Data cemetery undertakers will be punished2nd December 2019
On 30 October 2019, the Berlin Commissioner for Data Protection and Freedom of Information, “Berlin DPA“, exacted a regulatory fine of around €14.5 million against Deutsche Wohnen SE for violations against the General Data Protection Regulation (GDPR).
Deutsche Wohnen SE, a real estate firm, stands accused of using a permanent archiving system for the storage of personal data including tax data, payslips, self-disclosure forms, and extracts from employment contracts of tenants.
The Berlin DPA had already flagged this alleged non-compliance with data protection rules after an on-site audit in June 2017. A further inspection in March 2019 revealed that Deutsche Wohnen SE still couldn’t demonstrate a clean-up of its database or any legal reason for the continued storage.
Deutsche Wohnen SE did initiate a project to remedy the potential non-compliance technically. Still, the supervisory authority found that these measures had not led to any resolution. However, the body couldn’t either prove the disclosure of personal data to third parties or that it had been unlawfully accessed.
Nevertheless, the Berlin DPA already acknowledged the archiving as an infringement of the data protection by design requirement under Article 25 (1) GDPR as well as of general processing principles set out in Article 5 GDPR.
In a press release, Maja Smoltczyk, the head of the Berlin DPA warned of the dangers of such ‘data cemeteries’, should there be a cyber attack.
Taking into account Deutsche Wohnen SE’s 2018 annual turnover of €1,438,000,000, the upper limit for the fine was at “approx €28,000,000”. Also, the company suffered several additional penalties, between €6,000 and €17,000, for the unacceptable storage of fifteen separate tenant cases.
With the administrative penalty not yet final; Deutsche Wohnen SE has already stated that it will challenge the fine in court. The company argues that they’ve resolved the problem and that no third parties shared in the tenant’s sensitive data. This case poses a stark warning to any companies processing personal data to review their archiving facilities and their compliance with the GDPR.
Protect your business and your reputation
If you’re worried about gaps in your archiving or in failing to comply with complex GDPR regulations, speak to our specialists today. We pride ourselves on saving organisations like yours from these costly fines – 01673 88 55 33.