Another big GDPR fine, this one for an estate agent
Frankfurt, 30th October 2019: the Berlin Commissioner for Data Protection issued a whopping fine of approximately €14,500,000 (or roughly £12,400,000) to a property company based in Frankfurt called ‘Deutsche Wohnen SE’.
Before we say anything else, it’s important to remember that Deutsche Wohnen’s reported turnover in 2018 was 1.4 billion Euros, which makes this an approximately 1% fine. The Commissioner concluded that under the circumstances the maximum fine they could have imposed would have been 28 million Euros (2%). Always remember to keep perspective with matters concerning data protection, and ‘Don’t Panic’…
So, why were they fined such a huge amount of money?
Basically, because they were retaining personal data for longer than was necessary.
What’s interesting about this is that there was no data breach and no specific problem had occurred, but during onsite inspections the Commissioner’s agents found that the company was using an archive system to store their tenants’ data that didn’t allow for records to be removed when no longer necessary. They found personal data that dated back years, though the tenants had long ago left; in terms of data protection law this is referred to as data that is no longer necessary for the purpose it was originally collected.
In light of this enforcement action the National Association of Estate Agents (the NAEA) has warned all UK estate agents to review their own GDPR and data protection compliance systems and processes. The advice they are giving (quite rightly in my opinion) is that the judgement by the German regulator will be viewed by other regulators (including the ICO in the UK) as an indicator of fines, and that similar action will be taken if other property companies are found to be causing the same infraction.
Reviewing and creating an evidenceable GDPR compliance strategy is not as difficult as it may seem, but it is a process. That doesn’t mean it has to be a painful process; our approach at Ametros Group is to try to use that process not only to build a strong foundation of compliance into the business to protect it, but also to improve the way the business runs: introduce improvements that can reduce waste, make your staff more efficient, allow the company to work more flexibly…
Remember that the GDPR wasn’t created to make it more difficult for you to run your business, or to be profitable. No one wants to make things harder than they have to be; you just need to make the right decisions for your business.
Unsure how to proceed?
We represent and support hundreds of organisations as their independent external Data Protection Officer, and we’re always happy to take on new clients.
About Ametros Group
Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultancy, compliance framework implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data privacy experts have worked with FTSE100, Fortune500 and SMEs to deliver data protection excellence around the globe.
Press Contact
Ametros Group
press@ametrosgroup.com