Processing of sensitive data of prospective tenants without legal basis

Processing of sensitive data of prospective tenants without legal basis

BREBAU GmbH is a Bremen-based company specializing in residential construction and is a wholly owned subsidiary of the City of Bremen.

According to a report by the LfDI, BREBAU GmbH processed 9500 data of prospective tenants without a legal basis. Data was also collected on body odor, personal appearance and hairstyle, among other things. In more than half of the cases, data of the special categories of personal data were within the meaning of Art. 9 para. 1 GDPR, which require special protection, collected. In particular, information on skin color, ethnic origin, religious affiliation, sexual orientation, and health status was unlawfully processed.

Furthermore, the company has deliberately prevented requests from data subjects to disclose their data.

The LfDI considered this incident a drastic violation of the fundamental right to data protection and therefore imposed a fine.

According to the LfDI, the seriousness of the data protection breach would have justified a considerably higher penalty. On the other hand, BREBAU GmbH cooperated extensively in the supervisory proceedings, was committed to mitigating the damage and, through internal measures, aims to prevent the repetition of such incidents in the future, so the fine was significantly reduced.

As a result, two senior executives of the company were dismissed.

Entscheidungsdatum:
03.03.2022

Land:
Germany

Art des Verstoßes:
Illegal data processing

Betroffene Datensätze:
9500

Waren sensible Daten betroffen?:
Yes

verhängte Geldstrafe:
€ 1,900,000,-

Quelle:
Press release of the LfDI of the Free Hanseatic City of Bremen