7 November 2019 | By Michael Thaidigsmann
German property company slapped with €14.5m fine for GDPR infringements
Berlin’s Data Protection Authority has imposed the second-highest fine ever for infringements of EU rules on data protection.
The Berlin-based residential property company Deutsche Wohnen SE (DW), which owns an estimated 160,000 residential properties, has been ordered to pay a penalty of €14.5 million for violating provisions of the General Data Protection Regulation. It is the second-highest fine ever imposed in Europe for breach of GDPR rules.
Berlin’s Data Protection Commissioner Maja Smoltczyk said DW had failed to delete sensitive personal information about residents. Her authority had established that the company illegally kept data of its former tenants regarding their financial solvency, work contracts, salary slips, tax declarations and social security information, as well as bank account statements, in its IT system.
The company’s database did not allow for the deletion of that data, in contravention of Article 25 of the GDPR, Smoltczyk said in a press release. Furthermore, according to the basic principles established in Article 5 of the regulation, organisations may only keep data where that is necessary “in relation to the purposes for which they are processed.”
Information belonging to tenants who had moved out of DW-owned properties therefore ought to have been deleted, she pointed out. “Alas, we often encounter the sort of data cemeteries which we discovered at Deutsche Wohnen SE. The importance of such deficits becomes unfortunately only evident when there is improper access to hoarded data sets, e.g. through cyberattacks.” However, even in the absence of such an attack, the fact that DW had kept sensitive personal data in its database constituted a “blatant breach of fundamental principles of data protection,” Smoltczyk declared.
Smoltczyk has been Berlin’s state commissioner for data protection since 2016. Her office had been investigating DW since 2017 and repeatedly urged the company to adapt its data management to the new GDPR rules, which entered into force in May 2018. At a second check in March 2019, it had become evident that DW had not addressed the concerns, the data protection commissioner said in her statement. Moreover, some datasets had been deliberately and illegally maintained.
The basis for calculating the potential maximum fine had been DW’s 2018 turnover of €1 billion, which would have allowed for a maximum fine of €28 million, Smoltczyk said. As mitigating factors which had led to a lowering of the penalty imposed on the company, the data protection commissioner cited that DW had cooperated formally with her office and that there was no evidence that the data in question had been improperly accessed by third parties.
However, DW’s system had potentially given insights into the private lives of a huge number of people, she emphasized in an interview with the Berlin newspaper Der Tagesspiegel.