It finally happened. The Berlin Commissioner for Data Protection and Freedom of Information has imposed an administrative fine of about EUR 14.5 million against Deutsche Wohnen SE for infringements of the GDPR in their unstructured data.

Deutsche Whonen SE is a real estate company and are being fined for having an archiving solution containing personal data that did not allow for the erasure of data that was no longer necessary.

The archiving solution used is what called data-lake of unstructured data, containing a variety of files such as payslips, self-disclosure forms, extracts from employment and training contracts, tax data, social security and health insurance data and bank statements. 

On an audit in March 2019 the Berlin DPA found that Deutsche Wohnen SE was unable to demonstrate neither a clean-up of its data, nor legal grounds for each stored document.

The fine is issued although the Berlin DPA could not prove that any data had been lawful or disclosed to third parties.

Instead, the Berlin DPA conclude that storage of personal data, without possibility to erase it, nor being able to display a legal ground for the collection and processing, constitutes an infringement of both the data protection by design in Article 25, and of the general processing principles set out in Article 5.

Keeping personal data in unstructured data, without documentation or ability to erase it, is lack in technical and organizational measures, and leads to breaches of both the principle of data minimization and storage minimization.

The fine constitutes 2% of Deutsche Wohnen SEs global annual turnover, and the Berlin DPA saw it as particularly aggravating that the company deliberately had set up the structure for file storage, and that the data had been processed for a long time.

As mitigating factors, Deutsche Wohnen had in fact taken measures to remedy the situation, although unsuccessful, and the company also cooperated well with the DPA.

Unfortunately, in supervisory practice we often encounter data cemeteries such as those found at Deutsche Wohnen SE. The explosive nature of such misconduct is unfortunately only made aware to us when it has come to improper access to the mass hoarded data, for example in case of cyber-attacks.

But even without such serious consequences, we are dealing with a blatant infringement of the principles of data protection, which are intended to protect the data subjects from precisely such risks.

It is gratifying that the legislator has introduced the possibility of sanctioning such structural deficiencies under the General Data Protection Regulation before the worst-case scenario data breach occurs.

I recommend all organizations processing personal data to review their data archiving for compliance with the GDPR.

Maja Smoltczyk, head of the Berlin DPA

It deserves to be repeated.

Compliance with GDPR in unstructured data can only be achieved by making a privacy data inventory, and the levels of the fine issued by the Berlin DPA shows that negligence towards unstructured data lakes is considered a major breach of processing principles, even though no unauthorized access can even be proven.

And now we know the cost of such negligence.