LfDI (Bremen) - 03/2022
|LfDI (Bremen) - not available|
|Relevant Law:||Article 9 GDPR|
Article 83 GDPR
|National Case Number/Name:||not available|
|European Case Law Identifier:||n/a|
|Original Source:||Landesbeauftragter für Datenschutz Bremen (in DE)|
|Initial Contributor:||Heiko Hanusch|
Bremen's DPA issued a €1,900,000 fine against Brebau GmbH (a residential property management company) for unlawfully processing the sensitive data of over 9500 prospective tenants, including aspects like their skin colour, religious affiliation, sexual orientation, health status, hairstyle and body odour.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller is BREBAU GmbH. Its business consists mainly of building and managing residential apartments. During its investigation the DPA of Bremen found that BREBAU was processing information of over 9,500 prospective tenants about their the skin colour, ethnicity, religion, religious affiliation, sexual orientation, health status and even the hairstyle, body odour and personal appearance.
Holding[edit | edit source]
The DPA of Bremen (LfDI Bremen) held that processing this data was not necessary for the conclusion of rental agreements and that this kind of data is particularly protected under the GDPR. Furthermore, it found that BREBAU GmbH also deliberately thwarted requests from data subjects for transparency about the processing of their data.
Regarding the amount of the fine, the DPA concluded that, because of the extraordinary gravity of the violation, a significantly higher fine would actually have been appropriate. However, the DPA reasoned that the amount of the fine could be reduced considerably because BREBAU GmbH cooperated extensively in the supervisory procedure, endeavoured to minimise the damage, to clarify the facts on its own and to ensure that such violations would not be repeated.
Comment[edit | edit source]
Whether the investigation was triggered by a complaint or whether the DPA of Bremen conducted an ex officio investigation is unknown.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The State Commissioner for Free Data protection and Hanseatic city Freedom of Information Bremen Bremerhaven, March 03, 2022 PRESS RELEASE LfDI imposes a GDPR fine on BREBAU GmbH Today the State Commissioner for Data Protection and Freedom of Information (LfDI) as data protection supervisory authority BREBAU GmbH with a fine under Article 83 General Data Protection Regulation (GDPR). BREBAU GmbH has processed more than 9,500 pieces of data on prospective tenants without it there was a legal basis for this. For example, information about hairstyles, body ruch and personal appearance are not required for the conclusion of tenancies. In more than half of the cases, it was also about data that was processed under the GDPR are specially protected. Information about the color of the skin was also processed unlawfully, ethnic origin, religious affiliation, sexual orientation and health state of health. BREBAU GmbH has also received requests from data subjects for transparency regarding the processing thwarting their data awareness. The fine imposed under Article 83 GDPR amounts to around 1.9 million euros. the au- Extraordinary depth of the violation of the fundamental right to data protection would be significantly greater fine was reasonable. Because the BREBAU GmbH in the data protection supervisory Drive extensively cooperated to mitigate damage, own clarification of the facts and endeavored to ensure that such violations are not repeated, the amount of the fine can be significantly reduced. On the occasion of this supervisory procedure, the State Commissioner for Data Protection and Information onsfreiheit, Dr. Imke Sommer: "In connection with the public discussion about the case This data protection supervisory procedure is based on, I have often been asked whether the GDPR prohibits discrimination. The answer to this question is complicated because the DSGVO looks at facts in a specific way. According to the GDPR, it is only in a few cases permitted at all, data on skin colour, ethnic origin, religious affiliation, to process sexual orientation and health status. The GDPR ensures for the fact that in the vast majority of cases this specially protected data is not even collected in the first place may be saved. Uncollected data cannot be misused. In this The GDPR also protects against discrimination." Responsible: The State Commissioner for Data Protection and Freedom of Information • Arndtstraße 1 • 27570 Bremerhaven Tel.: 0421 – 361 – 20 10 or 0471 – 596 – 20 10 •. Email address: email@example.com