Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Administrative fine of 14.500.000 Euro imposed against German Real Estate Company

12.12.2019

The Berlin Data Protection Authority has imposed an administrative fine of 14,5 million euros on a Berlin real estate company for violations of the GDPR.

How did the violation come about?

During an on-site inspection in June 2017, the Data Authority observed that the real estate company was using an archive system that did not provide an option to delete personal data that was no longer necessary in relation to the purposes for which it was processed. Personal data of tenants was therefore archived without checking whether storing this data was lawful.

The Data Authority issued a warning in June 2017 and suggested changing the archive system. At another on-site inspection in March 2019, the real estate company neither had a new archive system nor had deleted the unlawfully stored personal data of tenants, nor could it provide legal grounds for the ongoing storage of the personal data.

Stored data several years old

During the second on-site inspection, the officers found personal information of tenants from years ago that was, in the opinion of the Berlin Data Protection Authority, not necessary in relation to the initial purpose. In addition to pay slips, self-disclosures, and employment and training contracts, the officers also found tax information, social and health insurance data, and account statements from former clients. The unlawfully stored personal data revealed the personal and financial circumstances of the data subjects in numerous ways.

 

How was the imposed fine calculated?

The GDPR states that infringements can be subject to administrative fines of up to 20 000 000 euros or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Before this case, the highest administrative fine issued in Germany since the GDPR became applicable was 80.000 euros.

The annual turnover of the preceding financial year 2018 amounted to more than one billion euros. The legal range for the administrative fine therefore came to approximately 28 million euros. The Data Authority imposed an administrative fine in the mid-range of this legal range because there was no proof that the unlawfully stored data had been misused.

The real estate company does not appear to admit its failure and has announced that it will take legal steps against the penalty notice.

 

Article provided by:

Dr. Jens Eckhardt, dmp Derra, Meyer & Partner PartGmbB
www.derra.eu
Attorney-at-law
Specialist attorney for IT law
Data protection auditor (TÜV)
Compliance officer (TÜV)
Board member (Legal), Eurocloud Deutschland _eco e.V.

Nils Steffen, Meyer & Partner PartGmbB
www.derra.eu
Attorney-at-law
Data protection officer (TÜV-Süd)

Source: www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf (current as of 10 December 2019)

 
