Data Protection Law: "Data Cemetery" Risk

After the publication of the new concept of the German data protection authorities for the assessment of fines for data protection violations, a German data protection authority has for the first time imposed a fine in the tens of millions.

Conduct contrary to data protection law

On October 30, 2019, the Berlin commissioner for data protection and freedom of information issued a fine of approximately 14.5 million euros against Deutsche Wohnen SE for violations of several principles for the processing of personal data (Art. 5 General Data Protection Regulation, "GDPR") and insufficient technical protection of personal data (Art. 25 GDPR).

Deutsche Wohnen SE is a German housing company based in Berlin. Its real estate portfolio includes over 150,000 apartments and commercial properties, of which around 110,000 are in Berlin.

In a press release, the Berlin data protection commissioner announced that the supervisory authority had determined during audits in June 2017 and March 2019 that Deutsche Wohnen SE archives personal data of tenants without examining the necessity of storage. In individual cases, it had therefore been possible to inspect private data of the persons concerned, some of which were years old, on their personal and, in particular, financial circumstances, without (still) having a legal basis for doing so.

In view of the annual turnover of more than one billion euros reported in the annual report of Deutsche Wohnen SE for 2018, the legally prescribed framework for calculating the fine was approximately 28 million euros. The company was negatively impacted by the fact that the objected archive structure was deliberately set up and that the data concerned were illegally processed over a long period of time. A relieving factor was that no improper access to the data stored inadmissibly could be proven. For this reason, a fine was imposed in the middle of the specified fine framework.

The fine notice is not final. Deutsche Wohnen SE has already announced that it will lodge an appeal against the decision.

Note

It is to be expected that "data cemeteries" such as that of Deutsche Wohnen SE could become the subject of even more frequent fine proceedings in the future. The deletion concepts required under the GDPR to enforce the principle of data economy have so far been inadequately implemented in many companies. A comparable example in this context is the storage of data on unsuccessful applicants. As a rule, six months after completion of the application procedure, there is no longer any reason for such storage unless the applicant has consented to it.

Against this background, it is particularly important for a company to ensure that its own data archive provides for the possibility of removing data that is no longer required. The systems must be checked for possible "data corpses" and these must be removed immediately if necessary.