Two recent fines imposed by German data protection regulators again highlight the risks of non-compliance with the GDPR.
The first of the fines (€14.5 million) was imposed on a German real estate company (die Deutsche Wohnen) by the Berlin Data Protection Authority. The fine related to the retention of extensive personal data about tenants for longer than was necessary. The Berlin DPA found that:
- Deutsche Wohnen did not have a legal basis for holding the personal data for longer than was needed (a requirement under Article 6 of the GDPR)
- Its retention of the personal data indefinitely infringed the data protection by design and default requirements (as set out in Article 25 of the GDPR); and
- There was also a breach of the general data protection principles (set out in Article 5 of the GDPR).
The fact that Deutsche Wohnen did not have GDPR compliant processes relating to data retention and deletion had been brought to its attention during an audit conducted by the Berlin DPA a couple of years before. However, a second audit in 2019 revealed that the company hadn’t fixed the problem. Something it is surely regretting now!
The second fine (€9.55 million) was imposed on Monday by Germany’s Federal Commissioner for Data Protection and Freedom of Information against mobile service provider, 1&1 Telecommunication SE. The fine related to a breach of the security obligations set out in Article 30 of the GDPR.
However, for once, the breach wasn’t cyber security related. Instead, the regulator had discovered that anyone who rang 1&1 Telecom could obtain extensive personal information about a customer, simply by providing that customer’s name and date of birth (information that is widely available these days through social media). This constituted a failure by 1&1 Telecom to implement appropriate technical and organisational measures to protect customer personal data, putting its entire customer database at risk.
1&1 Telecom plans to appeal the fine, claiming that the size of the penalty imposed is not reflective of the fact that it acted transparently and fully co-operated with the data protection regulator once the non-compliance had been identified. This relates to the provisions of Article 83 of the GDPR which require regulators to take a wide range of factors into account when determining the appropriate level of a fine, including:
- The degree of co-operation with the regulator;
- Whether the non-compliance was intentional or negligent; and
- The nature, gravity and duration of the incident.
1&1 Telecom has also spoken out about what it considers to be the ‘disproportionate nature’ of the fine which took into account the sales of the entire 1&1 group, not just 1&1 Telecom (which was a subsidiary company). However, the GDPR clearly envisages the calculation of fines based on annual, worldwide, group turnover, so it’s unlikely that 1&1 Telecom will get very far with this argument.
Several clear messages emerge from these recent cases:
- The GDPR is about more than just cyber security. Don’t ignore other aspects of your compliance, including your legal bases for processing, data retention and deletion and your organisational and procedural security measures.
- If you are fined, be prepared for the penalty to be based on annual, worldwide, group turnover, not just the sales of the particular group company concerned.
- The fact that you’ve co-operated with the regulators, won’t mean that you escape a substantial fine, particularly if you have put a large amount of personal data at risk.
- If you are audited by a regulator and issues are identified, make sure that you fix the problem within whatever timescale is specified!
If you’d like further information or advice relating to any of the issues dealt with above, please don’t hesitate to contact a member of Geldards’ Information Law Team.