The real estate company Deutsche Wohnen must pay 14.5 million euros fine for breach of data protection. As early as June 2017, it had been established that the company had stored personal data of tenants in an archive system in which data that was no longer required could not be deleted, as reported by the Berlin data protection officer. Despite the request, there was little change in the situation until an on-site investigation in March this year.
The Berlin Data Protection Commissioner has now issued a corresponding fine notice. According to the current state of knowledge, this is the second highest fine ever imposed in Europe for breaches of data protection - and the highest in Germany.
In the present case, it was a "blatant violation of the principles of data protection," said Berlin Commissioner Maja Smoltczyk. When setting the amount of the fine, it was disadvantageous for Deutsche Wohnen that the Group had deliberately created the rejected archive structure and had processed the data in question over a long period of time.
According to Article 5 of the General Data Protection Regulation (DSGVO), companies may only store and process personal data as long as they are necessary for the purpose for which they were collected. Therefore, for example, data from former tenants who have long been living elsewhere or from applicants with whom no lease has been entered, must be deleted. The data that Deutsche Wohnen had stored was information on personal and financial circumstances, such as salary certificates, excerpts from employment and training contracts, tax, social and health insurance data and health insurance statements.
A fine could have been higher
"Data cemeteries, such as those we found at Deutsche Wohnen SE, are unfortunately often encountered in supervisory practice," said Smoltczyk. Unfortunately, the explosiveness of such abuses is only becoming clear when - for example through cyberattacks - abusive accesses to the massively hoarded data have occurred.
In order to calculate the amount, the privacy advocates drew on, among other things, the company's worldwide sales of more than one billion euros in the previous year. Accordingly, the fine with up to 28 million euros could have been significantly higher. In addition, the data protection agencies imposed further fines ranging from 6,000 to 17,000 euros for inadmissible storage of personal data of tenants in 15 specific cases.
According to the data protection authority, the fine is not yet final. The real estate company can still appeal. Deutsche Wohnen has not yet commented on the allegations.
Deutsche Wohnen is a publicly traded housing company with more than 100,000 apartments in Berlin alone. In Berlin, a citizens' initiative has joined forces, which accuses the real estate company to increase the rents in the capital and therefore requires its expropriation.