The Berlin Commissioner for Data Protection (Berlin DPA) has fined Deutsche Wohnen SE, a German property company, €14.5 million for violating the General Data Protection Regulation. This is the largest GDPR fine issued to date by a German data protection authority and signals a trend by regulators to flex their muscles (see, e.g., the recent CNIL fine and the UK ICO’s proposed fine) in cases involving blatant misuse of, or a failure to adequately protect, personal data in violation of the GDPR.
Deutsche Wohnen is the largest private real estate owner in Berlin, managing 111,000 apartments. The German company had been on the Berlin DPA’s radar for some time. According to investigations by the Berlin DPA, Deutsche Wohnen illegally archived documents containing sensitive information concerning its tenants. The documents contained information on creditworthiness, including proof of income, information from Schufa (a German private credit bureau) and employment. The information was gathered in connection with the lease application process. Once the lease had been signed by the tenants, these documents were meant to be destroyed after a certain period (to be determined by the necessity and/or legitimacy for the retention). Instead, the documents had been archived – a practice which had been adopted by Deutsche Wohnen for a number of years.
The fine follows two audits, carried out by the Berlin DPA in June 2017 and March 2019, that revealed improper data storage and retention. The investigations also revealed that personal data that was no longer required for business purposes was still being stored in Deutsche Wohnen’s archives and that inadequate security measures had been adopted by the company to safeguard the data.
The fine is the highest to be issued by a German data protection authority. This fine follows recent publication by the German conference of data protection authorities (Datenschutzkonferenz, DSK) of a proposal for calculating administrative fines for data protection violations (this calculation only applies to German data protection authorities). Among other criteria, the proposed model calls for determining the gravity of the violation and assigning a value that corresponds to the violation. The model for calculating fines will likely be released sometime this month. This enforcement action should be seen as a clear indicator that greater fines will be issued by German data protection authorities in the future.
Businesses should be particularly cognisant of the regulator’s focus on Deutsche Wohnen’s storage and retention practices. Undoubtedly, the illegality of the document storage under German law and the sensitive nature of the personal data are important distinguishing factors in this case. Nevertheless, the decision is a timely reminder for businesses that data retention practices must be lawful – and that personal data should not be retained longer than is needed for the purposes for which it is processed. Businesses that indiscriminately retain documents containing personal data without assessing the necessity or legitimacy of that retention need to reconsider their approach and ensure they have developed and are implementing meaningful data retention policies.
To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Gretchen Scott, Technology and Privacy & Cybersecurity partner in London.