Germany: Record EUR 14.5 million fine for GDPR breach
The Data Protection Commissioner for Berlin has imposed a fine of EUR 14.5 million for a breach of the General Data Protection Regulation (GDPR). The fine is a record for Germany and the first truly large fine imposed in the country since the GDPR entered into force in May 2018. It reveals a pressing need for all businesses to urgently review the type of personal data they are storing as well as the duration of this storage.
'Data protection by design' and 'data protection by default'
The subject of the fine was a real estate company with an annual turnover of over one billion euros. The company had used an archiving system for the storage of personal data relating to their tenants which did not enable the deletion of personal data which was no longer required. The personal data relating to these tenants in some cases dated back many years and included sensitive data such as pay slips, self-disclosure forms, employment contracts, as well as tax data, social security data and health insurance data. This data was stored even though it was no longer necessary for the purpose for which it had originally been collected.
Berlin's Data Protection Commissioner had already audited the company in 2017 and advised of the need to urgently replace the archiving system, yet upon visiting again in 2019 these issues had still not been resolved and the system remained in place. The Commissioner therefore imposed the fine for breach of the principles of 'data protection by design' and 'data protection by default', enshrined in Art 25 (1) GDPR, as well as for a breach of Art 5 GDPR.
Importantly, such a high fine was imposed notwithstanding the fact that there was no evidence that the data had actually been accessed for improper purposes. The Data Protection Commissioner, Maja Smoltczyk, noted that the danger of having such massive amounts of personal data hoarded is that the consequences of unauthorized access can be enormous. When personal data is exposed on such a scale through a hacker attack, for example, such maladministration can have "explosive effects".
However, this was not the first case in Europe in which non-compliance with the data retention provisions of the GDPR led to a significant fine from a local regulator. CNIL, the French Data Protection Regulator, had already in May 2019 issued a fine of EUR 400,000 against the real property development company SEGIC, inter alia for failure to comply with the data retention provisions of the GDPR.
Urgent action required
Controllers and processors must now take urgent action to review their processes and examine their handling of personal data, regardless of where in the world they are situated. Issues such as liability for breaches of the principles of data protection by default and by design should be considered in the contracts between them.
Businesses - including businesses that are subject to the extraterritorial scope of the GDPR - that retain documents containing personal data without assessing the necessity or legitimacy of that retention need to reconsider their approach and ensure they have developed and are implementing meaningful data retention policies. This consists of examining the data flows in the organization, categorizing the different types of personal data processed, defining appropriate storage periods for each of those categories of personal data, and implementing systems to ensure adherence to the resulting retention policies. BEITEN BURKHARDT can readily assist you with the creation, adoption and implementation of such data retention policies.
If you have any questions regarding this topic, please feel free to contact Dr Axel von Walter and Sam Cross, LL.M.
Dr Axel von Walter
Lawyer, Licensed Specialist for Copyright and Media Law, Licensed Specialist for Information Technology Law