German Propery Firm hit with €14.5m GDPR Fine
A General Date Protection Regulation penalty of €14.5 million has been sanctioned against Deutsche Wohnen SE, a major real estate company by the Berlin DPA.
The real estate company was subjected to a review, via onsite inspections, between June 2017 and March 2019. During this time period the Berlin DPA discovered that the company was keeping personal data of tenants for an unlimited period, without reviewing if keeping this personal data was necessary or legitimate. The Berlin DPA spotted a number of occasions when personal data of affected tenants, some of which were years old, was viewed without the data serving the purpose of the initial original data collection.
This fine is the largest GDPR financial penalty sanction in Germany since GDPR became live on May 25 2018.
It has been shown that Deutsche Wohnen SE was utilizing an archiving system which did not permit the removal of data that was no longer needed for original specific purpose it was gathered for. The data in question if of a financial manner and, due to this, can be used for malicious reasons in the wrong hands. Among the data discovered by the Supervisory Authority were salary statements, self-disclosure forms, tax, social security and health insurance data and other personal data relating to the personal and financial situation of DW’s tenants.
There were some enhancements completed on the Deutsche Wohnen SE archiving system after the 2017 investigation was finished. Sadly for them, the 2019 Berlin DPA review found that these enhancement were not enough and were in breach of GDPR. It was found that Deutsche Wohnen SE knowingly set up the data archive in question and processed the impacted data inappropriately for a considerable period of time. Due to this, the record penalty was deemed acceptable by the Berlin DPA.
GDPR fines go up to as €20m or 4% of annual global revenue for the previous 12 months, whichever figure is higher. Deutsche Wohnen SE reported worldwide turnover more than the €1bn in 2018, resulting in a possible GDPR fine of up to €28 million. The Berlin Commissioner discovered that Deutsche Wohnen SE had worked with them and did not otherwise abuse the retained data, and cut the fine to €14.5 million.