Berlin DPA fines real estate company for GDPR violations
The Berlin Commissioner for Data Protection and Freedom of Information recently issued a record fine against Deutsche Wohnen SE for GDPR violations.
The company is said to have used an archive system for tenants' personal data that did not allow the removal of data no longer needed. Tenants' personal data was reportedly stored without verifying whether the processing was permissible and necessary. Furthermore, the company allegedly processed tenants' personal data for a purpose other than the one for which it had been collected.
The affected personal data dated in some instances years back and included information on personal and financial conditions of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.
The fine was imposed on the German real estate company for its failure to comply with the basic data protection principles of Article 5 (1) GDPR, among them lawfulness and purpose limitation of processing as well as data minimisation and accuracy.
Moreover, the supervisory authority accuses the company of violating the principle of data protection by design (Article 25 GDPR). That provision requires the controller, both when determining the means of processing and during the processing itself, to implement appropriate technical and organisational measures (pseudonymisation is the example the Article itself gives) designed to give effect to the data protection principles, data minimisation included, and to build the necessary safeguards into the processing. An archive system with no deletion function is a textbook failure of this requirement. The separate obligation to ensure a level of security appropriate to the risk, e.g. through encryption, is found in Article 32 GDPR.
According to the Berlin DPA a fine of “about half the upper limit” was appropriate in light of the aggravating and mitigating factors.
The company was put on notice by the Berlin DPA for alleged GDPR violations as early as 2017. Nevertheless, the company purportedly failed to comply with data protection obligations.
Deutsche Wohnen SE lodged a formal objection to the penalty notice within the prescribed two-week time limit. In the intermediate proceedings the supervisory authority examines whether, in light of the objection, it maintains or withdraws the fine notice. If it maintains the notice, the matter is submitted to the competent court for adjudication.
Comment
The underlying calculation of the fine notice is based on a new guideline of the German Conference of Data Protection Authorities (Datenschutzkonferenz – “DSK”).
Under Article 83 (1) GDPR fines shall in each individual case be effective, proportionate and dissuasive. For the most serious infringements, including breaches of the Article 5 principles, authorities can impose fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (5) GDPR). To determine the appropriate amount, Article 83 (2) GDPR sets out a catalogue of criteria, inter alia the nature, gravity and duration of the infringement, whether it was intentional or negligent, the degree of responsibility of the controller and the categories of personal data affected.
While the vagueness of these provisions gives authorities and courts considerable latitude, it also makes it difficult for companies to estimate the cost of a data protection infringement. The calculation guideline aims to standardise the method of calculating fines for GDPR violations in Germany. It remains to be seen whether the guideline paves the way for a consistently high level of fines in Germany; at the very least, it has a certain signal effect.
Data governance should be an integral part of a company's compliance system. The proceedings show that (unknown) 'data graveyards' pose immense risks to businesses processing personal data of European citizens, and this applies all the more to 'Big Data' operations. The starting point for data governance is always a complete and thorough record of processing activities (Article 30 GDPR), which is also how a controller demonstrates accountability under Article 5 (2) GDPR. On this point, the Bavarian Data Protection Commissioner (Der Bayerische Landesbeauftragte für den Datenschutz) has published an exemplary audit catalogue on the accountability of (large) corporate groups and data-driven companies.