Details:
| Summary | Originally, a fine in the amount of EUR 14.500.000 was issued against Deutsche Wohnen SE for using an archiving system for the storage of personal data of tenants that, according to the data protection authority, did not provide for the possibility of removing data that was no longer required. According to the data protection authority, personal data of tenants were stored without checking whether storage was permissible or even necessary and it was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry. *** UPDATE *** On 24 February 2021 the Berlin Regional Court has dismissed the fine against Deutsche Wohnen SE due to procedural errors, see link and link. This was based on the fact that, according to German law, a fine can only be issued to a company if the offence is attributable to a natural person, such as a managing director or employee. The case was then appealed to the Appellate Court of Berlin, which on 16 December 2022 in turn referred it to the European Court of Justice for a preliminary decision on whether the Regional Court’s decision aligned with European law. On 5 December 2023 the European Court of Justice ruled that while culpability is indeed required for a fine to be issued, it is not always necessary to attribute the offence to a natural person. If the controller is a company instead of a natural person, it shall suffice if the offence is attributable to the company itself. In light of this decision the Appellate Court of Berlin overturned the initial decision of the Regional Court of Berlin and referred the case back to the Regional Court of Berlin for a new decision which, at the time of the editorial deadline of this update, is still pending, see link |
| Link: | link |
| Related articles: | Art. 5 GDPR, Art. 25 GDPR |
| Type: | Non-compliance with general data processing principles |
| Fine: | EUR 0 |
| Sector | Real Estate |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/