Administrative fine of 14.500.000 Euro imposed against German Real Estate Company
How did the violation come About
During an on-site inspection by the Data Authority in June 2017, the Data Authority observed that the real estate company was using an archive system that did not provide an option to delete personal data that was no longer necessary in relation to the purposes for which they were processed. Personal data of tenants was therefore archived without checking if storing this data was lawful.
The Data Authority issued a warning in June 2017 and suggested to change the archive system. In another on-site inspection in March 2019 the real estate company did neither have a new archive system, had not deleted the unlawful storage personal data of tenants nor could they provide legal grounds for the ongoing storage of the personal data.
Storaged data over several years old
During the second on-site inspection the officers found personal information of tenants from years ago, that was – in the opinion of the Berlin Data Protection Authority - not necessary in relation to the initial purpose. Next to pay slips, self-disclosures, employment and training contracts the officers also found tax information, social and health insurance data as well as account statements from former clients. The unlawfully storaged personal data in numerous ways revealed the personal and financial circumstances of the data subjects.
How did the imposed fine sum up?
The GDPR regulations state that infringements can be subject to administrative fines up to 20 000 000 euros, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Before this case, the highest administrative fine issued in Germany after the application of the GDPR reached the total of 80.000 euros.
The annual turnover of the preceding financial year 2018 amounted to more than one billion euros. Therefore, the legal frame for the administrative fine summed up to approximately 28 million euros. The data authority imposed an administrative fine in midrange of the legal frame, because there was no proof of misusing the unlawfully storage data.
The real estate company does not seem to admit to their failure and has announced to take legal steps against the penalty notice.
Article provided by:
Dr. Jens Eckhardt, dmp Derra, Meyer & Partner PartGmbB
Fachanwalt für IT-Recht
Vorstand (Recht) Eurocloud Deutschland _eco e.V.
Nils Steffen, Meyer & Partner PartGmbB
www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf (Tpoical at 10. December 2019)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, firstname.lastname@example.org