Fine of 14.5 million euros for data protection violations

On 30 October 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine notice of around €14.5 million against Deutsche Wohnen SE for breaches of the General Data Protection Regulation (GDPR).

During on-site inspections in June 2017 and March 2019, the supervisory authority found that the company used an archiving system for the storage of tenants' personal data that offered no way to delete data that was no longer required. Tenants' personal data was stored without checking whether storage was permissible or even necessary. In individual cases reviewed, it was therefore possible to view private data of affected tenants, some of which was years old, without it still serving the purpose for which it was originally collected. This involved data on the tenants' personal and financial circumstances, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements.

After the Berlin data protection commissioner had issued an urgent recommendation to change the archiving system at the first audit date in 2017, the company was still unable, in March 2019, to demonstrate either that it had cleaned up its data holdings or that there were legal grounds for the continued storage, more than one and a half years after the first audit date and nine months after the General Data Protection Regulation became applicable. The company had made preparations to remedy the irregularities found.

However, these measures had not led to the establishment of a lawful situation with regard to the storage of personal data. The imposition of a fine for a breach of Article 25(1) of the GDPR and Article 5 of the GDPR for the period between May 2018 and March 2019 was therefore mandatory.

The General Data Protection Regulation obliges supervisory authorities to ensure that fines are not only effective and proportionate, but also dissuasive in each individual case. The starting point for the assessment of fines is therefore, among other things, the previous year's global turnover of the companies concerned. Due to the annual turnover of more than one billion euros reported in the annual report of Deutsche Wohnen SE for 2018, the legally prescribed framework for the assessment of fines for the identified data protection breach was approximately 28 million euros.

For the specific determination of the amount of the fine, the Berlin data protection commissioner applied the statutory criteria, taking into account all aggravating and mitigating factors.

The fact that Deutsche Wohnen SE had deliberately created the offending archive structure and that the data concerned had been processed unlawfully over a long period of time weighed against the company. On the other hand, the fact that the company had taken initial measures to rectify the unlawful situation and had formally cooperated well with the supervisory authority was taken into account to mitigate the fine. Also in view of the fact that the company could not be proven to have abused access to the unlawfully stored data, a fine in the middle of the specified range was appropriate.

In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the unauthorised storage of tenants' personal data in 15 specific individual cases.

The fine decision is not yet legally binding. Deutsche Wohnen SE can appeal against the fine decision.

Maja Smoltczyk:

"Unfortunately, we often encounter data graveyards like the one we found at Deutsche Wohnen SE in supervisory practice. Unfortunately, the explosive nature of such abuses is only made clear to us when, for example, cyber attacks have led to abusive access to the masses of hoarded data. But even without such serious consequences, we are dealing here with a blatant violation of the principles of data protection, which are supposed to protect those affected from precisely such risks. It is gratifying that with the General Data Protection Regulation, the legislator has introduced the possibility of sanctioning such structural deficiencies before a data disaster occurs. I recommend that all data-processing bodies check their data archiving for compatibility with the GDPR."

Source: Press release of the Berlin Commissioner for Data Protection and Freedom of Information