A German real estate company has been fined 14.5 million Euro by the Berlin data protection authority for infringing the EU General Data Protection Regulation (GDPR); the authority announced the case in a press release on 5 November 2019. It is the highest fine issued in Germany since the GDPR came into force in May 2018.
The penalty follows two audits by the authority, in June 2017 and March 2019. The first audit revealed non-compliance with the German data protection law then applicable, and the authority urged the company to rectify the shortcomings. Although the second audit found that the company had taken steps to prepare the required adjustments, the matters raised were still unresolved, and the company remained in violation of the GDPR.
What was the contested infringement of the GDPR about?
The company used a filing system for archiving rental agreements with its private customers and related documents. The archive contains information on the renters' personal and financial circumstances, such as payslips, self-disclosure forms, excerpts from employment contracts, bank statements, and details of taxation and of social and health insurance.
The IT infrastructure was set up so that personal data could not be erased, in order to keep the archive audit-proof. The authority considered this database design problematic, because under the GDPR personal data may only be retained for as long as necessary for a legally recognised purpose. It argues that the violation of the GDPR was threefold:
- The principle of storage limitation under Art. 5(1)(e) GDPR stipulates that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
- The obligation of data protection by design and by default under Art. 25(1) GDPR requires controllers to implement “appropriate technical and organisational measures […] which are designed to implement data-protection principles […] in an effective manner”.
- Any processing of personal data, including mere retention, needs a legal basis in each individual case under Art. 6 GDPR (e.g. the data subject has given consent, retention is necessary for the performance of a contract with the customer, or it is required to comply with a legal obligation). The authority cited 15 individual renters for whom no legal basis existed for continuing to archive their data.
The decision is not yet final. The real estate company may appeal and contest both the factual findings of the authority and its legal interpretation of the GDPR.
What do we need to do to comply with obligations on data retention?
Companies may have good reasons to use tamper-proof archiving systems that prevent alteration of the stored data, e.g. to preserve evidence for potential tax audits. Still, such systems must be designed so that they reflect the legally applicable retention periods and do not prevent erasure once those periods have elapsed. In practice this means retention has to be tracked per record, and the archive must be able to delete a record, or render it unrecoverable (for instance by destroying a per-record encryption key), at the end of its period without invalidating the rest of the archive.
Controllers cannot simply pass this obligation on to their software vendors, since the duty to comply with the principles of storage limitation and data protection by design rests with the controller itself. Companies should therefore check two things:
- Is there an appropriate and compliant data retention policy in place that covers all categories of personal data within the scope of the GDPR, including internal procedures for handling requests under the right to erasure (“right to be forgotten”, Art. 17 GDPR)? Drafting such a policy forces a review of the applicable retention periods, of legal obligations to erase certain information, and of the state of the company's data management.
- Do the IT solutions in use, e.g. for archiving, CRM or accounting, meet the requirements of data protection by design? Companies should verify that the technical environment actually allows them to put the intended retention policy into practice, including erasure at the end of each retention period.
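One way to reconcile an audit-proof archive with storage limitation is an append-only, hash-chained log in which every record is encrypted under its own key, so that erasure means destroying that key (crypto-shredding) while the chain, and with it the evidence that the record existed and when it was due for erasure, stays verifiable. The following is an added example written for this page, not the company's system or anything described in the authority's decision; the record identifiers, retention dates and record contents are constructed, and the SHA-256 counter-mode cipher is a stand-in for a proper AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) so the example needs only
    the standard library; use an AEAD such as AES-GCM in production."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # XOR is its own inverse


@dataclass(frozen=True)
class Entry:
    record_id: str
    retain_until: str   # ISO date (YYYY-MM-DD) taken from the retention policy
    nonce: bytes
    ciphertext: bytes
    tag: bytes          # HMAC-SHA256 over nonce||ciphertext under the record key
    prev_hash: bytes    # hash of the previous entry (32 zero bytes for the first)
    entry_hash: bytes   # hash over prev_hash and every field above


def _hash_entry(prev: bytes, record_id: str, retain_until: str,
                nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    h = hashlib.sha256()
    for part in (prev, record_id.encode(), retain_until.encode(), nonce, ciphertext, tag):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.digest()


class Archive:
    """Append-only, hash-chained log. Entries are never rewritten; erasing a
    record destroys its key, so the chain still verifies but the content of
    the erased record is unrecoverable."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self.keys: Dict[str, bytes] = {}           # in practice a KMS/HSM, not RAM
        self.erasures: List[Tuple[str, str]] = []  # (record_id, reason) audit trail

    def append(self, record_id: str, plaintext: bytes, retain_until: str) -> Entry:
        if any(e.record_id == record_id for e in self.entries):
            raise ValueError("duplicate record id")
        key, nonce = os.urandom(32), os.urandom(16)
        ciphertext = _keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        prev = self.entries[-1].entry_hash if self.entries else bytes(32)
        entry = Entry(record_id, retain_until, nonce, ciphertext, tag, prev,
                      _hash_entry(prev, record_id, retain_until, nonce, ciphertext, tag))
        self.entries.append(entry)
        self.keys[record_id] = key
        return entry

    def read(self, record_id: str) -> Optional[bytes]:
        """Plaintext of a record, or None once it has been erased."""
        key = self.keys.get(record_id)
        if key is None:
            return None
        entry = next(e for e in self.entries if e.record_id == record_id)
        expected = hmac.new(key, entry.nonce + entry.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, entry.tag):
            raise ValueError("ciphertext does not match its tag")
        return _keystream_xor(key, entry.nonce, entry.ciphertext)

    def erase(self, record_id: str, reason: str) -> bool:
        """Destroy the record key (e.g. on an Art. 17 request); False if unknown or already erased."""
        if self.keys.pop(record_id, None) is None:
            return False
        self.erasures.append((record_id, reason))
        return True

    def erase_expired(self, today: str) -> List[str]:
        """Retention sweep: erase every record whose retention end lies before today."""
        erased = []
        for e in self.entries:
            if e.retain_until < today and self.erase(e.record_id, "retention period elapsed"):
                erased.append(e.record_id)
        return erased

    def verify_chain(self) -> bool:
        """Auditor's check: needs no keys and still passes after erasures."""
        prev = bytes(32)
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != _hash_entry(
                    prev, e.record_id, e.retain_until, e.nonce, e.ciphertext, e.tag):
                return False
            prev = e.entry_hash
        return True


def demo() -> dict:
    """Constructed sample: three tenant files with hypothetical retention ends."""
    arc = Archive()
    arc.append("lease-0001", b"payslip: 3,200 EUR / month", "2019-12-31")
    arc.append("lease-0002", b"bank statement: balance 1,240.17 EUR", "2025-06-30")
    arc.append("lease-0003", b"tax assessment 2018", "2019-06-30")
    before = arc.read("lease-0002")
    expired = arc.erase_expired("2020-01-15")            # sweep run on that date
    arc.erase("lease-0002", "erasure request by data subject")
    tampered = Archive()                                  # copy with first ciphertext altered
    tampered.entries = [replace(arc.entries[0], ciphertext=bytes(len(arc.entries[0].ciphertext)))] + arc.entries[1:]
    return {"before": before, "expired": expired, "after_erasure": arc.read("lease-0001"),
            "entries_kept": len(arc.entries), "erasures": len(arc.erasures),
            "chain_ok": arc.verify_chain(), "tamper_detected": not tampered.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The design only works if key destruction is real: record keys must live in a key store whose backups and replicas are covered by the same deletion, and the retention date written into each entry should come from the retention policy rather than be chosen per upload, so that the sweep itself is auditable. The record identifier stored in the chain must not be personal data (a contract number is acceptable, a tenant name is not), otherwise the log would keep identifying the data subject after erasure.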
What does the amount of the fine mean for our GDPR risk analysis?
When it comes to sanctions, the GDPR introduces two tiers that cap the maximum fine (Art. 83(4) and (5) GDPR):
- Non-compliance with “minor” obligations, such as the duty to maintain records of processing activities (Art. 30 GDPR) or to appoint a data protection officer (Art. 37 GDPR), can lead to administrative fines of up to 10 million EUR or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Non-compliance with “major” obligations, such as the duty to process personal data lawfully under Art. 6 and 9 GDPR or to respond properly to data subjects exercising their rights (Art. 12-22 GDPR), can lead to administrative fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
These numbers seem threatening; however, multi-million penalties remain exceptional. Under Art. 83(1) GDPR, fines must “in each individual case be effective, proportionate and dissuasive”, and Art. 83(2) lists the factors to be taken into account, such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, and any action taken by the controller or processor to mitigate the damage suffered by data subjects.
In the present case, the authority acknowledged that the company, which generates annual revenue of more than 1 billion Euro, had taken first steps to end the non-compliance. On the other hand, it held both the intentional and the long-lasting character of the violation against the company.
Since enforcement of the GDPR remains with the national supervisory authorities of the EU member states, the way these factors are weighed may vary across the EU. Companies without any establishment in the EU may have to deal with several authorities that are simultaneously competent to audit them, depending on where the data subjects concerned are located.