On October 30th 2019, the Berlin Data Protection Authority (DPA) issued a fine of around 14.5 million Euros against Deutsche Wohnen SE for keeping data in breach of the General Data Protection Regulation (GDPR).Although this decision is mainly about the fact that the company was sanctioned for a breach of the privacy by design and by default principles as well as the other privacy principles (i.e. proportionality and storage limitation), this decision also provides a glimpse of how the authority worked out the amount of the fine.
What happened? (findings and procedure)
The DPA carried out two on-site inspection in 2017 and 2019 that revealed that the company’s archive system was not set to delete personal data that was no longer required or necessary for the purposes it was initially collected for and that personal data of tenants was stored without checking whether storage was permissible or even necessary. As a consequence, data revealing personal and financial circumstances (e.g. payslip, self-disclosure forms, employment contracts, tax, social security and health insurance data, bank statements…) were kept in breach of data protection requirements (i.e. proportionality and storage limitation principles).
Following its first inspection in 2017, the Berlin DPA recommended an adjustment of the archive system. However, it found out, during its second inspection, in March 2019, that the company had only made preliminary preparations to address the issue, had not cleaned up its database and was not able to provide any reason for keeping the data. The preliminary measures implemented being insufficient to consider the company compliant with the GDPR requirements, the DPA decided to serve a 14.5 million fine for infringement of Article 25 (1) GDPR (i.e. privacy by design and by default) and Article 5 GDPR (i.e. privacy principles).
Calculation of the fine
The starting point for the calculation of fines was the previous year’s worldwide turnover of the companies concerned. The annual turnover of Deutsche Wohnen SE exceeding 1.4 billion Euros according to its 2018 annual report, the upper limit for the fine for this kind of violation was around 28 million Euros (i.e. 2% of the annual worldwide turnover, which is surprising given the fact that it considered the company in breach of the article 5 which may be subject to a fine of up to 4% of the annual turnover).
Aggravating factors: Deutsche Wohnen SE had deliberately set up the archive structure and had processed the data concerned in an inadmissible manner over a long period of time .
Mitigating factors: the company took initial measures to remedy the illegal situation and cooperated formally well with the supervisory authority. It could not be proven the company had misused the data it was not supposed to kept in its database.
As a result, a fine of about half the upper limit was considered appropriate (14.5 M€)
The Berlin DPA served several additional fines from 6,000 and 17,000 Euros for prohibited storage of personal data of tenants in 15 specific individual cases as well.
The fine is not yet final as Deutsche Wohnen SE has still the right to appeal the decision.