BlnBDI (Berlin) - 711.412.1: Difference between revisions

From GDPRhub
No edit summary
(nitpick capitalisation)
Line 17: Line 17:
|Type:||Investigation
|Type:||Investigation
|-
|-
|Outcome:||Violation found
|Outcome:||Violation Found
|-
|-
|Decided:||30. 10. 2019
|Decided:||30. 10. 2019

Revision as of 16:07, 3 March 2022

BlnBDI - Deutsche Wohnen SE decision
Authority: BlnBDI (Berlin)
Jurisdiction: Germany
Relevant Law: Article 5 GDPR, Article 25(1) GDPR

Type: Investigation
Outcome: Violation Found
Decided: 30. 10. 2019
Published: 5.11.2019
Fine: 14,500,000 EUR
Parties: Deutsche Wohnen SE
National Case Number: n/a
European Case Law Identifier: n/a
Appeal: Under appeal BlnBDI
Original Language: German
Original Source: datenschutz-berlin.de

The Berlin DPA (BlnBDI) fined the real estate company Deutsche Wohnen SE € 14.5 million for violation of Article 5(1)(e) and Article 25(1) GDPR as the company's archive system was structurally unable to delete unnecessary data.

English Summary

Facts

After conducting investigations in June 2017, the DPA found that the controller was structurally not deleting data in its archive. Under the previous German Data Protection Act, the DPA requested that the archive system for tenants' personal data be changed. When the situation was reviewed after the GDPR came into force, the DPA found that the company still did not comply.

Dispute

How do Article 5(1)(e) and Article 25(1) GDPR apply to archives?

Holding

The BlnBDI found that the archive system used for storing tenants' personal data, which did not provide any possibility of removing the personal data, violated Article 5(1)(e) and Article 25(1) GDPR. There was also no longer any legal basis for processing the personal data. The fine was calculated at EUR 14.5 million.

In addition, the DPA found 15 other violations of the rights of individual data subjects, which led to additional fines between 6,000 EUR and 17,000 EUR each.

In February 2021 the Berlin regional court annulled the fine on the basis that no specific act of the firm's management had led to the infringements. The Berlin Public Prosecutor's Office has now filed an appeal against this decision, arguing that, for the application of the GDPR, the mere establishment of an infringement, without the establishment of an active act by management, is enough to justify regulatory action.

Comment

This case has since been brought to the CJEU, where it has not yet been considered.


English Machine Translation of the Press release

The decision below is a machine translation of the original. Please refer to the German original for more details.

Berlin Commissioner for Data Protection and Freedom of Information imposes fine on real estate company 

On October 30, 2019, the Berlin Commissioner for Data Protection and Freedom of Information imposed a fine of approximately 14.5 million euros on Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR). During on-site inspections in June 2017 and March 2019, the supervisory authority determined that the company used an archive system for the storage of tenants' personal data which did not provide for the possibility of removing data that was no longer required. Tenants' personal data was stored without checking whether storage was permissible or even necessary.

In individual cases examined, it was possible to inspect tenants' private data, some of which were years old, without this data having served the purpose of its original collection. These were data on the personal and financial circumstances of the tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.

After the Berlin data protection commissioner had made an urgent recommendation to convert the archive system at the first inspection in 2017, the company was still unable to demonstrate any cleansing of its data stock or legal reasons for the continued storage in March 2019, more than one and a half years after the first inspection and nine months after the start of application of the General Data Protection Regulation. It is true that the company had made preparations to eliminate the irregularities found. However, these measures had not led to the creation of a lawful situation with regard to the storage of personal data.

The imposition of a fine for violation of Article 25(1) GDPR and Article 5 GDPR for the period between May 2018 and March 2019 was therefore mandatory. The General Data Protection Regulation obliges the supervisory authorities to ensure that fines are not only effective and proportionate in each individual case, but also deterrent.

The starting point for the calculation of fines is therefore, among other things, the worldwide turnover of the companies concerned in the previous year. Due to the annual turnover of more than one billion euros reported in the annual report of Deutsche Wohnen SE for 2018, the statutory framework for the calculation of fines for the data protection violation identified is approximately 28 million euros. The Berlin data protection commissioner used the legal criteria for the concrete determination of the amount of the fine, taking into account all aggravating and mitigating circumstances. The fact that Deutsche Wohnen SE had deliberately created the archive structure in question and that the data concerned had been processed in an inadmissible manner over a long period of time had a particularly negative effect. In contrast, the fact that the company had taken initial measures with the aim of rectifying the illegal situation and had cooperated well with the supervisory authority in formal terms was taken into account as a mitigating factor.

In addition to sanctioning this structural infringement, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the improper storage of tenants' personal data in 15 specific individual cases. The fine decision is not yet legally binding.

Maja Smoltczyk: "Data cemeteries, such as those we have found at Deutsche Wohnen SE, are unfortunately encountered frequently in supervisory practice. Accesses to the masses of hoarded data. But even without such serious consequences, this is a blatant violation of the principles of data protection, which are designed to protect those affected from precisely such risks. It is gratifying that the legislator has introduced the possibility of sanctioning such structural deficiencies in the General Data Protection Regulation before the data disaster occurs, and I recommend that all data processing bodies check their data archiving for compatibility with the GDPR."