The German company, Deutsche Wohnen, is reported to have retained old customer data, which is a breach of administrative obligations, rather than a data breach which is loss or misuse of customer data.
It is reportedly the first GDPR fine in response to a company’s data retention activity and the largest fine received by a property company.
Although a German investigation, it will be one which other data protection regulators, including the UK’s Information Commission, will be looking at for an indication of appropriate fines.
The GDPR came into force on 25 May 2018, and directly applies to all EU countries including the UK, even in the event of a no-deal Brexit. Any UK based businesses offering goods or services in the EU, or monitoring the behaviour of EU residents, will still need to comply with GDPR rules.
Deutsche Wohnen was found to have breached obligations to keep personal data for “no longer than is necessary for the purposes for which the personal data are processed”, to ensure that personal data is adequate, relevant and limited to what is necessary; and to provide appropriate technical and organisational measures designed to implement data protection principles.
Despite the regulator's request that it revise these activities, Deutsche Wohnen's improvements did not go far enough. The fine could have been millions of pounds higher, but Deutsche Wohnen is co-operating with the investigation and took steps to address its failure.
This case highlights to property companies the need to regularly review their data processes and the data which is kept.
Propertymark GDPR resources
Propertymark has a number of resources to help members understand and comply with their GDPR obligations.