First multi-million dollar GDPR fine

A German real estate company, Deutsche Wohnen SE (Deutsche Wohnen), has received the highest GDPR fine to date, €14.5 million, for ‘over retention’ of personal data.

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information announced that it had imposed the highest fine issued in Germany since the EU General Data Protection Regulation (“GDPR”) became applicable.

After conducting onsite inspections in June 2017 and March 2019, the Berlin Commissioner found that Deutsche Wohnen SE was retaining tenants' personal data for an unlimited period, without examining whether the retention was legitimate or necessary at all. In some cases, it was possible to access personal data of affected tenants that was years old and no longer served the purpose for which it had originally been collected.

According to the Commissioner, Deutsche Wohnen SE was using an archiving system that did not allow it to remove data that was no longer required for the specific purpose for which it had been collected. The affected data related to tenants' financial and personal circumstances, such as bank statements, training contracts, and tax, social and health insurance data.

After the 2017 inspection, Deutsche Wohnen SE improved its archiving system. However, in 2019 the Berlin Commissioner found that the measures adopted to remedy the data protection violation were insufficient and still did not comply with the GDPR's storage limitation and data minimisation principles.

The company has announced it will challenge the fine in court.

Writing on the company blog, Norton Rose Fulbright lawyers Christoph Ritzer and Natalia Filkina noted, “The decision of the Berlin DPA emphasises the importance of getting into the detail of records management and the data deletion lifecycle. The Bavarian DPA has recently announced it will focus on this area too. It is becoming clear that the German DPAs attach particular importance to personal data deletion given the capacity for ‘data graveyards’ to cause unnecessary risk and harm to data subjects, particularly where cyber breaches occur.

“Implementing formal records management policies has not been widespread in Germany to date. This will have to change.”