On October 30, 2019, Berlin's Data Protection Authority imposed a fine of 14.5 million Euros on the property company Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR). This fine far exceeds the previous German record of some EUR 200,000 levied against Delivery Hero Germany, and is among the steepest penalties ever imposed in Europe for violations of data protection laws. It also shows that the German state data protection authorities are now making use of the power conferred by the GDPR to impose such punitive fines.
As early as June 2017, Berlin's data protection authority determined that Deutsche Wohnen SE had stored tenants' personal data in an archive system from which data that was no longer needed could not be erased. Although the company had been instructed to rectify the violation, an on-site inspection in March 2019 revealed that little had changed. According to Art. 5 GDPR, companies may only store and process personal data for as long as required to accomplish the purpose for which they were collected. Furthermore, companies that process personal data are required by Art. 25 GDPR to ensure through technological design and default that data protection principles are implemented effectively. According to the Data Protection Authority, this was and is not assured by the systems operated by Deutsche Wohnen SE.
An Even Larger Fine Could Have Been Imposed
In calculating the penalty, the supervisory authorities apparently based their calculations on the recently published new model of the independent data protection supervisory authorities of the German federal government and states (DSK). Information regarding the new calculation method for financial penalties can be found in our Newsletter Update Data Protection No. 67. In fact, the fine could have been much larger under this model. Deutsche Wohnen SE is a company whose 2018 turnover totaled more than EUR 1 billion (to be precise: EUR 1,438,000.00). The upper limit for the fine applied by the authorities was about EUR 28 million. The data protection authority apparently utilized the 2% of turnover limit for violations of Art. 25 GDPR, rather than the 4% of turnover limit for violations of Art. 5 GDPR. In theory, a financial penalty of as much as EUR 40 million could have been imposed against Deutsche Wohnen SE. The authorities took into account all incriminating and mitigating factors for the precise calculation of the fine, as...