Real Estate Company Fined € 14.5 Million in Germany for Violating GDPR Principle of Privacy by design
Deutsche Wohnen SE owns 100,000 rental apartments in Berlin fined with 14,5M euro which is among the highest GDRP Fine.
In 2017, the SA started an investigation against the company after receiving a complaint by one of the company’s tenants. An inspection of the company’s data archiving systems in June 2017 revealed that these systems did now allow the company to delete obsolete personal data.
Moreover, they found that all date is stored “without checking if this was legal or even necessary”.
According to the SA, the company was also retaining data relating to the tenants’ personal life and creditworthiness considerably longer than necessary to fulfil the purpose for which the data was initially collected.
The SA newly inspected the company in March 2019. Following the SA’s second inspection, the SA decided that the company had not done enough to overcome the deficiencies identified during the SA’s first inspection.
The SA used Germany’s new calculation model for data protection to determine the amount of the fine. The SA classified Deutsche Wohnen’s offences as moderately severe. The SA took into account the following four factors: (i) that the systems did not contain special categories of data, (ii) that the data had not been transferred to any third parties, (iii) that it could not be proven that the company had used the unlawfully stored personal data, and (iv) that Deutsche Wohnen had been cooperative during the investigation.
Determination of the Amount of the Fine
Due to the worldwide turnover of more than one billion euros reported in the annual report of Deutsche Wohnen SE for 2018, the statutory scope for determining the fine for the data protection violation was initially around €28 million, according to the press release. However, the Berlin Commissioner took into account the fact that Deutsche Wohnen SE cooperated with the Berlin Commissioner, took steps to rectify the situation, and did not otherwise abuse the retained data, which limited the amount of the intended fine to €14.5 million.
The fine is not yet final as it may still be appealed.