Berlin DPA fines millions for inadequate data destruction

Why the data storage limitation should be taken seriously

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (“Berlin DPA”) imposed a fine of EUR 14.5 million on a real estate company for not complying with the GDPR.

Anastasiya Milshina | November 21, 2019

What happened?

The company had used an archiving system for the storage of personal data of their tenants which did not enable the deletion of personal data that was no longer necessary. The personal data affected included sensitive information such as extracts from employment and training contracts, tax data, social security and health insurance data and bank statements. In some cases this data dated back many years.

The company was warned by the Berlin DPA back in 2017. The company then started a project to remedy the detected faults. However, during a follow-up inspection in 2019 the Berlin DPA found that the company was still unable to demonstrate compliance: the measures did not result in lawful storage of the personal data.

The Berlin DPA therefore imposed a fine for breach of the following principles:

  • ‘data protection by design’ and ‘data protection by default’ (Art. 25 (1) GDPR); and
  • ‘storage limitation’ (Art. 5 GDPR), which requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Our pointers

  1. Data retention & destruction is important and relevant. This was not the first fine imposed under the GDPR for failure to comply with the storage limitation principle. In May 2019 the French Data Protection Authority (“CNIL”) issued a EUR 400,000 fine for a similar breach. Both enforcement actions show the importance of an adequate data retention and destruction policy and of its implementation. Merely having a retention schedule is not enough: organizations should also be able to demonstrate a successful implementation.
  2. Don’t wait for a data breach. Your organization can also be fined before a worst-case scenario has occurred. In this case the company was fined as a result of an infringement of data protection principles; no specific unlawful processing or unauthorized access (for example, a data breach) had been proven.
  3. Privacy by design and default are serious requirements, and when handled with care they can save time and money down the road. The Berlin DPA very concretely indicates that deliberately setting up an archiving structure that does not take data protection principles into account could increase the penalty.
  4. You are not alone. Many organizations are dealing with issues around data retention and destruction. Frequently encountered questions concern overlapping data retention terms, the application of a (specific) regulatory and legal landscape, and responsibilities around legacy (filing) systems and archiving.

Our assistance

Data retention and destruction: never a very popular topic, but a shared headache. We do see success in practice where the retention principles and policy can be explained on one sheet of paper or the proverbial “back of a beer coaster”. This works best in combination with a project-based approach to implementing these policies, backed up by a globally validated retention schedule that is updated and tuned to your organization’s specific needs. Want to hear more? Please contact Marloes Dankert and Anastasiya Milshina.