GDPR Violation: 14.5 Million Euro Fine for “Deutsche Wohnen”

The German data protection authority has imposed the highest GDPR fine to date on the real estate company Deutsche Wohnen (“German Living”): 14.5 million euros. The company is accused of storing sensitive data about tenants without ever re-checking whether that data still needed to be kept.

An audit back in 2017 revealed that the archive system used by Deutsche Wohnen did not allow data to be deleted at all. Sensitive information, such as salary records, bank statements, self-disclosures, employment contracts, tax numbers, as well as social security and health insurance data, was stored permanently in the company’s databases. A follow-up review carried out in March 2019 showed that the issues had still not been resolved.

According to the General Data Protection Regulation, companies may only retain and process personal data for as long as the purpose for which the information was originally collected still applies. To comply, Deutsche Wohnen should have deleted the data it held about former tenants and about people who had applied for apartments once that purpose had lapsed. Holding on to such enormous amounts of data is problematic given the threat of cyber attacks and the potential for data abuse by internal staff.

Record Fine

The GDPR allows authorities to impose penalties of up to 4 percent of the accused company’s worldwide turnover, depending on the gravity of the offence. In the previous year, Deutsche Wohnen generated more than one billion euros in turnover, so the fine of 14.5 million euros is significantly lower than the maximum the regulation would have allowed (28 million euros). The maximum penalty was not imposed because the authorities were unable to prove that the data had actually been accessed abusively, and because Deutsche Wohnen had announced that it would be taking measures to improve the situation.

The data protection authority issued additional fines of between 6,000 and 17,000 euros for the illegal storage of tenants’ personal data in 15 specific cases. This is the first GDPR fine in Germany to reach the millions; the highest fine in the country to date had been 195,000 euros. France and Great Britain, by comparison, have seen penalties of this magnitude imposed on several occasions.

The decision is not yet legally binding, and Deutsche Wohnen has announced that it intends to appeal.

Access management is data protection

One way to safeguard your company’s critical data and ensure it is handled responsibly is to make sure that IT privileges are assigned through comprehensible and transparent processes. tenfold is an access management system that helps you keep control of access rights across your company’s systems and manage them effectively, always in accordance with the GDPR.

About the Author: Maggy Fituch