In the industry, commerce and real estate sector, DPAs from 12 different countries have so far imposed 41 fines on a variety of different enterprises, including courier services, retailers and property companies, amounting to a total of EUR 16.2 million.
The statistics for this sector are highly skewed by a single fine imposed by the Berlin DPA on Deutsche Wohnen SE, one of Europe's leading property companies. The Berlin DPA issued a fine of EUR 14.5 million for non‑compliance with general data processing principles. Excluding this fine, the statistics look much less spectacular: just over EUR 2 million in fines covering 40 violations and averaging a little over EUR 41,000 per fine. Six-figure fines were imposed by French (EUR 500,000 – violation of data subjects' rights) and Polish (EUR 645,000 – insufficient TOMs) DPAs.
Most companies in this sector were fined due to having an insufficient legal basis for data processing (15) and non‑compliance with general data processing principles (9). Insufficient technical and organisational measures (TOMs) resulted in the highest average amount per fine (EUR 113,583), while a failure to comply with information obligations came relatively cheap for the offending companies (EUR 2,096 on average). No DPA was more active than the Spanish data protection authority, which imposed around half of all fines in this sector (19), followed by the authorities from Romania (5) and Cyprus (4).
Let's take a closer look
- The standout fine in this sector is the EUR 14.5 million penalty imposed on Deutsche Wohnen SE, currently ranking number six among the highest individual fines imposed under the GDPR regime. The company stored tenants' personal data in an archiving system that offered no way to delete data that was no longer required. Personal data of tenants was stored without checking whether storage was permissible or even necessary. As a result, personal data of affected tenants remained accessible for years after it had stopped serving the purpose of its original collection (e.g. salary statements, self‑disclosure forms, tax, social security and health insurance data).
- Insufficient TOMs also caused Polish online tech shop morele.net to pick up a hefty fine of EUR 645,000 from the Polish National Personal Data Protection Officer. The identified shortcomings in data security facilitated unauthorised access to the personal data of 2.2 million customers.
- The highest fine for lack of a legal basis for data processing was imposed on Spanish energy provider EDP España S.A.U. (EUR 75,000). Personal data such as first and last names, tax numbers, addresses and mobile phone numbers of customers were processed without the required consent of the data subjects.
Insufficient data security measures triggered particularly harsh fines for companies in the industry, commerce and real estate sector. DPAs have shown that they are willing to impose six‑figure fines for insufficient data security, especially when personal data of a large number of people is exposed to the public. The standout example Deutsche Wohnen SE shows that companies need to have a proper plan for erasing personal data once the legal basis expires.