Author: Frederic Debusseré (Timelex)
Publication date: 11/11/2019
On 30 October 2019, the Berlin Data Protection Authority (DPA) issued a big fine of 14.5 million EUR against Deutsche Wohnen SE, a German publicly listed real estate company with more than 160,000 apartments in its portfolio, for storing all personal data of its tenants indefinitely in an archive system, and thus for not sufficiently distinguishing between the different retention periods and partial storage obligations for the different types of tenant data. It is the biggest fine imposed by a German DPA so far.
Insufficient archive system
During on-site inspections in June 2017 and March 2019 following a complaint, the Berlin DPA found that Deutsche Wohnen used an archive system for storing its tenants’ personal data which did not provide the possibility to delete data that was no longer required. Tenants’ personal data had been stored without verifying whether storage was allowed or even required. In some cases, it was thus possible to look into years-old personal data without these still serving the purpose of their initial processing.
In an interview of 5 November 2019, the DPA said that Deutsche Wohnen had insufficiently distinguished between the different retention periods and partial storage obligations for the different types of tenant data. Deutsche Wohnen even had had technical systems that would have enabled it to separate the different types of tenant data, but it had had not used these accordingly.
According to the decision, it concerned data about the tenants’ personal life and financial situation, such as payslips, self-identification forms, excerpts from employment and training contracts, tax, social and health insurance data, and bank statements. In the interview, the DPA added that the data also included which education the tenant had received, with whom (s)he lives together, where (s)he had lived before, etc.
After the Berlin DPA had issued an urgent recommendation in 2017 to change the archiving system, in March 2019 Deutsche Wohnen was still unable to demonstrate either a cleansing of its database or legal grounds for the continued storage. Although Deutsche Wohnen had made preparations for remedying the GDPR infringements, these measures had not led to establishing a lawful state of storage of personal data.
Therefore, the Berlin DPA found that it had to impose a fine for violating Article 5 (principles relating to processing of personal data) and Article 25.1(privacy by design and by default) of the GDPR for the period between May 2018 and March 2019.
Pursuant to Article 84.1 GDPR, fines not only have to be effective and proportionate, but also dissuasive. According to Article 83.4 GDPR, fines have to be up to 2 % of the total worldwide annual turnover of the company’s preceding financial year. As Deutsche Wohnen’s annual report for 2018 reported an annual turnover of more than 1.4 billion EUR, the Berlin DPA could have fined Deutsche Wohnen up to 28 million EUR.
In order to determine the exact amount of the fine, the Berlin DPA applied the legal criteria taking into account all relevant aspects.
- On the one hand, an important negative element was that Deutsche Wohnen had deliberately created the infringing archiving system and that the personal data concerned had been unlawfully processed over a long period of time.
- On the other hand, elements held in favour of Deutsche Wohnen were that it had taken measures with the aim of rectifying the unlawful situation very early, that it had at least formally cooperated well with the DPA, and that there was no proof that it had accessed the unlawfully stored data in an abusive way.
Based on these elements, the DPA imposed a fine of about half of the aforementioned prescribed amount, i.e. 14.5 million EUR.
In addition to sanctioning this structural infringement, the Berlin DPA imposed further fines of between 6,000 and 17,000 EUR against Deutsche Wohnen for unlawfully storing tenants’ personal data in 15 specific cases.
The Berlin DPA’s press release of 5 October 2019 can be read here.