A German data protection authority, the Berliner Beauftragte für Datenschutz und Informationsfreiheit (‘BBDI’), recently announced that it has issued a 14.5 million euro fine to the real estate company Deutsche Wohnen SE for breaching GDPR.
Whilst large data protection fines are becoming more prevalent, in this case there is no suggestion that data was compromised or that personal data was misused for commercial gain (both of which have been common triggers for enforcement action by regulators). Instead, Deutsche Wohnen SE’s breach relates to data it holds on its archive database.
The facts
- The German real estate company held historical tenant information (including payslips, references and bank statements) without a lawful basis for processing the data, and held it on a system that provided no means of erasing personal data once processing was no longer necessary.
- BBDI flagged these issues to Deutsche Wohnen SE following a site visit in 2017.
- In March of this year, BBDI carried out a review and, despite Deutsche Wohnen SE’s attempts to implement changes, was not satisfied that the issues had been adequately resolved. It considered that Deutsche Wohnen SE’s practices infringed Article 5(1) and Article 25(1) GDPR. Article 5(1) requires that personal data be processed lawfully, i.e. there must be a lawful basis for processing, even where the data is held on an archive database. Article 25(1) concerns data protection by design and by default, i.e. adherence to the data protection principles must be adequately taken into account when processing personal data.
- The 14.5 million euro fine was issued by BBDI to Deutsche Wohnen SE on 30 October 2019 for breach of Article 25(1).
The fine
- The maximum fine for breach of Article 25(1) GDPR is 10 million euro or 2% of global turnover.
- The 14.5 million euro fine was calculated applying guidelines previously published by German data protection regulators.
- Remedial actions taken by Deutsche Wohnen SE were taken into account as a mitigating factor. However, the deliberate setting up of the archive database and the duration of processing were cited as aggravating factors.
- The German regulator held back from pursuing a full 4% turnover fine (for breach of Article 5(1) GDPR), which could have been in the region of 60 million euro.
Practical points
- It is a “GDPR myth” that personal data must be deleted as soon as it has been used. Personal data can be retained for as long as the purpose(s) for which it was collected remain valid and there continues to be a lawful basis for doing so. You must, however, erase personal data where it is no longer necessary to keep it. Doing so also helps to comply with the principles of data minimisation and accuracy.
- Personal data is still being “processed” when it is held in an archive or offline. It is therefore necessary to maintain all applicable data protection compliance obligations in respect of that data.
- GDPR does not specify retention periods; you are expected to apply periods appropriate to the purposes for which the data is processed.
- Retaining personal data to meet regulatory or legal requirements is a potentially valid purpose, but you should be able to identify the specific regulatory or legal requirement that applies rather than use this as a blanket justification to retain all data.
- It may be appropriate to keep only some of the data collected, e.g. retain only the personal data about ex-customers that could be relevant to potential complaints or legal claims, and delete all other irrelevant personal data.
- Anonymising personal data may be appropriate and useful where data is to be retained but it is no longer necessary to identify the relevant individual, e.g. for statistical or analytical purposes. Anonymised data can be kept for as long as you like and will not be subject to GDPR. However, you should ensure that the personal data is fully anonymised.
- Where data is “deleted”, this should mean more than archiving it or taking it offline. The UK’s Information Commissioner requires that it is “put beyond use”, and this includes deletion from all live and backup systems.
- In order to meet data minimisation and storage limitation obligations, it may be necessary or worthwhile to consider system changes that use functionality to automatically flag data for review.
- Having a policy that sets out data retention periods and the purposes of processing is often helpful, and is a must for many larger organisations.
If you would like assistance with your data retention practices or data protection law more generally, please contact us.