German Real Estate Company Issued with €14.5 Million GDPR Fine for Unlawful Data Retention
A German real estate company, Deutsche Wohnen SE, has been issued with a €14.5 million GDPR penalty by the Berlin Data Protection Authority for the unlawful retention of the personal data of tenants.
The Berlin DPA determined that data was being held of an unlimited period of time after the purpose for which the data had been collected had been achieved. There were several instances where tenant data had been retained for a period of several years after the tenants had vacated properties and were no longer clients of the firm.
The archiving system used by the firm did not allow data to be deleted when its purpose had been achieved. The data included financial information, which could have been misused if it had fallen into the wrong hands. Other information on tenants included statements of salary, tax data, Social Security data, health insurance information, self-disclosure forms, and personal information.
The Berlin DPA conducted an audit of the firm between June 2017 and March 2019, which included multiple onsite inspections. Following an inspection in 2017, the company made changes to its archiving system; however, the 2019 inspection revealed that the company had not done enough, and its archiving system was still not compliant with GDPR requirements.
The Berlin DPA determined that Deutsche Wohnen SE had knowingly set up its archiving system to allow tenant data to be retained and processed inappropriately, hence the substantial financial penalty. The €14.5 million fine is the largest to be issued in Germany to resolve violations of the General Data Protection Regulation.
The maximum possible fine was €28 million, but since the real estate company cooperated fully with the Berlin DPA’s investigations, the fine was reduced to €14.5 million.
The fine should serve as a warning to all businesses. GDPR prohibits the retention of data after the purpose for which personal data has been collected has been achieved. This is detailed in GDPR article 5(1)(e).