Relevance for and Impact on the Real Estate Industry
At the end of October 2019, the Berlin Commissioner for Data Protection and Freedom of Information imposed a fine of about EUR 14.5 million against a German residential real estate company for various violations of the EU General Data Protection Regulation (GDPR). The fine is not yet legally binding but, reportedly, has been appealed. However, irrespective of the outcome of the appeal, the sanctioning measures taken by the Berlin Data Protection Commissioner show that GDPR compliance must be taken seriously by all companies in the real estate industry.
Relevance of fine extends beyond residential real estate companies
Given that the amount of the fine was calculated based on the company’s annual turnover, GDPR compliance is particularly crucial for residential real estate companies with large portfolios. As demonstrated in this case, fines can easily amount to millions of euros. However, it is important to note that real estate companies from other sectors also need to comply with GDPR – whether they are office space owners storing contact data of their tenant employees, shopping mall owners with a security concept that involves the operation of video surveillance cameras, or other real estate companies that process personal information about individuals by other means.
The decision of the Berlin Data Protection Commissioner
According to the Berlin Data Protection Commissioner, the GDPR fine was imposed upon the German company because the company had used a tenant-data archive system that did not allow for deletion of legacy data. According to the commissioner, this constituted a violation of the GDPR’s data-processing principles as well as the obligation to introduce appropriate technical and organizational measures designed to implement such principles (privacy by design).
Paradigm shift in the calculation of fines
The fine of some EUR 14.5 million is by far the highest fine ever issued by a German data protection authority for GDPR violations. It exceeds by many times the previous maximum fine of EUR 195,000 that the Berlin Data Protection Commissioner had imposed on a food delivery service in September 2019, and shows a paradigm shift in the calculation of fines by German data protection authorities.
Shortly before this most recent fine, in mid-October 2019, the German authorities published a model for the calculation of GDPR fines. According to the model, fines shall be calculated based on the company’s turnover from the previous year, which amount will be used by the authorities to calculate a daily rate. That rate will then be multiplied by a factor between one and 12 (depending on the severity of the GDPR violation).
According to the Berlin Data Protection Commissioner, the EUR 14.5 million fine was only “in the middle range”. This means that even higher sanctions for GDPR violations are possible in the future.
Don’t wait; act now
To mitigate against the risk of substantial government fines, real estate companies should immediately review their data processing activities for compliance with GDPR requirements. Failure to ensure data processing activities are in compliance with GDPR could mean receipt of a violation notice from the Data Protection Commissioner in the near future.