The German data protection authority has imposed the highest GDPR fine to date on real estate company Deutsche Wohnen (“German Living”): 14.5 million Euros. The enterprise is being accused of storing sensitive data on tenants and failing to reconfirm whether the data still need to be kept or not.

An audit back in 2017 revealed that the archive system used by Deutsche Wohnen does not make it possible to delete data. Sensitive information, such as salary records, bank statements, self-disclosures, employment contracts, tax numbers, as well as social security and health insurance data, were permanently stored in the real estate agency’s databases. A review carried out in March 2019 showed that the issues had not been resolved.

According to the General Data Protection Regulation, companies are only allowed to retain and process personal data for as long as is necessary for the purpose for which the information was collected in the first place. To comply, Deutsche Wohnen would have had to delete the data they obtained about former tenants or persons applying for apartments in time. Holding on to such enormous amounts of data becomes problematic when you factor in the threat of cyber attacks or possible data abuse conducted by internal staff.

Record fine

The GDPR allows authorities to impose penalties of up to 4 percent of the accused company’s worldwide turnover, depending on the gravity of the offence. In the previous year, Deutsche Wohnen generated more than one billion Euros in turnover. This means that the fine of 14.5 million Euros is significantly lower than the permitted maximum (28 million Euros). The maximum penalty could not be imposed because authorities were unable to prove that the data had been accessed abusively and, furthermore, Deutsche Wohnen had announced they would be taking measures to improve the situation.

The data protection authority issued additional fines between 6,000 and 17,000 Euros for illegal storage of personal data of tenants in 15 concrete cases. This is the first GDPR fine amounting to millions in Germany; the highest fine in the country to date was 195,000 Euros. France and Great Britain, in comparison, have seen penalties of this magnitude being imposed on several occasions.

The decision is not yet legally binding, and Deutsche Wohnen has announced that it intends to appeal.

Access management is data protection

One way to safeguard your company’s critical data and ensure it is being treated responsibly is to make sure that IT privileges are assigned according to comprehensible and transparent processes. tenfold is an access management system that can help you to maintain control of and manage the access rights in your company in an effective manner, spanning across systems and, of course, always in accordance with the GDPR.