The Berlin Commissioner for Data Protection and Freedom of Information recently fined real estate company Deutsche Wohnen SE €14.5 million under GDPR for storing the personal and financial data of tenants without any need to do so, signalling that real estate firms must comply with GDPR requirements to avoid massive fines and reputational damage.
In July this year, the Information Commissioner's Office issued a fine of £80,000 to London-based real estate agency Life at Parliament View Ltd for failing to appropriately secure personal and financial information of landlords and tenants between March 2015 and February 2017.
The fine was issued after the ICO concluded that the real estate agency failed to implement access restrictions when it transferred personal and financial data of landlords and tenants from its server to a partner organisation.
The ICO issued the £80,000 fine to the real estate agency under the Data Protection Act 1998, as the exposure of personal data took place before GDPR came into force. Had the privacy violation taken place after the arrival of GDPR, the fine imposed on the real estate agency could have run into the millions.
There is a recent precedent of such a massive fine being imposed on a real estate agency for storing and handling the personal and financial data of customers without any business reason for doing so.
Berlin DPA fined real estate agency for storing customer data without having any reason to do so
On 30 October, the Berlin Commissioner for Data Protection and Freedom of Information fined real estate company Deutsche Wohnen SE €14.5 million under GDPR, stating that the company had failed to erase personal and financial information of its customers that was no longer necessary, even though the authority had flagged the non-compliance over two years ago.
The Berlin DPA noted that Deutsche Wohnen SE stored detailed personal and financial information of tenants, such as salary certificates, self-disclosure forms, excerpts from employment and training contracts, tax, social and health insurance data, and bank statements.
Even after the company was asked in June 2017 to change its archiving system, it failed to do so and continued to store customer data that was no longer necessary. The authority initially intended to fine Deutsche Wohnen SE €28 million, but finally imposed a fine of €14.5 million as "the company could not be shown any abusive access to the inadmissibly stored data."
"Unfortunately, in supervisory practice we often encounter data cemeteries such as those found at Deutsche Wohnen SE. The explosive nature of such misconduct is unfortunately only made aware to us when it has come to improper access to the mass hoarded data, for example in case of cyber-attacks," said Maja Smoltczyk, the head of the Berlin DPA.
"But even without such serious consequences, we are dealing with a blatant infringement of the principles of data protection, which are intended to protect the data subjects from precisely such risks.
"It is gratifying that the legislator has introduced the possibility of sanctioning such structural deficiencies under the General Data Protection Regulation before the worst-case scenario data breach occurs. I recommend all organisations processing personal data to review their data archiving for compliance with the GDPR," she added.
Real estate firms must continuously review the data they hold and delete data that is no longer required
Commenting on the massive fine imposed on the real estate agency, Emily Dorotheou, an associate at UK law firm Mishcon de Reya, told Property Industry Eye that the case serves as a reminder to real estate firms to regularly review the personal data they store and to delete or anonymise any data that is no longer required.
"Removal of unnecessary personal data also reduces their exposure to data leaks or security breaches. However, where companies can reasonably justify retaining personal data, for example for tax record purposes, this will arguably provide a basis to continue holding on to the data," she added.
According to Steve Eckersley, Director of Investigations at the ICO, companies must accept that they have a legal obligation both to protect and to keep secure the personal data they are entrusted with, because customers have the right to expect that the personal information they provide to companies will remain safe and secure.