The Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) has issued a €14.5 million GDPR fine to the German company Deutsche Wohnen SE. The fine was issued on October 30th, 2019, and is one of the highest fines issued so far in Germany.
What we would really like to talk about is the reason behind the fine. As stated in the official press release by the Berlin DPA:
“During on-site inspections in June 2017 and March 2019, the supervisory authority found that the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required.[…] In some of the individual cases that were examined, it was, therefore, possible to find years-old private data from tenants that were preserved, although they were no longer necessary for the purpose of their original collection.”
The reason behind the €14.5 million GDPR fine
The reason for this multi-million fine may lie in the fact that the Berlin Commissioner for Data Protection recommended an adjustment of the archive systems during the first inspection in 2017.
However, the company was unable to fix the issue (an effort was made, but it did not suffice). The fact is that the data removal process introduces a set of new challenges for a DPO, amplified by a lack of understanding of where the data is stored and no real insight into the technical and business implications of data removal.
When a company is processing a large amount of data across multiple systems, automation is the only way to avoid the possibility of human error and reduce the risk of non-compliance.
Nonetheless, there were other factors involved:
“…The specific determination of the amount of the fine, the Berlin Commissioner for Data Protection has used the legal criteria, taking into account both aggravating and mitigating factors. The fact that Deutsche Wohnen SE had deliberately set up the archive structure in question and that the data concerned had been processed in an inadmissible manner over a long period of time…”
We have been talking about the importance of compliant data removal for a while now. However, this is what we continuously observe: indifference towards certain parts of the compliance process until it is too late and the fine is issued.
However, it is never too late. Start reading our blogs to get a better understanding of GDPR-compliant data removal orchestration.