German Property Firm Hit with €14.5m GDPR Fine
A General Data Protection Regulation penalty of €14.5 million has been sanctioned against Deutsche Wohnen SE, a major real estate company, by the Berlin DPA.
The real estate company was subjected to a review, via onsite inspections, between June 2017 and March 2019. During this time period the Berlin DPA discovered that the company was keeping personal data of tenants for an unlimited period, without reviewing if keeping this personal data was necessary or legitimate. The Berlin DPA spotted a number of occasions when personal data of affected tenants, some of which were several years old, was retained well after the initial purpose for which the data was collected had been achieved.
This fine is the largest GDPR financial penalty sanction in Germany since GDPR took effect on May 25 2018.
It has been shown that Deutsche Wohnen SE was utilizing an archiving system which did not permit the removal of data that was no longer needed for original specific purpose it was gathered for. The data in question was of a financial nature and, due to this, could be used for malicious purposes in the wrong hands. Among the data discovered by the Supervisory Authority were salary statements, self-disclosure forms, tax, social security and health insurance data and other personal data relating to the personal and financial situation of DW’s tenants.
There were some enhancements completed on the Deutsche Wohnen SE archiving system after the 2017 investigation was finished. However, the 2019 Berlin DPA review found that those enhancement were not enough and were in breach of GDPR. It was found that Deutsche Wohnen SE knowingly set up the data archive in question and processed the impacted data inappropriately for a considerable period of time. Due to this, a significant financial penalty was deemed appropriate by the Berlin DPA.
GDPR fines can be €20m or 4% of annual global revenue for the previous 12 months, whichever figure is greater. Deutsche Wohnen SE reported worldwide turnover of more than the €1bn in 2018, which could have resulted in a possible GDPR fine of up to €28 million. Because Deutsche Wohnen SE assisted the Berlin DPA and did not abuse the retained data, the Berlin Commissioner for Data Protection reduced the fine to €14.5 million.
Because Deutsche Wohnen SE assisted the Berlin DPA and did not abuse the retained data, the Berlin Commissioner for Data Protection reduced the fine to €14.5 million.