
GDPR Fine For Property Company

by Adam Brogden

12-Nov-2019 10:56

A property company has been hit with a staggering data protection fine for hanging onto a treasure trove of personal and financial data of former and current housing tenants. The firm was fined €14.5 million (approximately £12.5 million) after German data protection investigators found it had been holding information in an archival system from which it was impossible to delete records. This highly sensitive data, which belonged to former and current tenants, included salary information, extracts from employment and training contracts, tax and health insurance records, as well as bank statements. This data was stored in the system on an indiscriminate basis and without appropriate consents. There was also no legally-defined basis for collecting and storing the data.

The company was found to have violated the General Data Protection Regulation (GDPR) under Article 25 (1), which covers the need for businesses to ensure they're adhering to data protection principles such as data minimisation. The firm also violated Article 5, which sets out the core ethical principles for processing data. According to the data regulator, the German property firm was first warned about its archive system in 2017 and was asked to change it as a matter of urgency. Although the firm changed the archive system in March 2019, the changes still did not establish a lawful basis for storing the personal data and GDPR proceedings were launched, spanning the period between May 2018, when GDPR came into force, and this point.

The initial financial penalty was actually much higher, at roughly €28 million (£24 million) based on the firm's annual turnover. GDPR fines can fall anywhere in the order of €20 million, or up to 4% of a firm's annual turnover, depending on the severity of the violation. The fine was reduced because the company had actually taken concrete steps towards correcting its data storage mechanisms, and co-operated with regulators during the process. Businesses are instructed under GDPR not to keep personal data beyond the legally-established reasons they have identified, and for a period no longer than is required in order to carry out the processing.

If you are involved in any sort of property company the chances are you have lots of personal data. Make sure you understand your obligations under GDPR and have the appropriate controls in place.

If in doubt please call us. We are always happy to help.

Good luck all.