Published on November 27th, 2019
Agents warned after property firm faces £12m fine in tenancy data breach case – Property Industry Eye
UK estate and letting agents should be on their guard after a property company in Berlin was served a notice to fine it over £12.4m, or €14.5m, because of a breach of data regulations.
The German company, Deutsche Wohnen, is said to have hung on to tenant data, using a software system that did not automatically delete obsolete information.
It appears to be the first GDPR fine triggered by a company’s data retention activities, and the largest against a property company.
British agents have been strongly warned by a lawyer to take note of the case, as exactly the same data protection regime applies in the UK.
The case is therefore directly relevant to UK agents; it is also important because there was no misuse of actual data but a breach of admin obligations under the General Data Protection Regulation.
Furthermore, the fine could have been even higher (€20m or 4% of global turnover, whichever is the greater).
GDPR came into force on May 25, 2018, and applies to all EU countries. It will continue to apply in the UK after Brexit.
The Berlin data protection regulator has issued a notice to fine Deutsche Wohnen over its archived storage of tenants’ personal data.
Deutsche Wohnen was found to have breached obligations to keep personal data for “no longer than is necessary for the purposes for which the personal data are processed”; to ensure that personal data is adequate, relevant and limited to what is necessary; and to provide appropriate technical and organisational measures designed to implement data protection principles.
Deutsche Wohnen is understood to be appealing the notice.
The fine could have been millions of pounds higher, but for Deutsche Wohnen’s co-operation with the investigation and the initial steps it took to address its failure.
However, an aggravating factor was the length of time over which Deutsche Wohnen had been processing the personal data.
Although this is a German investigation, other data protection regulators, including the UK’s Information Commission, will be looking at it.
Emily Dorotheou, an associate at UK law firm Mishcon de Reya, said: “This case also serves as a reminder to property companies to review regularly the personal data which they store and delete or anonymise any data which is no longer required.
“Removal of unnecessary personal data also reduces their exposure to data leaks or security breaches.”
She adds: “However, where companies can reasonably justify retaining personal data, for example for tax record purposes, this will arguably provide a basis to continue holding on to the data.”