnen SE had worked with them and did not otherwise abuse the retained data, and reduced the fine to €14.5 million.

 

About Eoin Campbell 11 Articles
Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection.