On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release here in German). It is the highest GDPR fine imposed so far in Germany.

Deutsche Wohnen SE owns 100,000 rental apartments in Berlin. In 2017, the SA started an investigation against the company after receiving a complaint by one of the company’s tenants. An inspection of the company’s data archiving systems in June 2017 revealed that these systems did now allow the company to delete obsolete personal data. Moreover, the SA found that Deutsche Wohnen stored tenants’ personal data “without checking if this was legal or even necessary”. According to the SA, the company was also retaining data relating to the tenants’ personal life and creditworthiness considerably longer than necessary to fulfil the purpose for which the data was initially collected. The SA newly inspected the company in March 2019. Following the SA’s second inspection, the SA decided that the company had not done enough to overcome the deficiencies identified during the SA’s first inspection.

The SA used Germany’s new calculation model for data protection to determine the amount of the fine. The SA classified Deutsche Wohnen’s offences as moderately severe. The SA took into account the following four factors: (i) that the systems did not contain special categories of data, (ii) that the data had not been transferred to any third parties, (iii) that it could not be proven that the company had used the unlawfully stored personal data, and (iv) that Deutsche Wohnen had been cooperative during the investigation.

Deutsche Wohnen publicly announced its intention to appeal the decision.