The first multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place
On October 30, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) imposed a €14.5 million fine on a German real estate company, Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date.
The infraction related to the over-retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines recently issued by the German Datenschutzkonferenz (see post).
The Berlin DPA considered retaining data substantially longer than necessary a breach of the GDPR, in three respects:
- first, the controller did not have a legal ground to store personal data longer than was necessary;
- second, this was considered an infringement of the data protection by design requirements under Article 25 (1) GDPR; and,
- finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
Infringement of deletion obligations
Deutsche Wohnen failed to establish a GDPR-compliant data retention and deletion procedure for tenants’ personal data. This was aggravated by the fact that in 2017, the Berlin DPA had already flagged the non-compliance with its retention obligations during an on-site audit.
Although Deutsche Wohnen had taken initial measures to remedy the non-compliance, the supervisory authority found during its second audit in 2019 that these measures had not led to the establishment of a GDPR-compliant archiving system: Deutsche Wohnen was still unable to demonstrate a clean-up of its database or legal grounds for the ongoing storage.
The head of the Berlin DPA recently gave some background in an interview. She said that Deutsche Wohnen could have readily complied by implementing an archiving system that separates data with different retention periods, thereby allowing differentiated deletion periods, as such solutions are commercially available.
The Berlin DPA’s decision is not yet final and Deutsche Wohnen has already announced that it will challenge the fine in court.
Following multi-million Euro GDPR fines in France and the UK, it is clear that German DPAs are joining the club. The Berlin DPA developed the new fining model (referred to earlier) and has been the first of the German DPAs to use it. It would seem that German DPAs will enforce the GDPR vigorously.
The decision of the Berlin DPA emphasises the importance of getting into the detail of records management and the data deletion lifecycle.
The Bavarian DPA has recently announced it will focus on this area too. It is becoming clear that the German DPAs attach particular importance to personal data deletion, given the capacity for “data graveyards” to cause unnecessary risk and harm to data subjects, particularly where cyber breaches occur.
Implementing formal records management policies has not been widespread in Germany to date. This will have to change.