German commissioner issues fine over poor storage

Updated: Apr 13, 2020

On October 30th 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of 14.5 million Euros to Deutsche Wohnen SE for violations of the GDPR.


During on-site inspections in June 2017 and March 2019, the supervisory authority determined that the organisation used an archive system for storing tenants' PII that did not offer the possibility of disposing of data that was no longer required. PII of tenants was saved without checking whether storage was permissible or even necessary. In a number of the cases that were examined, it was consequently possible to find years-old PII of tenants that had been preserved even though it was no longer necessary for the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, consisting of revenue statements, self-disclosure forms, extracts from employment and training contracts, and tax, social security and health insurance information.

The Berlin Commissioner for Data Protection urgently recommended an adjustment of the archive system during the first inspection in 2017. However, in March 2019, more than one and a half years after the first inspection and nine months after the GDPR began to apply, the company was still unable either to demonstrate a clean-up of its database or to present legal grounds for the ongoing storage. The organisation did make initial arrangements to remedy the deficiencies. However, those measures did not suffice to align the storage of PII with the legal requirements. The imposition of a fine for an infringement of Article 25 (1) GDPR and Article 5 GDPR during the period between May 2018 and March 2019 was therefore mandatory.

The GDPR requires supervisory authorities to make sure that fines in each case are not only effective and proportionate but also dissuasive. The starting point for the calculation of fines is therefore, amongst other things, the previous year's global turnover of the company concerned. Since the annual turnover of Deutsche Wohnen SE exceeded 1.4 billion Euros according to its 2018 annual report, the legally prescribed upper limit for the fine to be assessed for the data protection violation that was found was around 28 million Euros.

For the precise determination of the amount of the fine, the Berlin Commissioner for Data Protection applied the statutory criteria, taking into account both aggravating and mitigating factors. The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the information involved had been processed in an inadmissible way over a protracted period was considered to be particularly aggravating. It was taken into account as a mitigating factor that the company took initial measures to remedy the illegal situation and cooperated formally well with the supervisory authority. Given also that the organisation could not be proven to have misused access to the inadmissibly stored information, a fine of about half the upper limit was appropriate.

In addition to sanctioning this structural violation, the Berlin Commissioner for Data Protection also imposed fines of between 6,000 and 17,000 Euros on the organisation for the inadmissible storage of tenants' PII in 15 specific individual cases.

The decision to impose a fine has not yet become final. Deutsche Wohnen SE has the right to appeal the fine.

Maja Smoltczyk:

“Sadly, in the course of our supervisory practice, we frequently come across data graveyards like the one we found at Deutsche Wohnen SE. The significance of such abuses unfortunately only becomes clear when those masses of hoarded data are stolen and abused, for example, due to cyber-attacks. But even without such serious consequences, we are dealing with a flagrant violation of the principles of data protection, which are intended to protect people from precisely such risks. It is gratifying that, adopting the GDPR, the legislator has introduced the possibility of sanctioning such structural deficiencies before the worst-case scenario comes to pass. I recommend to all data controllers that they check their archive systems for compatibility with the GDPR.”