Real Estate company fined millions for violations of the General Data Protection Regulation (GDPR) in relation to its archive systems.
Is your company’s archive system compatible with the GDPR? The answer to this could cost you thousands, hundreds of thousands, or even millions! Indeed, this is a lesson that the Berlin-based real estate company Deutsche Wohnen SE is now contending with.
As reported by the EDPB, on October 30th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around 14.5 million euro against Deutsche Wohnen SE for violations of the GDPR. The EDPB explains that the violations centred on the company’s use of an archive system for storage of personal data of tenants that did not provide the possibility of removing data that was no longer required. Therefore, personal data of tenants were stored without checking whether storage was permissible or necessary.
Deutsche Wohnen SE’s archiving practices were found particularly to infringe Article 5 and Article 25 (1) of the GDPR. For the purpose of this blog we zone in on Article 5 (1c) and Article 5 (1e) of the GDPR.
Article 5 (1c): “[Personal data shall be] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”
Article 5 (1e): “[Personal data shall be] kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).”
On the importance of proper archiving practices, Aphaia’s Managing Partner Bostjan Makarovic says that “getting rid of old data that is no longer necessary for the original purpose is essential to comply with GDPR. As data grows in size and the relationship of the company with the individual weakens, the problem only becomes bigger.”
For more information on GDPR Fines and Statistics we recommend visiting https://www.privacyaffairs.com/gdpr-fines/