Skip to main content

Administrative fine of 14.500.000 Euro imposed against German Real Estate Company


The Berlin Data Protection Authority has imposed an administrative fine against a Berlin real estate company for 14,5 Million euros due to violations of GDPR regulations.


How did the violation come About

During an on-site inspection by the Data Authority in June 2017, the Data Authority observed that the real estate company was using an archive system that did not provide an option to delete personal data that was no longer necessary in relation to the purposes for which they were processed. Personal data of tenants was therefore archived without checking if storing this data was lawful.

The Data Authority issued a warning in June 2017 and suggested to change the archive system. In another on-site inspection in March 2019 the real estate company did neither have a new archive system, had not deleted the unlawful storage personal data of tenants nor could they provide legal grounds for the ongoing storage of the personal data.


Storaged data over several years old

During the second on-site inspection the officers found personal information of tenants from years ago, that was – in the opinion of the Berlin Data Protection Authority - not necessary in relation to the initial purpose. Next to pay slips, self-disclosures, employment and training contracts the officers also found tax information, social and health insurance data as well as account statements from former clients. The unlawfully storaged personal data in numerous ways revealed the personal and financial circumstances of the data subjects.


How did the imposed fine sum up?

The GDPR regulations state that infringements can be subject to administrative fines up to 20 000 000 euros, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Before this case, the highest administrative fine issued in Germany after the application of the GDPR reached the total of 80.000 euros.

The annual turnover of the preceding financial year 2018 amounted to more than one billion euros. Therefore, the legal frame for the administrative fine summed up to approximately 28 million euros. The data authority imposed an administrative fine in midrange of the legal frame, because there was no proof of misusing the unlawfully storage data.

The real estate company does not seem to admit to their failure and has announced to take legal steps against the penalty notice.


Article provided by:

Dr. Jens Eckhardt, dmp Derra, Meyer & Partner PartGmbB
Fachanwalt für IT-Recht
Datenschutz-Auditor (TÜV)
Compliance-Officer (TÜV)
Vorstand (Recht) Eurocloud Deutschland _eco e.V.

Nils Steffen, Meyer & Partner PartGmbB
Datenschutzbeauftragter (TÜV-Süd) (Tpoical at 10. December 2019)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.