Processing of sensitive data of prospective tenants without legal basis
BREBAU GmbH is a Bremen-based company specializing in residential construction and is a wholly owned subsidiary of the City of Bremen.
According to a report by the LfDI, BREBAU GmbH processed 9500 data records of prospective tenants without a legal basis. Data was also collected on body odor, personal appearance and hairstyle, among other things. In more than half of the cases, the data collected belonged to the special categories of personal data within the meaning of Art. 9 para. 1 GDPR, which require special protection. In particular, information on skin color, ethnic origin, religious affiliation, sexual orientation, and health status was unlawfully processed.
Furthermore, the company deliberately obstructed requests from data subjects for disclosure of their data.
The LfDI considered this incident a drastic violation of the fundamental right to data protection and therefore imposed a fine.
According to the LfDI, the seriousness of the data protection breach would have justified a considerably higher penalty. On the other hand, BREBAU GmbH cooperated extensively in the supervisory proceedings, was committed to mitigating the damage and, through internal measures, aims to prevent the repetition of such incidents in the future, so the fine was significantly reduced.
As a result, two senior executives of the company were dismissed.
Type of violation:
Illegal data processing
Was sensitive data affected?:
Violation of GDPR Paragraph:
12. Transparent information, communication and modalities for the exercise of the rights of the data subject
15. Right of access by the data subject
5. Principles relating to personal data processing
6. Lawfulness of processing
9. Processing of special categories of personal data