On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release here in German). It is the highest GDPR fine imposed so far in Germany.

Deutsche Wohnen SE owns 100,000 rental apartments in Berlin. In 2017, the SA started an investigation against the company after receiving a complaint by one of the company’s tenants. An inspection of the company’s data archiving systems in June 2017 revealed that these systems did now allow the company to delete obsolete personal data. Moreover, the SA found that Deutsche Wohnen stored tenants’ personal data “without checking if this was legal or even necessary”. According to the SA, the company was also retaining data relating to the tenants’ personal life and creditworthiness considerably longer than necessary to fulfil the purpose for which the data was initially collected. The SA newly inspected the company in March 2019. Following the SA’s second inspection, the SA decided that the company had not done enough to overcome the deficiencies identified during the SA’s first inspection.

The SA used Germany’s new calculation model for data protection to determine the amount of the fine. The SA classified Deutsche Wohnen’s offences as moderately severe. The SA took into account the following four factors: (i) that the systems did not contain special categories of data, (ii) that the data had not been transferred to any third parties, (iii) that it could not be proven that the company had used the unlawfully stored personal data, and (iv) that Deutsche Wohnen had been cooperative during the investigation.

Deutsche Wohnen publicly announced its intention to appeal the decision.

Print:
EmailTweetLikeLinkedIn
Photo of Lars Lensdorf Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry…

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/ industry 4.0, IT related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he is also focused on interfaces to other practice areas to the extent that IT related matters are affected, e. g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.

Photo of Ulrike Elteste Ulrike Elteste

Ulrike Elteste is an experienced technology, media and intellectual property lawyer in the firm’s Frankfurt office. She also advises on related regulatory aspects, in particular, privacy law, financial services supervisory law, and telecommunications law. She is regularly involved in cross-border transactions with a…

Ulrike Elteste is an experienced technology, media and intellectual property lawyer in the firm’s Frankfurt office. She also advises on related regulatory aspects, in particular, privacy law, financial services supervisory law, and telecommunications law. She is regularly involved in cross-border transactions with a focus on technology or IP. Ulrike also represents clients in commercial and IP litigation.