German Privacy Regulator Joins the Club, Issuing Hefty Fine Against Real Estate Company

Goodwin

The Berlin Commissioner for Data Protection (Berlin DPA) has fined Deutsche Wohnen SE, a German property company, €14.5 million for violating the General Data Protection Regulation. This is the largest GDPR fine issued to date by a German data protection authority and signals a trend by regulators to flex their muscles (see, e.g., the recent CNIL fine and the UK ICO’s proposed fine) in cases involving blatant misuse of, or a failure to adequately protect, personal data in violation of the GDPR.

Deutsche Wohnen is the largest private real estate owner in Berlin, managing 111,000 apartments. The German company had been on the Berlin DPA’s radar for some time. According to investigations by the Berlin DPA, Deutsche Wohnen illegally archived documents containing sensitive information concerning its tenants. The documents contained information on creditworthiness, including proof of income, information from Schufa (a German private credit bureau) and employment details. The information was gathered in connection with the lease application process. Once the lease had been signed by the tenants, these documents were meant to be destroyed after a certain period (to be determined by the necessity and/or legitimacy of the retention). Instead, the documents had been archived – a practice which had been adopted by Deutsche Wohnen for a number of years.

The fine follows two audits carried out by the Berlin DPA in June 2017 and March 2019, which revealed improper data storage and retention. The investigations also revealed that personal data that was no longer required for business purposes was still being stored in Deutsche Wohnen’s archives and that the company had adopted inadequate security measures to safeguard the data.

The fine is the highest to be issued by a German data protection authority. This fine follows recent publication by the German conference of data protection authorities (Datenschutzkonferenz, DSK) of a proposal for calculating administrative fines for data protection violations (this calculation only applies to German data protection authorities). Among other criteria, the proposed model calls for determining the gravity of the violation and assigning a value that corresponds to the violation. The model for calculating fines will likely be released sometime this month. This enforcement action should be seen as a clear indicator that greater fines will be issued by German data protection authorities in the future.

Businesses should be particularly cognisant of the regulator’s focus on Deutsche Wohnen’s storage and retention practices. Undoubtedly, the illegality of the document storage under German law and the sensitive nature of the personal data are important distinguishing factors in this case. Nevertheless, the decision is a timely reminder for businesses that data retention practices must be lawful – and that personal data should not be retained longer than is needed for the purposes for which it is processed. Businesses that indiscriminately retain documents containing personal data without assessing the necessity or legitimacy of that retention need to reconsider their approach and ensure they have developed and are implementing meaningful data retention policies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising

Written by:

Goodwin