Berlin DPA fine of 14.5 million EUR highlights the importance of the storage limitation principle
The Berlin Data Protection Authority (“DPA”) has imposed a fine of 14.5 million EUR (the fifth largest fine in the EU and the largest in Germany) on a real estate company for failing to observe the storage limitation and data privacy by design principles.
More specifically, the company was found to store data that was no longer necessary for the purposes for which it had been processed, using a storage system that provided no mechanism for deleting data that was no longer in use. The DPA therefore noted that it is not sufficient to define retention periods for the personal data processed; technical mechanisms enabling the deletion or destruction of such data must also be implemented.
The issue is particularly sensitive because the company collected and stored various types of data, including sensitive data such as information on tenants’ personal and financial circumstances: social security and health insurance data, and financial data (available bank statements, salary statements).
The company was first investigated on these matters in early 2017, and remediation measures were implemented through 2019. According to the DPA’s findings in 2019, these remediation measures were not effective, and large quantities of personal data were still being stored in a non-compliant manner for unlawful periods of time.
These factors were decisive in determining the amount of the fine. The DPA stated in its press release that this practice is quite common, as “data cemeteries” are frequently encountered in its investigations.
This case is particularly significant for the archiving of personal data and serves as a reminder of the importance of verifying compliance with the data minimization and data retention principles in practice, for each processing activity and irrespective of the company’s line of business.
The data privacy by design and data retention principles may prove quite difficult to implement in practice, as they require both legal and IT competences. In particular, data retention must take into account the specifics of the archiving rules in Romania, existing data retention periods and the company’s actual business needs.