The Data Protection Supervisory Authority for the state of Berlin (Die Berliner Beauftragte für Datenschutz und Informationsfreiheit, “Supervisory Authority”) recently issued a fine for GDPR violations against Germany’s second largest housing company Deutsche Wohnen SE (“DW”) for retaining personal data without legal justification. The amount of the fine, EUR 14.5m, is the highest issued by a German Supervisory Authority for data protection infringements so far and the first to be in the millions. Germany is thus following the trend of increasing fines set by other EU Member States’ authorities, such as the UK, France and Austria in particular.
The fine was issued for the violation of the data protection principles of Art. 5 GDPR and the data protection by design principle of Art. 25(1) GDPR that occurred between May 2018 and March 2019. DW used an archiving system to store its tenants’ personal data that did not provide an option to delete data that was no longer needed. Data was therefore stored without evaluating whether its retention was lawful or even necessary. In some of the evaluated cases the Supervisory Authority found years-old personal data of tenants that was no longer relevant for the purpose for which it had originally been collected. Among the data found by the Supervisory Authority were salary statements, self-disclosure forms, tax, social security and health insurance data and other personal data concerning the personal and financial situation of DW’s tenants. Such a system violates the data protection principles of data minimization, storage limitation and lawfulness enshrined in Art. 5(1)(a), (c), (e) GDPR and the data protection by design principle in Art. 25(1) GDPR. In addition to the EUR 14.5m fine, the Supervisory Authority issued additional fines against DW with amounts between EUR 6’000 and EUR 17’000 for the unlawful storage of tenants’ personal data in 15 individual cases.
DW was urged by the Supervisory Authority to remedy these data protection violations as early as June 2017, which was the first time the Supervisory Authority discovered the violations. But since a second inspection in March 2019 showed no substantial improvement, the Supervisory Authority apparently felt compelled to impose a fine. However, DW has already announced its intention to have the fine notice reviewed by a court.
Putting the DSK fine concept to the test
The fine also offered the first opportunity for the new fine concept developed by the conference of the German data protection authorities (Datenschutzkonferenz, “DSK”) to prove its practicability. We will soon publish a comprehensive analysis.