Published on Monday, December 16, 2019 - 14:11 by Martin Fletcher
The Berlin Supervisory Authority has imposed a large monetary penalty on the real estate company Deutsche Wohnen SE for a failure to remove unneeded personal information from its databases.
In separate investigations of the organisation in June 2017 and March 2019, the regulator stated that the organisation was holding data on previous tenants in a system from which it was not possible to delete them. The information included personal and financial records of individuals, such as salary, self-declaration forms, copies of work and apprenticeship contracts, tax, social and health insurance data, and bank account details.
After the 2017 inspection, the regulator made an urgent recommendation that the organisation change its archiving system to allow for deletions. It was also told that a further inspection would take place to check that this action had been carried out. However, when the follow-up inspection occurred, it was found that Deutsche Wohnen was still using the same system.
The organisation had an annual turnover in 2018 of over a billion euros. Due to the size of the organisation, the regulator had the power to impose a fine of anything up to €28 million for this infraction.
On top of the penalty issued for failing to follow the recommendation of the regulator, the company was also fined amounts of between €6,000 and €17,000 for 15 specific instances where tenants' data had not been deleted.
Berlin Information Commissioner, Maja Smoltczyk, explained the rationale behind such a large penalty:
“Data graveyards, such as that found at Deutsche Wohnen SE, are unfortunately common within organisations we investigate. The risks of these are often only realised by the data controller when it is too late and a large amount of information is lost, for example through a cyber attack. Even in cases where this hasn’t occurred, we have shown with this penalty that there are other major risks of not following the law. It is a key part of the regulation that we are able to sanction organisations and force changes in processing before major incidents occur. In light of this I would strongly recommend all data controllers review their archiving systems to check they are GDPR compliant.”
Deutsche Wohnen SE still has the opportunity to contest the penalty they have been issued with.