The archiving risk - €14.5m fine in Germany
Dr W Kuan Hon
Of Counsel, Dentons; Member, UK International Data Transfer Expert Council; Editor, Encyclopedia of Data Protection & Privacy All views personal only.
Big fine by the Berlin data protection supervisory authority against a property company for keeping tenants' personal data in an archive system that didn't allow deletion of specific personal data that was no longer necessary for the original purpose of deciding whether to take them on as a tenant.
Data retention is clearly now a much bigger risk under GDPR. This fine will no doubt spur the take-up of archiving systems allowing selective deletion/anonymisation, perhaps on an automated scheduled basis. But legacy systems, aaaargh! (Note also that this issue has come up before in France, where the CNIL is similarly hot under the collar about archiving, including segregation even of personal data that needs to be retained, e.g. the SERGIC fine.)
Details
In 2017 the SA had previously conducted an onsite audit and strongly recommended changing the archive system, but in a March 2019 follow-up audit Deutsche Wohnen SE couldn't demonstrate a cleanse of its data archives, or any legitimate reason for the ongoing storage of the tenants' personal data. Even though it had taken some measures to remediate the lack of compliance, it couldn't justify its continued storage.
The Berlin SA therefore imposed a fine based on the company's global turnover of >€1b in 2018. Factors:
- the archive structure was intentionally created
- the company illegitimately processed the data over a long period of time
- it had taken initial measures for remedying the compliance failures
- good cooperation with the DPA
- no evidence of abusive access to the illegitimately stored data
So the fine imposed was in the median range, rather than the maximum possible.
Huge thanks to my colleague, Fieldfisher partner Katherina Weimer, for her very helpful summary.
Privacy & Data Protection Legal Counsel at Grifols
Great contribution!! Do you know by chance of any guidance document from any Data Protection Authority about the archiving or retention of employees' or other data subjects' images (pictures, not video surveillance)?
Really something to be concerned about for any company with legacy systems! The DPAs are ramping up the fines!
A good call to the many companies storing far longer than necessary, time to clean up. A special thought to the organisation proudly stating in their privacy notice ‘we will keep your special category personal data for 100 years’.