On 5 November 2019, the Berlin Commissioner for Data Protection and Freedom of Information ("the Berlin DPA") imposed a fine of €14.5 million against the German landlord Deutsche Wohnen SE ("DW") for retaining its tenants' personal data contrary to GDPR. The Berlin DPA's decision is not yet final, and the level of the proposed fine is yet to be determined following DW's appeal.
The facts of the case and nature of the breach
An audit of DW's systems by the Berlin DPA in June 2017 indicated that these were not GDPR-compliant, because an archiving function allowed the systems to retain information of tenants for longer than necessary. The affected data was of a personal and financial nature and included payslips, employment details, bank statements, social security and insurance information and extracts from employment contracts.
DW were instructed by the Berlin DPA to implement GDPR-compliant systems. However, while corrective measures had been taken, a further audit by the Berlin DPA in March 2019 found that DW were still unable to demonstrate that the unnecessary data had been wiped, nor were they able to demonstrate legal grounds for the retention of that data. Therefore, the systems had not been made GDPR-compliant following the instructions from the Berlin DPA.
What does the GDPR say about data retention?
GDPR introduced stricter requirements regarding the length, nature and purpose of retention of personal data than were previously in place. Under Article 5(e) of GDPR, personal data shall only be kept for a period that is "no longer than is necessary" for the purposes of processing that data. Therefore, there must be a legal basis for retaining personal data. Further, Recital 39 of GDPR indicates that compliance with data retention rules under GDPR will require the data retention period to be limited to a "strict minimum".
Size of the fine and the calculation method
To date, this is the largest proposed fine that has been issued in Germany resulting from a GDPR breach. DW intend to challenge the size of the proposed fine.
It is also the first time that the Berlin DPA has used the new model for calculating fines pursuant to Art. 85 of GDPR. The new calculation method allows the size of a group of companies to be used as the basis for calculating fines for a breach of GDPR. The size of the group of companies in this case has arguably increased the proposed fine. This principle is the subject of ongoing debate in Germany; it is therefore difficult to tell whether such large fines will become the norm for infractions in the future.
This case offers some insight into how landlords (and others) can prevent a breach of GDPR and avoid the consequences of such a breach. Some suggestions are:
- if in the course of business you need to process sensitive personal data of tenants or other parties, establish a policy clearly setting out the length of your data retention period and the bases on which you retain data. Set this out in writing in a privacy notice and communicate this notice to the data subjects, implement the policy in IT systems, and conduct internal audits to ensure that the data is deleted once the retention period has expired;
- if your organisation is unable to implement such a policy, investigate whether you can buy in an appropriate service. The Berlin DPA indicated that the fine in this case may have been lower because such options were available and not taken; and
- finally, if the ICO recommends measures to bring your data processing systems up to a GDPR-compliant standard, ensure that those recommendations are implemented. DW had already been audited by the Berlin DPA, with no fine levied for the first finding of non-compliance. It seems that progress had been made towards compliance; however, the size of the proposed fine in this case arguably reflects that the Berlin DPA's recommendations were not fully implemented in the 20 months between the two audits.