On 30 October 2019, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – “Berlin DPA”) imposed an administrative fine of about EUR 14.5 million against Deutsche Wohnen SE for infringements of the General Data Protection Regulation (GDPR).

Facts and legal evaluation by Berlin DPA

Deutsche Wohnen SE is a real estate company which was accused of having used an archiving system for the storage of personal data of tenants which did not allow for the erasure of data that was no longer necessary. According to the Berlin DPA, the affected data included information about the personal and financial circumstances of tenants, such as payslips, self-disclosure forms, extracts from employment and training contracts, tax data, social security and health insurance data and bank statements. This alleged non-compliance with data protection rules had already been flagged by the Berlin DPA after an on-site audit in June 2017. Another audit in March 2019 showed that Deutsche Wohnen SE was still unable to demonstrate either a clean-up of its database or legal grounds for the continued storage. Deutsche Wohnen SE did initiate a project to technically remedy the potential non-compliance, but the supervisory authority found that these measures had not led to the establishment of a lawful state of storage of the data. The authority could not, however, prove that personal data had been unlawfully accessed or disclosed to third parties.

Nevertheless, the Berlin DPA considered the archiving in itself, without any possibility of erasing data that was no longer necessary or that had even been collected without a legal ground in the first place, to be an infringement of the data protection by design requirement under Article 25 (1) GDPR as well as of the general processing principles set out in Article 5 GDPR. Article 25 (1) GDPR requires data controllers – subject to additional preconditions – to provide for appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR and protect the rights of data subjects. Article 5 (1) GDPR includes inter alia the obligation that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).

Calculation of the administrative fine

When calculating the specific amount of the fine, the Berlin DPA apparently applied the recently published fining guideline of the German supervisory authorities.

Taking into account Deutsche Wohnen SE’s annual turnover in 2018 of “more than one billion Euros” (the exact turnover was EUR 1,438,000,000), the upper limit for the fine was “approx. EUR 28 million”. An interesting point to mention is that the Berlin DPA apparently only applied the 2% of annual revenues maximum for an infringement of Article 25 GDPR (see Article 83 (4) (a) GDPR) and not the 4% of annual revenues maximum for an infringement of Article 5 GDPR (see Article 83 (5) (a) GDPR). If the 4% category had been applied, the maximum fine would have been about EUR 57 million in the case at hand. However, the Berlin DPA seems to be well aware that – at least in Germany – the general principles set out in Article 5 GDPR are not precise enough to serve as a basis for sanctions.

For the specific determination of the amount of the fine, the supervisory authority considered the following aggravating and mitigating factors:

  • The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the affected data had been processed in an inadmissible manner over a long period of time was considered as particularly aggravating.
  • As mitigating factors, it was taken into account that the company had taken initial measures to remedy the situation and had cooperated well with the supervisory authority. In view of the fact that the company could not be proven to have improperly accessed the inadmissibly stored data, a fine in the middle range of the predetermined fine framework was regarded as appropriate.

In addition to the sanction for the structural non-compliance, several smaller fines between EUR 6,000 and EUR 17,000 were imposed for the inadmissible storage of personal data of tenants in 15 specific individual cases.

The risks of “data cemeteries”

In the press release, Maja Smoltczyk, the head of the Berlin DPA, stated:

Unfortunately, in supervisory practice we often encounter data cemeteries such as those found at Deutsche Wohnen SE. The explosive nature of such misconduct is unfortunately only made aware to us when it has come to improper access to the mass hoarded data, for example in case of cyber-attacks. But even without such serious consequences, we are dealing with a blatant infringement of the principles of data protection, which are intended to protect the data subjects from precisely such risks. It is gratifying that the legislator has introduced the possibility of sanctioning such structural deficiencies under the General Data Protection Regulation before the worst-case scenario data breach occurs. I recommend all organizations processing personal data to review their data archiving for compliance with the GDPR.

The administrative sanction is not yet final. Deutsche Wohnen SE has already announced that it will challenge the fine in court. The competent court of first instance will be the Regional Court (Landgericht) Berlin. The company pointed out that the archiving solution in dispute has been replaced in the meantime and stressed again that no personal data of tenants has been disclosed to third parties in an inadmissible way.