German Supervisory Authority Imposes a Fine on Real Estate Company for Storing Unnecessary Data in Violation of the GDPR
On October 30, 2019, the Berlin Commissioners for Data Protection (the "Supervisory Authority") imposed a fine of 14.5 million euros on Deutsche Wohnen SE, one of the leading property companies in Germany, for violations of Articles 5 and 25(1) of the General Data Protection Regulation (GDPR).
Article 5 of the GDPR requires, inter alia, that data controllers do not keep personal data for “longer than is necessary for the purposes for which the personal data are processed.” Article 25(1) of the GDPR, in turn, requires organizations to embed data privacy features and data privacy enhancing technologies directly into the design of data processing systems.
During an on-site inspection in June of 2017, the Supervisory Authority discovered that the company used an archive system for storing tenants' personal data that provided no way to remove data that was no longer required. Personal data was stored without checking whether the storage was permissible or necessary. Indeed, the inspection revealed that the company retained tenants' personal data that was no longer necessary for the purposes of the original collection, including salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data, and bank statements.
At the time of the original inspection, the Supervisory Authority recommended an adjustment of the archive system. However, in March of 2019, nine months after the GDPR began to apply, the company was still unable to demonstrate a clean-up of its database or present legal reasons for the continued storage of archived data. Even though the company eventually made some efforts to comply with the regulatory requirements, the Supervisory Authority found them to be insufficient and imposed a mandatory fine.
The fine imposed by the Berlin Commissioners for Data Protection is at least the second recent fine imposed by European supervisory authorities for violation of the data protection by design principle. It is therefore fundamental for companies subject to the GDPR to carefully consider privacy compliance issues when designing and maintaining their systems and processes.