German regulator issues record fine for keeping personal data too long

Orrick, Herrington & Sutcliffe LLP

The Data Protection Supervisory Authority for the state of Berlin (Die Berliner Beauftragte für Datenschutz und Informationsfreiheit, “Supervisory Authority”) recently issued a fine for GDPR violations against Germany’s second-largest housing company, Deutsche Wohnen SE (“DW”), for retaining personal data without legal justification. The amount of the fine, EUR 14.5m, is the highest issued by a German Supervisory Authority for data protection infringements so far and the first to be in the millions. Germany is thus following the trend of increasing fines set by other EU Member States’ authorities, such as the UK, France and Austria in particular.

What happened?

The fine was issued for violations of the data protection principles of Art. 5 GDPR and the data protection by design principle of Art. 25(1) GDPR that occurred between May 2018 and March 2019. DW used an archiving system to store its tenants’ personal data that did not provide an option to delete data that was no longer needed. Data was therefore stored without evaluating whether its retention was lawful or even necessary. In some of the evaluated cases, the Supervisory Authority found years-old personal data of tenants that was no longer relevant for the purpose for which it had originally been collected. Among the data found by the Supervisory Authority were salary statements, self-disclosure forms, tax, social security and health insurance data, and other personal data concerning the personal and financial situation of DW’s tenants. Such a system violates the data protection principles of data minimization, storage limitation and lawfulness enshrined in Art. 5(1)(a), (c), (e) GDPR and the data protection by design principle in Art. 25(1) GDPR. In addition to the EUR 14.5m fine, the Supervisory Authority issued additional fines against DW with amounts between EUR 6,000 and EUR 17,000 for the unlawful storage of tenants’ personal data in 15 individual cases.

The Supervisory Authority urged DW to remedy these data protection violations as early as June 2017, when it first discovered them. But since a second inspection in March 2019 showed no substantial improvement, the Supervisory Authority apparently felt compelled to impose a fine. However, DW has already announced its intention to have the fine notice reviewed by a court.

Putting the DSK fine concept to the test

The fine also offered the first opportunity for the new fine concept developed by the conference of the German data protection authorities (Datenschutzkonferenz, “DSK”) to prove its practicability. We will soon publish a comprehensive analysis.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising
