German regulator issues record fine for keeping personal data too long

The Data Protection Supervisory Authority for the state of Berlin (Die Berliner Beauftragte für Datenschutz und Informationsfreiheit, “Supervisory Authority”) recently issued a fine for GDPR violations against Germany’s second largest housing company Deutsche Wohnen SE (“DW”) for retaining personal data without legal justification. The amount of the fine, EUR 14.5m, is the highest issued by a German Supervisory Authority for data protection infringements so far and the first to be in the millions. Germany is thus following the trend of increasing fines set by other EU Member States’ authorities, such as the UK, France and Austria in particular.

What happened?

The fine was issued for alleged violations of the data protection principles of Art. 5 GDPR and the data protection by design principle of Art. 25(1) GDPR occurring between May 2018 and March 2019. DW used an archiving system to store its tenants’ personal data that did not provide for an option to delete data that is no longer needed. Data was therefore stored without evaluating whether its retention was lawful or even necessary. In some of the evaluated cases, the Supervisory Authority found years’ old personal data of tenants which were no longer relevant for the purposes of their original collection. Among the data found by the Supervisory Authority were salary statements, self-disclosure forms, tax, social security and health insurance data and other personal data concerning the personal and financial situation of DW’s tenants. Such a system was considered to violate the data protection principles of data minimization, storage limitation and lawfulness enshrined in Art. 5(1)(a), (c), (e) GDPR and the data protection by design principle in Art. 25(1) GDPR. In addition to the EUR 14.5m fine, the Supervisory Authority issued additional separate fines against DW in amounts ranging between EUR 6,000 and EUR 17,000 for the alleged unlawful storage of tenants’ personal data in 15 individual cases.

DW was advised to remedy these data protection violations by the Supervisory Authority as early as June 2017, when the Supervisory Authority first discovered these alleged violations. After a second inspection in March 2019 apparently showed no substantial improvement, the Supervisory Authority decided to impose a fine. DW has already announced its intention to challenge the fine notice in court.

Putting the DSK fine concept to the test

This fine offered the first opportunity for the new fine concept developed by the conference of the German data protection authorities (Datenschutzkonferenz, “DSK”) to prove its practicability. We will publish a comprehensive analysis soon.