Eighteen months on from Europe’s General Data Protection Act coming into force, the multi million Euro fines after starting to roll in. After major actions in the UK and France, Germany followed suit with a €14.5 million fine against real estate company, Deutsche Wohnen SE.
The fine in this instance relates to the company’s retention of personal data. In this instance, the Berlin DPA considered that the real estate company had retained personal data longer than necessary and that this amounted to a breach for three reasons.
- The controller did not have a legal ground for storing this data longer than needed.
- Article 25 covering data protection by design and default, and integrating safeguards into the processing in order to satisfy the rights of subjects.
- Article 5 relating to the processing of data.
Deutsche Wohnen was found to have failed to establish a data retention and deletion policy which was compliant with GDPR for the personal data of their tenants. This was made worse by the fact that an audit had revealed problems in 2017 and that a second audit in 2019 revealed the company had still not managed to implement a GDPR compliant process because it still couldn’t demonstrate effective clean up of its storage or legal grounds for holding the data longer than necessary.
What can we learn
The DPA’s decision is not final and Deutsche Wohnen has already said it plans to appeal, but the ruling does offer a number of key lessons…
Europe’s regulators are getting tough: The slow start to GDPR enforcement led many to wonder if regulators were willing to resort to the full extent of their powers. We’ve now seen a number of fines from regulators in the million Euro bracket which suggests they aren’t shying away from large scale fines.
- Data retention is a problem: A common theme in fines is the legal basis for retaining data. Firms will need to ensure they have a clear legal justification if they continue to hold data for longer than is absolutely necessary.
- Data retention and deletion processes are crucial: All firms must have clear systems to archive and delete data. Deutsche Wohnen could have used one of a number of commercially available systems which allow it to separate data and apply different archiving and deletion rules.
This is also the first action to be taken under the DPA’s new guidelines for GDPR enforcement. These divide all violations into five categories:
• Step 1: Companies are filtered based on their size.
• Step 2: Average turnover is calculated.
• Step 3: Daily rate is calculated by dividing average annual turnover of the undertaking for the previous year by 360.
• Step 4: Establishing fine corridors which assess the perceived severity of the offence.
• Step 5: Classification of the specific GDPR infringement.
Data protection authorities are all taking their own approaches to enforcement and fine calculation. This adds to the complexity of managing compliance as, although each one refers to the same regulation, authorities may always adopt their own individual stances.
This could become more complicated post Brexit. Although the UK has adopted the GDPR framework and will continue to do so after Brexit, future governments would be free to make changes in the future.