#Privacy: Berlin DPA imposes fine to real estate company

The Berlin Data Protection Authority (DPA) becomes the first of German DPAs to impose a million-euro fine for GDPR violations. 

The real estate company, Deutsche Wohnen, has been hit by a fine of 14.5 million euros for the unlawful storage of old tenant data. 

Following an on-site inspection in 2017, the Berlin DPA discovered that Deutsche Wohnen had been using an archive system that did not have an option to delete old data. The system contained sensitive information about former and current tenants. 

Subsequently, the company infringed Art. 25 (1) and Art. (5) of the GDPR, to which the Berlin DPA had issued a recommendation for the company to act and allow them time to amend the archive system so it would fit to GDPR requirements, as well as allowing them to respect applicable retention periods. 

Another on-site inspection carried out in 2019, the GDPR infringements were still present, thus leading the Berlin DPA to impose a fine on the company for the period between the direct applicability of the GDPR and October 2019. 

During this period, Deutsche Wohnen did not clean up its database, nor prove that it had legal basis for the processing of personal data. 

In an interview with Berlin’s Data Protection Commissioner Maja Smoltczyk, explains that this case is not an isolated case, but rather the first on that scale with such a vast amount of data. 

She adds: “There are no health data affected and according to our information, no data has been disclosed to third parties. Nevertheless, personal data are in considerable quantities. The system provides insights into the lives of many, many people. You can see who lives with whom, what kind of education someone has or where he used to live. These are things of everyday life that we would not share so easily.”

Since the implementation of GDPR in Germany, many companies have been turning a blind eye therefore this fine underlines that an official warning to eliminate GDPR infringements is not enough.

This fine is the first in the millions, and it is expected that further fines by the DPAs will follow shortly.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/