Highest fine in Germany for data protection violations

Berlin’s data protection commissioner Maja Smoltczyk has issued a 14.5 million euro fine notice against listed real estate group Deutsche Wohnen.

The housing company is accused of storing tenants’ personal data in the databases indefinitely, without checking whether this is lawful and necessary. Personal data includes, for example, salary statements, bank statements, self-disclosure statements, extracts from employment contracts, and tax, social security and health insurance data. As a rule, these are documents that prospective tenants must submit to prove their creditworthiness before signing a lease.

Another problem is that the personal data had been stored indelibly in the company’s archives and could still be viewed and processed. This was done without a legal basis, so the documents would have to be destroyed under the GDPR.

This is because, according to Article 5 of the General Data Protection Regulation (GDPR), companies may only store and process personal data for as long as it is necessary for the purpose for which it was collected. For this reason, for example, data of former tenants who have been living elsewhere for some time or of applicants with whom no rental agreement has been concluded must be deleted.

As early as June 2017, Deutsche Wohnen Group was found to have stored personal data of tenants in an archiving system where data that was no longer required could not be deleted at all, the authority said. During a re-audit in the spring of 2019, it had become apparent that the company had still not cleaned up the records.

This case shows that the German data protection supervisory authorities are also applying the new fine concept in practice.

Your contact for data protection law: Dr. Stefan Drewes, Tel.: 0228-90248070, e-mail: