German real estate company hoards data – A GDPR fine follows
A Real Estate Agency from Germany saved a lot of personal data, without checking if they were allowed to do so or if they even need the data. The Data Protection Agency found back in the year 2015 an old archive system that didn’t allow the deletion of data. The Data Protection Agency tried to help by offering advice. During an investigation in 2019, the same old archive system was discovered, unchanged. There were hints of preparations, but no action was taken to fix the illegal storage of the data.
In some cases, residents of the 165.000 flats and 2700 stores were able to access data of former inhabitants of the buildings.
As the company saved data that it didn’t need anymore and did not fix the problem for four years, a fine of 14.5 Million Euros was issued. These “Data Graveyards” are sadly common, says the Data Protection Officer of the German city Berlin. These data dumps contain huge piles of unnecessary data. The GDPR rules that data that is not needed anymore has to be deleted.
Sources: heise.de (German)
Type of Issue:
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
32. Security of processing
5. Principles relating to personal data processing
6. Lawfulness of processing