Berlin: Berlin Commissioner fines Deutsche Wohnen €14.5M for GDPR violations
The Berlin data protection authority ('the Berlin Commissioner') announced, on 5 November 2019, that it had fined Deutsche Wohnen SE €14.5 million for violations of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') following on-site investigations. The Berlin Commissioner outlined that Deutsche Wohnen had stored tenant personal data on an archiving system from which it was impossible to delete such data, and that tenant personal data had been stored without verifying if such data was permitted, or even required. In particular, the Berlin Commissioner highlighted that the tenant personal data included information on the personal and financial circumstances of tenants, such as salary certificates, self-disclosure declarations, excerpts from employment and training contracts, tax, social, and health insurance data, and bank statements.
Furthermore, the Berlin Commissioner noted that, after its initial audit in 2017, it had issued an urgent recommendation to Deutsche Wohnen to change its archiving system but that Deutsche Wohnen had not complied as of March 2019, following a second audit. The Berlin Commissioner stipulated that it therefore fined Deutsche Wohnen for violating Articles 25(1) and 5 of the GDPR on Privacy by Design and Default, and principles relating to processing of personal data between May 2018 and March 2019. In addition, the Berlin Commissioner noted that the amount of the fine was initially calculated to be €28 million, as Deutsche Wohnen had reported sales of over €1 billion in 2018. Mitigating factors in the calculation of the final amount included Deutsche Wohnen's cooperation and attempts to rectify the issue, but aggravating factors included the creation of the offending archiving system and that the affected data was processed inappropriately over a long period of time.
The Berlin Commissioner concluded that the fining decision is not final, and that Deutsche Wohnen can appeal against the fine.
You can read the press release, only available in German, here.
UPDATE (4 December 2019)
EDPB announces Berlin Commissioner fine against Deutsche Wohnen
The European Data Protection Board ('EDPB') announced, on 3 December 2019, that the Berlin Commissioner had fined Deutsche Wohnen €14.5 million for GDPR violations. In particular, the EDPB noted that during on-site inspections in June 2017 and March 2019, Berlin Commissioner found that the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required.
Furthermore, the EDPB highlighted that the decision to impose a fine has not yet become final, and that Deutsche Wohnen has the right to lodge an appeal against the fine.
You can read the press release here.