The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view their then-current needs. And they may neglect to purge their databases and securely dispose of this data.
These practices might lead to an investigation and result in a fine. Companies that are subject to the EU General Data Protection Regulation (GDPR) and the related EU data protection laws should remember that GDPR and those national laws contain detailed and specific provisions requiring, among other, that entities collect only the minimum amount of data necessary, and limit the retention of this data to the shortest, most reasonable time.
EUR 14.5 million fine
At the beginning of November 2019, the Berlin Commissioner for Data Protection and Freedom of Information assessed a EUR 14.5 million fine against Deutsche Wohnen SE, a German residential real estate company, for violations of the GDPR, specifically violation of the data minimization and storage limitation principles. The decision has been made public, but is not yet final; it has been appealed.
According to Berlin Data Commissioner, the EUR 14.5 million fine was related to alleged deficiencies in the company’s archiving system, which did not allow for deletion of legacy data. The data affected included financial information about tenants, such as pay-slips, self-disclosure forms, extracts from employment agreements, tax data, social security and health insurance data and bank statements. The Berlin Data Commissioner also found that the practices of the company constituted an infringement of the data protection by design requirements. It focused primarily on violations of the data minimization principle and the failure to dispose of the data upon expiration of the retention period.
Companies that are subject to the GDPR should keep in might that the GDPR provides for fines significantly higher than those that were assessed under the national laws that derived from the 1995 EU Data Protection Directive. GDPR Article 83 provides for two levels of fines, which depend on the nature of the violation, but even the lower range would allow for significant fine amounts. The highest level of fines is up to EUR 20 Million or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. The lowest level of fines is up to EUR 10 Million or 2% of the worldwide annual revenue, whichever is higher.
Germany, where the Deutsche Wohnen case was handled, is taking a structured approach to the determination of fines for violation of the GDPR. In October 2019, DSK, the joint coordinating board of the German Data Protection Authorities, published a detailed chart for the calculation of GDPR fines. Among other things, it sets out several levels of severity of the violation, and associates to each of these levels a multiplier range between 1 and 14.4. A fine is computed according to that multiplier and the daily global revenue for the company or group of companies. According to the Berlin Data Commissioner, the fine in the Deutsche Wohnen case has been computed by using the DSK model.
As the EU Data Supervisory Authorities are reviewing cases and assessing fines that are based on the provisions of the GDPR, we note an increasing number of decisions that provide for significant fines. Earlier this year, for example, CNIL, the French Data Protection Authority, assessed a EUR 50 million fine against Google for aggressive marketing practices. This was followed, during the summer by a £100 million fine assessed against Marriott Hotel, and a £183.39 million against British Airways. Both cases were handled by the UK Information Commissioner’s Office.
While the nature of the Deutsche Wohnen case is different from that of the earlier cases discussed above, and the level of fines assessed against the real estate company is significantly lower than those described above, they show that
- Supervisory Authorities handle a wide variety of cases, react to numerous forms of alleged violations of the GDPR; not just data breaches
- Compliance with the basic data protection principle is a significant element; they should be reviewed at each legal and technical audit.
- Periodic compliance and technical audits may help identify deficiencies and reduce legal and technical risk when these deficiencies are corrected.
- Fine levels under GDPR are generally significantly higher than under prior regimes.