Fine of EUR 14.5 Million for Data Protection Violations

On October 30, 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of approximately 14.5 million Euros against Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR).

During on-site inspections in June 2017 and March 2019, the supervisory authority found that the company used an archiving system for storing personal data of tenants that did not provide a mechanism for removing data no longer required. Personal data of tenants was stored without verifying whether such storage was permissible or even necessary. In some reviewed individual cases, private information of affected tenants, dating back several years, could therefore be accessed even though it no longer served the purpose for which it was originally collected. This included data concerning the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, excerpts from employment and training contracts, tax, social security, and health insurance data, as well as bank statements.

After the Berlin Data Protection Commissioner had urgently recommended changing the archiving system during the first inspection in 2017, the company was still unable, in March 2019 – more than eighteen months after the initial inspection and nine months after the General Data Protection Regulation came into effect – to demonstrate either a cleanup of its data inventory or legal grounds for the continued storage. The company had made preparations to rectify the identified deficiencies.

However, these measures had not resulted in a lawful state regarding the storage of personal data. The imposition of a fine for a violation of Article 25 para. 1 GDPR and Article 5 GDPR for the period between May 2018 and March 2019 was therefore mandatory.

The General Data Protection Regulation obliges supervisory authorities to ensure that fines in each individual case are not only effective and proportionate but also deterrent. A key factor for determining fines is, therefore, among other things, the global turnover achieved by the companies concerned in the previous year. Due to the annual turnover of over one billion Euros reported in Deutsche Wohnen SE's 2018 annual report, the legally stipulated framework for calculating the fine for the identified data protection violation was approximately 28 million Euros.

For the specific determination of the fine amount, the Berlin Data Protection Commissioner applied the legal criteria, taking into account all aggravating and mitigating factors.

A primary aggravating factor was that Deutsche Wohnen SE had deliberately established the criticized archiving structure and processed the affected data unlawfully over a long period. Conversely, it was considered a mitigating factor that the company had indeed taken initial measures aimed at rectifying the unlawful state and formally cooperated well with the supervisory authority. Also, given that no abusive access to the unlawfully stored data could be proven against the company, a fine in the middle range of the stipulated penalty framework was ultimately deemed appropriate.

In addition to sanctioning this structural violation, the Berlin Data Protection Commissioner imposed further fines ranging from 6,000 to 17,000 Euros against the company for the unlawful storage of personal data of tenants in 15 specific individual cases.

The fine decision is not yet legally binding. Deutsche Wohnen SE can appeal the penalty notice.

Maja Smoltczyk:

“Data graveyards, such as those we found at Deutsche Wohnen SE, are unfortunately frequently encountered in supervisory practice. The urgency of such deficiencies only becomes clearly apparent to us, unfortunately, when abusive access to the massively hoarded data occurs, for example, through cyberattacks. However, even without such severe consequences, we are dealing here with a blatant violation of data protection principles, which are intended to protect data subjects precisely from such risks. It is gratifying that the legislator, with the General Data Protection Regulation, has introduced the possibility of sanctioning such structural shortcomings before a data catastrophe occurs. I recommend that all data processing entities review their data archiving for compliance with the GDPR.”

Source: Press release from the Berlin Commissioner for Data Protection and Freedom of Information