The Berlin DPA has imposed a General Data Protection Regulation (GDPR) penalty of €14.5 million on Deutsche Wohnen SE, a major real estate company.
The real estate company was investigated, through onsite inspections, between June 2017 and March 2019. During this period the Berlin DPA discovered that the company was retaining personal data of tenants for an unlimited period, without reviewing whether retaining this personal data was necessary or legitimate. The Berlin DPA identified a number of occasions when personal data of affected tenants, some of it years old, was retained for a considerable amount of time after the purpose for which the information was collected had been achieved.
This fine represents the largest GDPR financial penalty in Germany since GDPR became enforceable on May 25, 2018.
It has been revealed that Deutsche Wohnen SE was using an archiving system which did not permit the removal of data that was no longer required for the specific purpose for which it was originally gathered. The data in question included information of a financial nature and, because of this, could be misused in the wrong hands. Among the data found by the Supervisory Authority were salary statements, self-disclosure forms, tax, social security and health insurance data and other personal data concerning the personal and financial situation of Deutsche Wohnen SE’s tenants.
Some enhancements were made to the Deutsche Wohnen SE archiving system after the 2017 investigation was completed. The 2019 Berlin DPA review found that these enhancements were not enough and that the system was still in breach of GDPR. It was ruled that Deutsche Wohnen SE knowingly set up the data archive in question and processed the affected data inappropriately for a considerable period of time. For those reasons, a large financial penalty was determined to be appropriate.
GDPR fines can be as high as €20 million or 4% of annual global revenue for the previous financial year, whichever figure is higher. Deutsche Wohnen SE reported worldwide turnover greater than €1 billion in 2018, which could have seen a GDPR fine of up to €28 million imposed on the firm. The Berlin Commissioner for data protection considered the level of cooperation of Deutsche Wohnen SE in the investigation when determining an appropriate financial penalty and, since Deutsche Wohnen SE did not otherwise abuse the retained data, reduced the fine to €14.5 million.