GDPR violations
The recent notice to fine real estate company, Deutsche Wohnen, 14.5 million euros for the unlawful storage of tenant data, should serve as a clear warning to others within the industry.
The Berlin Data Protection Authority (DPA) became the first of German DPAs to impose a fine for GDPR violations.
After an on-site inspection in 2017, the Berlin DPA discovered that Deutsche Wohnen had been using an archive system that did not have an option to delete old data. The system contained sensitive information about former and current tenants.
Subsequently, the company infringed Art. 25 (1) and Art. (5) of the GDPR, to which the Berlin DPA had issued a recommendation for the company to act and allow them time to amend the archive system so it would fit to GDPR requirements, as well as allowing them to respect applicable retention periods.
Another on-site inspection in 2019 found that the GDPR infringements were still present, this lead to the Berlin DPA to impose a fine on the company for the period between the direct applicability of the GDPR and October 2019.
During this period, Deutsche Wohnen did not clean up its database, nor prove that it had legal basis for the processing of personal data.
In an interview with Berlin's Data Protection Commissioner Maja Smoltczyk, explains that this case is not an isolated case, but rather the first on that scale with such a vast amount of data.
She adds: "There is no health data affected and according to our information, no data has been disclosed to third parties. Nevertheless, personal data are in considerable quantities. The system provides insights into the lives of many, many people. You can see who lives with whom, what kind of education someone has or where he used to live. These are things of everyday life that we would not share so easily."
Since the implementation of GDPR in Germany, many companies have been turning a blind eye therefore this fine underlines that an official warning to eliminate GDPR infringements is not enough.
This fine is the first in the millions, and it is expected that further fines by the DPAs will follow shortly.
Property Software Solutions provides a facility within the software package called 'Data Management'. This facility allows for the removal of 'personal' data in relation to tenants, landlords, properties and contractors.