BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen: Difference between revisions
(Changed appeal court to LG Berlin) |
mNo edit summary |
||
| Line 70: | Line 70: | ||
=== Facts === | === Facts === | ||
The case itself concerns a publicly listed real estate enterprise (the controller), which holds participating interests in around 163 000 housing units and 3 000 commercial units. The companies who own theses units are subsidiaries of the controller and manage the operational side of the business. The controller, on the other hand, handles higher management. Among other things, the controller's business activities included the processing of tenants' personal data. The data handled include: proof of identity, data on health and social insurance, tax, and information relating to previous tenancies. | |||
On its own initiative, the Berlin Commissioner for Data Protection (the DPA) started an "on-the-spot" investigation into the controller. The DPA found that the controller's subsidiary companies were storing personal data of tenants in an electronic archive system, of which storage there was no apparent necessity and without a guarantee that personal data, which was no longer required, would be erased. | |||
The DPA required the controller to delete all the documents from its electronic archive by the end of 2017. The controller concerned refused to do so, stating that deletion was impossible for technical and legal reasons. In particular, deleting the documents would first require this old archive data to be transferred to a new archive system that is compliant with statutory retention obligations under commercial and tax law. The undertaking concerned and the authority then entered into an oral and written exchange concerning the deletion order. | |||
The | Three years later, in 2020, the DPA carried out another inspection and found that there had been no substantial change in the GDPR-infringing data storage. The controller responded to these findings by informing the DPA that the archive system, which it had objected to, had already been decommissioned and that the data would be migrated to the new system imminently. Consequently, the DPA issued a penalty order on the grounds that, in the period from 25 May 2018 to 5 March 2019, the controller concerned deliberately omitted to take the necessary measures to allow the proper deletion of tenant data that were no longer required or were otherwise wrongly stored. The DPA also alleged that the controller had continued to store personal data relating to at least 15 named tenants, even though it was known that this was not necessary or was no longer necessary. | ||
For the intentional infringement of Article 25(1) GDPR and [[Article 5 GDPR#1a|Article 5(1)(a),]] [[Article 5 GDPR#1c|(c),]] [[Article 5 GDPR#1e|and (e) GDPR]], the authority imposed a pecuniary penalty of €14,385,000, as well as 15 further pecuniary penalties each ranging from €3,000 to €17,000 for infringements of [[Article 6 GDPR#1|Article 6(1)GDPR]]. | |||
Following an objection by the controller, the Regional Court of Berlin discontinued the proceedings on the grounds that, under German law, a legal person could not be the party concerned by proceedings for an administrative fine, only a natural person can culpably commit an administrative offence. A legal person can only be a participant in the proceedings. | |||
A request for a preliminary ruling lodged by Kammergericht in relation to interpretation of [[Article 83 GDPR]] of whether fining an undertaking would require there to be a natural person who had, in his or her capacity as a representative of the undertaking committed the offense or shall this requirement be disregarded under primacy of EU law. | |||
The DPA | The processor explained the DPA that the checked archive had been decommissioned and the stored data had been transferred immediately to the new system. | ||
=== Holding === | |||
The case ended up at Landgericht Berlin (Regional Court, Berlin), which discontinued the proceedings. This decision was appealed by the Berlin's Public Porsecutor's Office which left Kammergericht to make final decision on the matter. | The case ended up at Landgericht Berlin (Regional Court, Berlin), which discontinued the proceedings. This decision was appealed by the Berlin's Public Porsecutor's Office which left Kammergericht to make final decision on the matter. | ||
Revision as of 12:02, 26 January 2023
| BlnBDI - C-807/21 - Deutsche Wohnen | |
|---|---|
 | |
| Authority: | BlnBDI (Berlin) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 83 GDPR § 30 OWiG |
| Type: | Other |
| Outcome: | n/a |
| Started: | 21.12.2021 |
| Decided: | |
| Published: | 16.01.2023 |
| Fine: | 14385000 EUR |
| Parties: | Deutsche Wohnen SE Staatsanwaltschaft Berlin |
| National Case Number/Name: | C-807/21 - Deutsche Wohnen |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Confirmed LG Berlin (Germany) |
| Original Language(s): | English |
| Original Source: | Curia (in EN) |
| Initial Contributor: | Norman Aasma |
Request for preliminary ruling on interpretation of Article 83 GDPR of whether fining an undertaking would require there to be a natural person who had, in his or her capacity as a representative of the undertaking committed the offense
English Summary
Facts
The case itself concerns a publicly listed real estate enterprise (the controller), which holds participating interests in around 163 000 housing units and 3 000 commercial units. The companies who own theses units are subsidiaries of the controller and manage the operational side of the business. The controller, on the other hand, handles higher management. Among other things, the controller's business activities included the processing of tenants' personal data. The data handled include: proof of identity, data on health and social insurance, tax, and information relating to previous tenancies.
On its own initiative, the Berlin Commissioner for Data Protection (the DPA) started an "on-the-spot" investigation into the controller. The DPA found that the controller's subsidiary companies were storing personal data of tenants in an electronic archive system, of which storage there was no apparent necessity and without a guarantee that personal data, which was no longer required, would be erased.
The DPA required the controller to delete all the documents from its electronic archive by the end of 2017. The controller concerned refused to do so, stating that deletion was impossible for technical and legal reasons. In particular, deleting the documents would first require this old archive data to be transferred to a new archive system that is compliant with statutory retention obligations under commercial and tax law. The undertaking concerned and the authority then entered into an oral and written exchange concerning the deletion order.
Three years later, in 2020, the DPA carried out another inspection and found that there had been no substantial change in the GDPR-infringing data storage. The controller responded to these findings by informing the DPA that the archive system, which it had objected to, had already been decommissioned and that the data would be migrated to the new system imminently. Consequently, the DPA issued a penalty order on the grounds that, in the period from 25 May 2018 to 5 March 2019, the controller concerned deliberately omitted to take the necessary measures to allow the proper deletion of tenant data that were no longer required or were otherwise wrongly stored. The DPA also alleged that the controller had continued to store personal data relating to at least 15 named tenants, even though it was known that this was not necessary or was no longer necessary.
For the intentional infringement of Article 25(1) GDPR and Article 5(1)(a), (c), and (e) GDPR, the authority imposed a pecuniary penalty of €14,385,000, as well as 15 further pecuniary penalties each ranging from €3,000 to €17,000 for infringements of Article 6(1)GDPR.
Following an objection by the controller, the Regional Court of Berlin discontinued the proceedings on the grounds that, under German law, a legal person could not be the party concerned by proceedings for an administrative fine, only a natural person can culpably commit an administrative offence. A legal person can only be a participant in the proceedings.
A request for a preliminary ruling lodged by Kammergericht in relation to interpretation of Article 83 GDPR of whether fining an undertaking would require there to be a natural person who had, in his or her capacity as a representative of the undertaking committed the offense or shall this requirement be disregarded under primacy of EU law.
The processor explained the DPA that the checked archive had been decommissioned and the stored data had been transferred immediately to the new system.
Holding
The case ended up at Landgericht Berlin (Regional Court, Berlin), which discontinued the proceedings. This decision was appealed by the Berlin's Public Porsecutor's Office which left Kammergericht to make final decision on the matter.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
List of results List of results by case List of documents Search result: 1 case(s) 1 documents analysed Deutsche WohnenCase C-807/21 Reports of Cases Information not available
