The inability to comply with data retention and data minimization obligations led to a GDPR fine in Germany of € 14.5 million. This is an interesting article from my German colleagues Verena Grentzenberg and Jan Spittka, initially published on Privacy Matters blog.
The case on data retention that led to the € 14.5 million GDPR fine in Germany
On 30 October 2019, the Berlin Commissioner for Data Protection and Freedom of Information imposed an administrative fine of about € 14.5 million against Deutsche Wohnen SE for infringements of the EU General Data Protection Regulation (GDPR).
Deutsche Wohnen SE is a real estate company that was accused of having used an archiving system for the storage of personal data of tenants, which did not allow for the erasure of data that was no longer necessary. According to the German data protection authority, the affected data included information about the personal and financial circumstances of tenants, such as payslips, self-disclosure forms, extracts from employment and training contracts, tax data, social security, and health insurance data and bank statements.
The authority had already flagged this alleged non-compliance with data protection rules after an on-site audit in June 2017. Another audit in March 2019 showed that Deutsche Wohnen SE was still unable to demonstrate either the deletion of data after the expiry of the data retention period or legal grounds for the continued storage. Deutsche Wohnen SE did initiate a project to remedy the potential non-compliance technically. Still, the German data protection authority found that these measures had not led to the establishment of a lawful state of storage of the data. The authority could, however, not prove that personal data had been unlawfully accessed or disclosed to third parties.
Nevertheless, the German data protection authority already considered the archiving without possibility to erase data which is no longer necessary or even had been collected without a legal ground in the first place as an infringement of the data protection by design requirement under Article 25 (1) GDPR as well as of general processing principles set out in Article 5 GDPR:
- Article 25 (1) GDPR requires data controllers – subject to additional preconditions – to provide for appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR and protect the rights of data subjects; while
- Article 5 (1) GDPR includes inter alia the obligation that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’) i.e. data need to be deleted or anonymized on the expiry of the data retention period.
The calculation of the GDPR fine by the German data protection authority
When calculating the specific amount of the fine, the Berlin data protection authority applied the recently published guidelines on the calculation of GDPR fines of the German privacy authorities.
Taking into account Deutsche Wohnen SE’s annual turnover in 2018 of “more than one billion Euros” (the exact turnover was EUR 1,438,000,000), the upper limit for the fine was at “approx. EUR 28 million”. An interesting point to mention is that the Berlin DPA apparently only applied the 2% of annual revenues maximum for an infringement of Article 25 GDPR (see Article 83 (4) (a) GDPR) and not the 4% of annual revenues maximum for an infringement of Article 5 GDPR (see Article 83 (5) (a) GDPR). If the 4% category had been applied, the maximum fines would have been about EUR 57 million in the case at hand. However, the Berlin data protection authority seems to be well aware that – at least in Germany – the general principles set out in Article 5 GDPR are not precise enough to serve as a basis for sanctions.
For the specific determination of the amount of the fine, the supervisory authority considered the following aggravating and mitigating factors:
- Deutsche Wohnen SE had deliberately set up the archive structure in question and that the affected data had been processed in an inadmissible manner over a long period of time was considered as particularly aggravating;
- The company had taken initial measures to remedy the situation and had cooperated well with the supervisory authority. With a view to the fact that the company could not be proven to have improperly accessed the inadmissibly stored data, a fine in the middle range of the predetermined fine framework was regarded as appropriate.
In addition to sanctioning the structural non-compliance, several additional smaller fines between € 6,000 and € 17,000 have been imposed for the inadmissible storage of personal data of tenants in 15 specific individual cases.
My take on the compliance with the data retention obligation
- Those entities that did not put in place any data retention policy but refer in their privacy information notice to the retention of data for a period not exceeding what necessary to pursue the purposes of the data processing. The result of such an approach is that they never cancel any personal data;
- Companies that have adopted a data retention policy, but are unable to comply with it, since did not implement technical and organizational measures to ensure the cancellation of personal data on the expiry of the retention period. Also under such a scenario, personal data are never deleted, unfortunately, and there is merely formal compliance; and
- Data controllers that have a data retention policy and technical and organizational measures to ensure compliance with it. But this category is quite limited.
Also, some companies have a data retention policy. But they decided not to comply with it since it is excessively costly. This scenario might be the worst to the eyes of data protection authorities since it shows willful conduct to breach data protection obligations. This GDPR fine may change the approach of companies to data retention compliance.
On the same topic, you may find interesting “Data retention period, an intrigued rebus under the GDPR“.