LfDI (Bremen) - 03/2022

From GDPRhub
Revision as of 11:49, 9 March 2022 by Hha (talk | contribs)
LfDI (Bremen) - not available
LogoDE-HB.png
Authority: LfDI (Bremen)
Jurisdiction: Germany
Relevant Law: Article 9 GDPR
Article 83 GDPR
Type: Other
Outcome: n/a
Started:
Decided: 03.03.2022
Published: 03.03.2022
Fine: 1,900,000 EUR
Parties: BREBAU GmbH
National Case Number/Name: not available
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: Landesbeauftragter für Datenschutz Bremen (in DE)
Initial Contributor: Heiko Hanusch

Bremen's DPA issued a €1,900,000 fine against a Brebau GmbH (a residential property management company) for unlawfully processing the sensitive data of over 9,500 prospective tenants, including aspects like their skin colour, religious affiliation, sexual orientation, health status, hairstyle and body odour.

English Summary

Facts

The controller is BREBAU GmbH. Its business consists mainly of building and managing residential apartments. During its investigation the DPA of Bremen found that BREBAU was processing information of over 9,500 prospective about their the skin colour, ethnicity, religion, religious affiliation, sexual orientation, health status and even the hairstyle, body odour and personal appearance.

Holding

The DPA of Bremen (LfDI Bremen) held that processing this data was not necessary for the conclusion of rental agreements and that this kind of data is particularly protected under the GDPR. Furthermore, it found that BREBAU GmbH also deliberately thwarted requests from data subjects for transparency about the processing of their data.

Regarding the amount of the fine, the DPA concluded that, because of the extraordinary gravity of the violation, a significantly higher fine would actually have been appropriate. However, the DPA reasoned that the amount of the fine could be reduced considerably because BREBAU GmbH cooperated extensively in the supervisory procedure, endeavoured to minimise the damage, to clarify the facts on its own and to ensure that such violations would not be repeated.

Comment

Whether the investigation was triggered by a complaint or whether the DPA of Bremen conducted an ex officio investigation is unknown.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

 The State Commissioner for Free
 Data protection and Hanseatic city

 Freedom of Information Bremen



                                                                         Bremerhaven, March 03, 2022

 PRESS RELEASE




LfDI imposes a GDPR fine on BREBAU GmbH


Today the State Commissioner for Data Protection and Freedom of Information (LfDI) as
data protection supervisory authority BREBAU GmbH with a fine under Article 83

General Data Protection Regulation (GDPR).


BREBAU GmbH has processed more than 9,500 pieces of data on prospective tenants without it
there was a legal basis for this. For example, information about hairstyles, body

ruch and personal appearance are not required for the conclusion of tenancies.
In more than half of the cases, it was also about data that was processed under the GDPR
are specially protected. Information about the color of the skin was also processed unlawfully,

ethnic origin, religious affiliation, sexual orientation and health
state of health. BREBAU GmbH has also received requests from data subjects for transparency regarding the processing

thwarting their data awareness.


The fine imposed under Article 83 GDPR amounts to around 1.9 million euros. the au-
Extraordinary depth of the violation of the fundamental right to data protection would be significantly greater
fine was reasonable. Because the BREBAU GmbH in the data protection supervisory

Drive extensively cooperated to mitigate damage, own clarification of the facts
and endeavored to ensure that such violations are not repeated, the amount of the

fine can be significantly reduced.


On the occasion of this supervisory procedure, the State Commissioner for Data Protection and Information
onsfreiheit, Dr. Imke Sommer: "In connection with the public discussion about the case
This data protection supervisory procedure is based on, I have often been asked whether

the GDPR prohibits discrimination. The answer to this question is complicated because the
DSGVO looks at facts in a specific way. According to the GDPR, it is only in a few

cases permitted at all, data on skin colour, ethnic origin, religious affiliation,
to process sexual orientation and health status. The GDPR ensures

for the fact that in the vast majority of cases this specially protected data is not even collected in the first place
may be saved. Uncollected data cannot be misused. In this
The GDPR also protects against discrimination."



          Responsible: The State Commissioner for Data Protection and Freedom of Information • Arndtstraße 1 • 27570 Bremerhaven

               Tel.: 0421 – 361 – 20 10 or 0471 – 596 – 20 10 •. Email address: office@datenschutz.bremen.de