The Berlin DPA (Data Protection Authority) is the first of the German DPAs to impose a fine in the millions for GDPR (General Data Protection Regulation) infringements. The fine of 14.5 million euros on the real estate company Deutsche Wohnen SE was imposed for years of unlawful storage of old tenant data.
The DPA already had detected GDPR infringements (Art. 25 (1) and Art. 5 of the GDPR) of the company in June 2017 when carrying out an on-site inspection. For example, the company had used an archive system that did not provide for the option to delete old data. In this system, the company stored sensitive information about current and former tenants without such storing being legally permissible or necessary.
Due to the detected GDPR infringements, in 2017 the Berlin DPA had issued an urgent recommendation for the company to act and allowed the company some time to adjust the archive system to GDPR requirements and to respect applicable retention periods.
As the same GDPR infringements still were present when carrying out another on-site inspection in March 2019, the Berlin DPA considered it mandatory to impose a fine on the company for the period between May 2018 (beginning of direct applicability of the GDPR) and October 2019. Until then, the company neither had cleaned up its database, nor could it prove a legal basis for the processing of the personal data. The measures taken by the company nonetheless were not able to eliminate the GDPR infringements.
In an interview, the Berlin DPA revealed further details. The personal data stored without legal basis are no health data, yet information related to the private lives of the tenants, which are not easily shared (e.g. which education the tenant had received, with whom he lives together, where he had lived before, etc.). The company had not sufficiently distinguished between the different retention periods and partial storage obligations for the different types of tenant data. The company even had had technical systems, which would have permitted the separation of the different types of tenant data – but these had not been used accordingly.
The GDPR has now been directly applicable in Germany for a good one and a half years. Nevertheless, there still are numerous companies that are turning a blind eye to its impact and have not yet taken any measures to implement the GDPR into their business – although there are many relevant comments and handouts of German DPAs.
The million-euro fine imposed by the Berlin DPA once again shows that this approach is becoming more “dangerous” than ever. It also underlines that an (insufficient) attempt to subsequently eliminate GDPR infringements after an official warning is not enough to repel a fine.
The fine imposed on Deutsche Wohnen SE by the Berlin DPA only is the first in the millions. Especially against the background of the recently published fine concept of the German data protection authorities, it is to be expected that further fines of the DPAs of other federal states will follow shortly. The “grace period” of the DPAs clearly has expired.
The new fine concept most likely also will lead to a general intensification of DPA actions and thus to increasing fines. The fine against Deutsche Wohnen SE clearly shows how it can turn out if the data protection authorities apply the new concept in practice (as further noted in our article about the GDPR fine concept and as described in our interview).