Privacy & Information Security Law Blog

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (“the Berlin Commissioner,” Berliner Beauftragte für Datenschutz und Informationsfreiheit) announced that it had imposed a fine of €14.5 million (approximately $16 million) on Deutsche Wohnen SE, a prominent real estate company. This is the highest fine issued in Germany since the EU General Data Protection Regulation (“GDPR”) became applicable.

GDPR Violation

After conducting onsite inspections in June 2017 and March 2019, the Berlin Commissioner noticed that Deutsche Wohnen SE was retaining personal data of tenants for an unlimited period, without examining whether the retention was legitimate or at all necessary. In some cases, it was possible to access personal data of affected tenants, some of which were years old, without the data serving the purpose of the original data collection. According to the press release, Deutsche Wohnen SE was using an archiving system that did not enable it to remove data that was no longer required for the specific purpose for which it was collected. The affected data relates to financial and personal circumstances, such as bank statements, training contracts, tax, social and health insurance data.

After the inspection of 2017, Deutsche Wohnen SE improved its archiving system. However, in 2019, the Berlin Commissioner noted that the measures adopted to mitigate the data protection violation were not sufficient, and still did not comply with the storage limitation and data minimization principles of the GDPR. The fine is high because the Berlin Commissioner deemed that Deutsche Wohnen SE deliberately created the data archive in question and processed the affected data inappropriately over a long period of time.

Determination of the Amount of the Fine

Due to the worldwide turnover of more than one billion euros reported in the annual report of Deutsche Wohnen SE for 2018, the statutory scope for determining the fine for the data protection violation was initially around €28 million, according to the press release. However, the Berlin Commissioner took into account the fact that Deutsche Wohnen SE cooperated with the Berlin Commissioner, took steps to rectify the situation, and did not otherwise abuse the retained data, which limited the amount of the intended fine to €14.5 million.

The fine is not yet final as it may still be appealed.

For more information, read the press release (only available in German).

Update:

On February 18, 2021, the Berlin Regional Court declared the fine against Deutsche Wohnen SE invalid on the basis that the DPA's fining decision was not sufficiently substantiated. In particular, the fine notice of the Berlin Commissioner did not include any information on specific acts of management or legal representatives of Deutsche Wohnen SE that gave rise to the fine in accordance with German law.

On March 3, 2021, the Berlin Commissioner announced that it filed a complaint against the proceedings before the Berlin Regional Court. The Berlin Commissioner stated in its press release that the court’s interpretation of German law is not in line with European data protection law. The Berlin Commissioner takes the position that the determining factor for the imposition of administrative fines under the GDPR should be that a violation of the law has been identified and not whether any natural persons from the company’s management were responsible for the violation. The Berlin Commissioner also stated that the decision of the Berlin Regional Court addresses legal questions that are highly relevant for all German data protection authorities with respect to how administrative fines should be imposed.