GDPR, data cemeteries, and million-dollar fines: Deutsche Wohnen SE Case Study
On October 30, 2019, Germany dealt out its largest GDPR fine to date: €14.5 million (EUR). The business receiving this fine was Deutsche Wohnen SE, a major property company. This case study will analyze Deutsche Wohnen SE’s legal infractions and the decision-making process of the Berlin Data Protection Authority (DPA), and explain what Deutsche Wohnen SE should have done differently. Through this, we hope to help your business avoid making the same mistake.
Deutsche Wohnen SE was found to have stored the personal data of tenants in an archive system whose architecture was not designed to delete data deemed no longer necessary. This meant that data that was years old could be utilised for purposes other than those specified at the point of collection. This clearly violates GDPR, as the company had no legal grounds to store information that is not relevant to the original business purpose.
A fine of this magnitude signifies that particular importance has been attributed to data graveyards, given the unnecessary risks associated with cyber breaches in this repository. Storing data for excessive periods of time is covered comprehensively by the GDPR, and the damages demonstrate that these articles will be enforced extensively. Regulatory bodies expect businesses to embed privacy into their software design, to minimize data as much as possible, and to implement changes to the way they store and process data.
How Deutsche Wohnen SE violated Articles 5 and 25 of GDPR
Examinations by the Berlin DPA in June 2017 and March 2019 determined that the tenant data stored in Deutsche Wohnen SE’s archive system was not essential to business operations and thus could not legally be stored longer than the necessary period of time. However, there was no system implemented to erase unnecessary data. This violates Article 5 and Article 25 of the GDPR.
Article 5 (e): Personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
Deutsche Wohnen SE’s actions infringed upon the processing principles outlined in Article 5, which determines that data should only be kept for as long as is necessary to complete the original purpose for which it was collected, to benefit the general public, or for scientific/historical research. This means that under the law, tenant data should have been deleted as soon as the tenant ended their connection with the company.
Article 25 (1): “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
Article 25 outlines that privacy should be baked into the framework of data storage systems in an effort to offer data subjects the highest possible level of data protection. This is known as Privacy by Design. Deutsche Wohnen SE failed to meet this criterion because they had no system in place to erase unnecessary data. Since it was determined by the DPA that the tenant information was not vital to operations, a systematic process should have been in place to erase the data as soon as it was no longer pertinent.
Why the Berlin DPA fined Deutsche Wohnen SE 14.5 million euros
Inspectors from Berlin’s DPA first flagged the archive system in an audit in June 2017. Then, in March 2019, more than 1.5 years after the initial examination and nine months after the implementation of GDPR, another audit was performed that demonstrated the system had still not been brought into compliance.
Consequently, it was determined that Deutsche Wohnen SE deliberately created an archival system that they knew for over a year violated consumer privacy and the law.
The company did initiate a project to attempt to remedy the potential non-compliance, but the measures were determined to be inadequate. Though ineffective, by taking an initial step to remedy the illegal data management structures and by cooperating with the DPA, Deutsche Wohnen SE was able to limit the magnitude of the fine, which could have amounted to as much as 4% of their annual revenue of nearly 1.5 billion euros.
In a press release, the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, said:
Unfortunately, in supervisory practice, we often encounter data cemeteries such as those found at Deutsche Wohnen SE. The explosive nature of such misconduct is unfortunately only made aware to us when it has come to improper access to the mass hoarded data, for example, in cases of cyber-attacks. But even without such serious consequences, we are dealing with a blatant infringement of the principles of data protection, which are intended to protect the data subjects from precisely such risks.
The DPA’s ruling reflects that being unable to prove that data had been disclosed to third parties or accessed unlawfully is irrelevant to the case. If the architecture of data storage was not designed with privacy in mind, it violates GDPR.
This signifies the risk of storing old data in the GDPR era. After all, data cemeteries are just waiting to be mishandled and exposed in data breaches.
GDPR makes provisions for the risks of data breaches, and seeks to limit them by enforcing proactive privacy regulations. These objectives are what the commissioner looked to uphold when she determined the monetary penalty for the German property company. In consequence, Deutsche Wohnen SE was fined 14.5 million euros, the highest German GDPR fine to date, for failing to implement Privacy by Design. Additional fines were also imposed (between EUR 6,000 and 17,000) for “the inadmissible storage of personal data of tenants in 15 specific individual cases.”
What Deutsche Wohnen SE should have done, and how you can avoid the same fate
In that same press release, Maja Smoltczyk remarked that it is gratifying to be able to impose sanctions on structural deficiencies under GDPR before data breaches occur. In addition, she gave a warning: “I recommend all organizations processing personal data review their data archiving for compliance with the GDPR.”
The definitive recommendation and high fine signify that the Berlin DPA will meet data cemetery cases with a hard hand. This sets a precedent that the commissioner intends to impose penalties on companies before massive breaches occur, as a means of being proactive. The threat of proactive penalties should incite fear across all data-driven organizations because the impact of audits and finding GDPR non-compliance will undoubtedly disrupt operations and cost money.
However, there is another salient lesson to be learned here: customer information that has been anonymized is no longer considered personal and thus is not regulated by the GDPR. This means that had Deutsche Wohnen SE anonymized their data cemeteries, they would have avoided the €14.5 million regulatory penalties and protected their tenants’ data.
In light of this penalty, it is clear that businesses should build anonymization strategies into the design of their data repositories. This can be done through privacy automation solutions, like CN-Protect, which assess, quantify, and assure privacy compliance through a four-step process:
- Metadata classification: identifies the direct, indirect, and sensitive data in an automated manner, to help businesses understand what kind of data they have.
- Protect data: applies advanced privacy techniques, such as k-anonymization and differential privacy, to tables, text, images, video, and audio.
- Quantify risk: calculates the risk of re-identification of individuals and provides a privacy risk score.
- Automate privacy protection: implements policies to determine how data is treated in your pipelines.
Businesses should use this four-step process to confirm that their dataset has truly been anonymized, and gain certainty that they won’t be next on the GDPR chopping block. In turn, privacy automation will smooth out the compliance process and empower businesses to mitigate any risks from data cemeteries.
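How the "protect data" and "quantify risk" steps above can be checked in practice, as an added example that is not from the original article or from CN-Protect: it measures k-anonymity and re-identification risk over a constructed tenant archive before and after generalization. The field names, the generalization rules and the threshold k=3 are assumptions.

```python
from collections import Counter

# Constructed sample of archived tenant records (not real data). Direct
# identifiers are assumed already removed; the field names are hypothetical.
ARCHIVE = [
    {"birth_year": 1961, "postcode": "10115", "move_out": 2009, "arrears": True},
    {"birth_year": 1964, "postcode": "10117", "move_out": 2008, "arrears": False},
    {"birth_year": 1968, "postcode": "10119", "move_out": 2006, "arrears": False},
    {"birth_year": 1982, "postcode": "10437", "move_out": 2012, "arrears": False},
    {"birth_year": 1985, "postcode": "10439", "move_out": 2014, "arrears": True},
    {"birth_year": 1987, "postcode": "10435", "move_out": 2011, "arrears": False},
    {"birth_year": 1990, "postcode": "12043", "move_out": 2016, "arrears": False},
    {"birth_year": 1975, "postcode": "13353", "move_out": 2003, "arrears": True},
]
QUASI_IDENTIFIERS = ("birth_year", "postcode", "move_out")  # indirect identifiers

def generalize(rec):
    """Coarsen each quasi-identifier: birth decade, postcode prefix, 5-year band."""
    return {
        "birth_year": rec["birth_year"] // 10 * 10,
        "postcode": rec["postcode"][:3] + "**",
        "move_out": rec["move_out"] // 5 * 5,
        "arrears": rec["arrears"],  # sensitive attribute, kept for analysis
    }

def class_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count records per equivalence class (identical quasi-identifier values)."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """k is the size of the smallest equivalence class; k=1 means someone is unique."""
    sizes = class_sizes(records, keys)
    return min(sizes.values()) if sizes else 0

def reidentification_risk(records, keys=QUASI_IDENTIFIERS):
    """(worst-case, average) chance of singling out a record known to be in the set."""
    sizes = class_sizes(records, keys)
    return 1 / min(sizes.values()), len(sizes) / sum(sizes.values())

def suppress_small_classes(records, k, keys=QUASI_IDENTIFIERS):
    """Drop records whose equivalence class is smaller than k."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[key] for key in keys)] >= k]

if __name__ == "__main__":
    generalized = [generalize(r) for r in ARCHIVE]
    released = suppress_small_classes(generalized, k=3)
    for name, rows in (("raw", ARCHIVE), ("generalized", generalized), ("released", released)):
        print(name, len(rows), k_anonymity(rows), reidentification_risk(rows))
```

Generalization alone still leaves two unique records in this sample, which is why the score is computed after every transformation. The k value bounds linkage on the listed quasi-identifiers only and says nothing about a class whose members all share the same sensitive value.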
Taking the step to anonymize data minimizes the risk of identification. With de-personalized data, control belongs to you, and GDPR risks are eliminated. Through this process, privacy protection and data analysis can occur simultaneously. You can be sure that Deutsche Wohnen SE are now wishing they had performed anonymization, as it would have saved them millions of euros. Don’t get caught in the same position.