The recent notice to fine the real estate company Deutsche Wohnen €14.5 million for its unjustified retention of tenant data should serve as a clear warning to others within the industry. Whilst this fine does not come close to the notices of intent to fine (as announced earlier this year in the UK) against Marriott International and British Airways, it appears to be the first GDPR fine triggered by a company's data retention activities and the largest fine against a real estate company. The majority of data protection headlines to date have related to data breaches; however, companies would do well to note that there are other GDPR obligations which may soon attract similarly significant fines.
The GDPR, which came into force on 25 May 2018, directly applies to all EU countries. Therefore, both the GDPR and its application in the Deutsche Wohnen decision are directly relevant to UK companies. The GDPR will also continue to apply in the event of a no-deal Brexit. Firstly, the UK government intends to incorporate the GDPR into UK data protection law on exit (dubbed 'UK GDPR'). Secondly, any UK-based businesses which operate in the EU27, by offering goods or services to individuals in the EU27 or monitoring their behaviour, will still need to comply with the actual GDPR post-Brexit.
The Berlin Data Protection regulator issued a notice to fine Deutsche Wohnen €14.5 million for its data protection breaches under GDPR relating to its archived storage of tenants' personal data. Deutsche Wohnen was found to have breached its GDPR obligations to keep personal data for "no longer than is necessary for the purposes for which the personal data are processed", to ensure that personal data is adequate, relevant and limited to what is necessary, and to provide appropriate technical and organisational measures designed to implement data protection principles.
The fine (which we understand Deutsche Wohnen will be challenging) comes after an investigation by the regulator into Deutsche Wohnen's activities. Reportedly, from June 2017, the company was storing tenants' personal data in an archive system which did not allow for the erasure of data that was no longer necessary. The company was storing data relating to tenants' personal and financial circumstances, such as salary and social and health insurance data. Despite the regulator's request that it revise these activities, Deutsche Wohnen's improvements did not go far enough.
At present, this is reportedly the second largest fine in Europe for breach of data protection obligations (as opposed to a data breach), and the largest for a breach of the obligation not to keep personal data for longer than is necessary. An aggravating factor, which contributed to this large fine, was the lengthy period over which Deutsche Wohnen had been processing the personal data. The fine could have been significantly higher had the regulator chosen to proceed with the maximum fine permitted under GDPR (€20 million or up to 4% of global turnover, whichever is higher). However, the regulator accepted Deutsche Wohnen's cooperation with the investigation and its initial steps to address its failings as mitigating factors which reduced the overall fine.
Whilst this is a German investigation, in these early days of GDPR fines, data protection regulators (including the UK's Information Commissioner) will look to other European countries for an indication of appropriate fines. This case also serves as a reminder to property companies to regularly review the personal data which they store and to delete or anonymise any data which is no longer required. Removal of unnecessary personal data also reduces their exposure to data leaks or security breaches. However, where companies can reasonably justify retaining personal data, for example for tax record purposes, this will arguably provide a basis to continue holding onto the data.