Authors: Dr. Annabel Hili & Nico Fauser
On 30 October 2019, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) (“Berlin DPA”) issued a €14.5 million administrative fine against the real estate company Deutsche Wohnen SE for infringements of the GDPR.
During an on-site inspection in June 2017, the Berlin DPA found that the company was storing personal data belonging to its tenants in an archive system that did not allow data which was no longer required to be deleted. In some cases, tenants' personal data was being stored without any assessment of whether storage was permitted or even necessary. Furthermore, in some cases, outdated personal information on tenants was still being held even though it no longer served the purpose for which it had originally been collected. The Berlin DPA noted that the stored data included tenants' personal and financial details, such as salary certificates, self-disclosure forms, extracts from employment and training contracts, tax, social and health insurance data and bank account statements. Following the inspection, the Berlin DPA issued an urgent recommendation to change the archiving system and to delete any information that was being stored without a legal basis.
In March 2019, a second inspection was carried out. It found that, more than one and a half years after the first audit and nine months after the GDPR became applicable, the company had neither cleaned up its archive nor established a lawful basis for the continued storage of this data. While the company had started a project aimed at remedying the issues pointed out by the Berlin DPA, the measures implemented did not provide a legal basis for the storage of tenants' personal data. Although the authority could not demonstrate that personal data had been unlawfully accessed or disclosed to third parties, it considered the fact that data was archived with no possibility of deletion and/or collected with no legal basis to be a violation of the data protection by design requirement under article 25(1) of the GDPR as well as of the general processing principles under article 5 of the GDPR.
Breach of Law
Under article 25(1), data controllers are obliged to implement appropriate technical and organizational measures designed to give effect to the data protection principles (e.g. data minimization) and to integrate the necessary safeguards into the processing itself. An archive that offers no deletion function at all is, on this reading, a design failure: the safeguard that the storage limitation principle requires was never built in.
Under article 5, inter alia, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed ('data minimization principle'). Moreover, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it was collected ('storage limitation principle').
The Berlin DPA therefore held that a fine for breach of article 25(1) and article 5 of the GDPR, covering the period between May 2018 (when the GDPR became applicable) and March 2019, was warranted.
Calculation of the Fine
The GDPR obliges supervisory authorities to ensure that fines in each individual case are not only effective and proportionate but also dissuasive. The starting point for the calculation of a fine is the company's global annual turnover, which in the case of Deutsche Wohnen SE exceeded €1 billion in 2018. On this basis, the violation was assessed as attracting a fine with an upper limit of around €28 million.
In order to determine the specific amount of the fine, the Berlin DPA considered a number of factors:
- The main aggravating factor was that Deutsche Wohnen SE had deliberately created the archive structure without giving due consideration to its data protection implications, and that the data stored in it had been improperly processed over a long period of time.
- The main mitigating factors were that the company had taken some preliminary steps with the intention of remedying the situation, and that it had cooperated with the regulator. It was also noted that the company had not accessed the outdated personal data unnecessarily, even though it remained stored in the archive system.
Weighing these factors, the Berlin DPA held that the full €28 million would be excessive and settled on a more moderate amount, roughly halfway, at €14.5 million. Even so, the deliberate set-up of the archive structure and the inadmissible processing of the affected data over a long period were treated as particularly aggravating.
In addition, further fines of between €6,000 and €17,000 each were imposed for the inadmissible storage of tenants' personal data in 15 individual cases.
The administrative fine is not yet final: it is subject to appeal, and Deutsche Wohnen SE has already announced its intention to challenge the sanction before the Regional Court of Berlin.
Berlin DPA head Maja Smoltczyk said in a statement:
“‘Data cemeteries’ such as those we found at Deutsche Wohnen SE are quite often encountered in supervisory practice. Often, the gravity of such grievances unfortunately only becomes clear to us following a cyber-attack, when unauthorized access is obtained to masses of data. But even without such serious consequences, we are dealing with a blatant violation of the principles of data protection. It is gratifying that the legislator has introduced the possibility of sanctioning such structural deficiencies under the GDPR before an entire data meltdown occurs. I recommend all data processing organisations check their data archiving practices for compatibility with the GDPR.”