On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).
The Berlin DPA considered retaining data substantially longer than necessary a breach of the GDPR, in three respects: first, the controller did not have a legal ground to store personal data longer than was necessary; second, this was considered an infringement of the data protection by design requirements under Article 25 (1) GDPR; and, finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
Infringement of deletion obligations
Deutsche Wohnen failed to establish a GDPR-compliant data retention and deletion procedure for tenants’ personal data. This was aggravated by the fact that in 2017, the Berlin DPA had already flagged the non-compliance with its retention obligations during an on-site audit. Although Deutsche Wohnen had taken initial measures to remedy the non-compliance, the supervisory authority revealed during its second audit in 2019 that these measures had not led to the establishment of a GDPR compliant archiving system as Deutsche Wohnen was still unable to demonstrate a clean-up of its database or legal grounds for the ongoing storage.
The head of the Berlin DPA recently gave some background in an interview. She said that Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods as such solutions are commercially available.
The Berlin DPA’s decision is not yet final and Deutsche Wohnen has already announced that it will challenge the fine in court.
Following multi-million Euro GDPR fines in France and the UK, it is clear that German DPAs are joining the club. The Berlin DPA developed the new fining model (referred to earlier) and has been the first of the German DPAs to use it. It would seem that German DPAs will enforce the GDPR vigorously.
The decision of the Berlin DPA emphasises the importance of getting into the detail of records management and the data deletion lifecycle. The Bavarian DPA has recently announced it will focus on this area too. It is becoming clear that the German DPAs attach particular importance to personal data deletion given the capacity for “data graveyards” to cause unnecessary risk and harm to data subjects particularly where cyber breaches occur.
Implementing formal records management policies has not been widespread in Germany to date. This will have to change.