An archive system without the possibility of deleting personal data – 14.5 million euros fine for a real estate company
The Berlin data protection authority (“Berliner Beauftragte für Datenschutz und Informationsfreiheit”) has imposed a fine of approximately 14.5 million euros on a real estate company.
Background of the sanction is the archive system of the company that did not provide any possibility to delete no more needed data. According to the authority, this circumstance led to the fact that employees were able to view private information from tenants about their personal and financial circumstances for a very long time, without this still being covered by the original purpose of the data collection.
The authority had already recommended the company in 2017 to change the archive system. A further audit in March 2019 revealed still remaining considerable deficiencies in the archive system.
The fine itself is based on the company’s turnover in the previous year, which was more than one billion euros.
The specific calculation of the penalty against the company was based on the argument that the archive system was intentionally created in the manner described above and that the data were processed unacceptably over a long period. The fact that the data had not fallen into the hands of unauthorised third parties was an argument against an even higher penalty.
The authority considered itself capable of imposing a fine up to a maximum of 28 million euros. The fine of 14.5 million was therefore to be considered a “fine in the middle range”.
It is to be expected that the fine against the company will not remain an isolated case. “Data graveyards” would often be uncovered by the authorities during audits and, according to the authorities, pose a high risk for the person concerned. In the event of a cyber-attack, mass misuse of data can occur under such circumstances.
Our GDPR team helps you and your company to being GDPR compliant.
We will be happy to assist.