Data storage failings lead to GDPR fine in Germany

Berlin's data protection commissioner Maja Smoltczyk issued the fine after it identified failings in the way the company stored personal data. The fine is not final and Deutsche Wohnen has a right to appeal.

The Berlin authority said it had first identified problems with Deutsche Wohnen's data storage practices when it conducted a data protection audit of the company in June 2017.

The authority found that the company stored personal data about tenants, including salary statements, details of the terms of their employment, tax, social security and health insurance data, and bank statements, among other information, on an archive system. However, it said some of the data was stored on the system for years and no longer served the purpose it was originally collected for, and has further claimed that the company did not make provision for the removal of the data from the archive.

The data protection commissioner revisited Deutsche Wohnen's premises in March this year to carry out a follow-up audit. While it found the company had taken some steps towards addressing the problems identified in June 2017, it determined that the measures had not been sufficient and that the company's storage of personal data was unlawful.

Deutsche Wohnen could have faced a fine of up to approximately €28 million for the breach, but the Berlin authority said it has levied a lower penalty in recognition of the company's cooperation with its investigations, the lack of evidence to show the company had misused its access to the data it stored unlawfully, and because it had taken initial steps to address the failings it had identified.

The Berlin commissioner said that she has additionally imposed separate fines on Deutsche Wohnen, each between €6,000 and €17,000, over its alleged unlawful storage of tenants' data in 15 specific cases.

Data protection law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law, said: "The Berlin authority has based its fine on a violation of Articles 5 and 25 of the GDPR, the latter of which concerns the concept of privacy by design and bydefault. Whether or not Deutsche Wohnen will be successful in challenging the fine to a large extent depends on what exactly the Berlin authority means when it said that the fine was justified because Deutsche Wohnen 'used an archiving system that did not provide for the possibility to delete data that is no longer required'."

"Did the authority take into account, for example, whether tax law required Deutsche Wohnen to keep relevant documents unredacted and unmodified until expiry of the retention period? This would arguably provide Deutsche Wohnen with a statutory basis under the GDPR for the lawful storage of the data, in which case was it the continuous storage after expiry that the authority held to fall foul of the GDPR requirements? Challenging the finding of non-compliance in such circumstances would probably be difficult," he said.

"However, if the Berlin authority has adopted its decision based only on a high-level understanding that the archiving system's design did not technically allow for deletion of data that is no longer necessary to retain, without actually identifying specific data that actually has been kept on file longer than required, then there may be more room for getting the fine revoked," Appt said. "Vague application of legal terms and principles, such as that of privacy by design, by regulators could call into question the enforceability of the fines they issue."