On October 30, 2019 Berlin’s Data Protection Authority imposed a fine of 14.5 million Euros on the property company Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR). This fine far exceeds the previous German record of some EUR 200,000 levied against Delivery Hero Germany, and is among the steepest penalties ever imposed in Europe for violations of data protection laws. It also shows that the German state data protection authorities are now also making use of the ability to impose such punitive fines conferred by the GDPR.
It was determined by Berlin's data protection authority as early as June 2017 that Deutsche Wohnen SE had stored tenants' personal data in an archive system from which data that was no longer needed could not be erased. Despite having been instructed to rectify the violation, an on-site inspection in March 2019 revealed that little had changed. According to Art. 5 GDPR, companies may only store and process personal data for as long as required to accomplish the purpose for which they were collected. Furthermore, companies that process personal data are required by Art. 25 GDPR to ensure through technological design and default that data protection principles are implemented effectively. According to the Data Protection Authority, this was and is not assured by the systems operated by Deutsche Wohnen SE.
In calculating the penalty, the supervisory authorities apparently based their calculations on the new model of the German federal government and states' independent data protection supervisory authorities (DSK) that was recently published (Information regarding the new calculation method for financial penalties can be found in our Newsletter Update Data Protection No. 67). In fact, the fine could have been much larger under this model. Deutsche Wohnen SE is a company whose 2018 turnover totaled more than EUR 1 billion (to be precise: EUR 1,438,000.00). The upper limit for the fine applied by the authorities was about EUR 28 million. The data protection authority apparently utilized the 2% of turnover limit for violations of Art. 25 GDPR, rather than the 4% of turnover limit for violations of Art. 5 GDPR. In theory, a financial penalty of as much as EUR 40 million could have been imposed against Deutsche Wohnen SE. The authorities took into account all incriminating and mitigating factors for the precise calculation of the fine, as provided for by law. Weighing against Deutsche Wohnen SE was the fact that the company consciously designed the archival structure in use, and the relevant data was improperly processed over an extended period of time. In mitigation of a more severe penalty, it was taken into account that the company had indeed taken initial steps to rectify the violation, and had formally cooperated well with the supervisory authorities. The fact that no examples of inappropriate use by the company of the illegally stored data could be found also mitigated against the imposition of a larger fine. In addition to the penalty in the amount of EUR 14.5 million, Deutsche Wohnen is also obligated to pay fines of several thousand Euros in 15 individual cases.
Deutsche Wohnen SE has announced that it will appeal the penalty notice.
The Deutsche Wohnen SE case demonstrates that the dreaded era of fines totaling in the millions has now arrived in Germany as well. After the imposition of this record penalty against Deutsche Wohnen SE, an inescapable question arises: Will other companies be similarly targeted by the data protection authorities? This concern seems not unfounded since, according to the Berlin supervisory authorities, "data cemeteries" of the type found at Deutsche Wohnen SE are quite common in practice.
The ruling of Berlin's Data Protection Authority also shows that fines in the millions may be levied even in cases where neither data leaks or misuse nor material damages have occurred. Companies should take note of the proceedings against Deutsche Wohnen SE and make use of the occasion to once again scrutinize and review how they handle data. It is not sufficient in this regard to only implement a process that allows for the erasure of unneeded data; this erasure must also be carried out. One problem here is presented by the fact that some data are subject to a statutory obligation to preserve records, and the data that is subject to such an obligation may not be erased. Examples of such regulations are found in the German Commercial Code and the Tax Code. Implementing a system in compliance with the exigencies of data protection law thus requires the deployment of considerable financial, technical, and legal resources. However, it is the only option for mitigating the significant risk of incurring a financial penalty.