First multi-million GDPR fine in Germany
The Berlin DPA considered retaining data substantially longer than necessary a breach of the GDPR, in three respects: first, the controller did not have a legal ground to store personal data longer than was necessary; second, this was considered an infringement of the data protection by design requirements under Article 25 (1) GDPR; and, finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
Infringement of deletion obligations
Deutsche Wohnen failed to establish a GDPR-compliant data retention and deletion procedure for tenants’ personal data. This was aggravated by the fact that the Berlin DPA had already flagged the non-compliance with its retention obligations during an on-site audit in 2017. Although Deutsche Wohnen had taken initial measures to remedy the non-compliance, the supervisory authority found during its second audit in 2019 that these measures had not led to the establishment of a GDPR-compliant archiving system, as Deutsche Wohnen was still unable to demonstrate a clean-up of its database or legal grounds for the ongoing storage.
The head of the Berlin DPA recently gave some background in an interview. She said that Deutsche Wohnen could have readily complied by implementing an archiving system that separates data with different retention periods, thereby allowing differentiated deletion periods, as such solutions are commercially available.
The Berlin DPA’s decision is not yet final and Deutsche Wohnen has already announced that it will challenge the fine in court.
Original Source: Blazon – First multi million GDPR fine in Germany