06.11.2019

On thin ice: Berlin DPA fines Deutsche Wohnen 14.5 million EUR

Niko Härting

In the race for higher fines, Maja Smoltczyk, head of the Berlin data protection authority (DPA), has ventured far ahead. Deutsche Wohnen, a listed real estate company with a portfolio of more than 168,000 units, is to pay 14.5 million EUR. Anyone celebrating the "courage" of Berlin's data protectors may be celebrating too soon. The Berlin DPA is likely to be moving on "thin ice". In a statement, Deutsche Wohnen has announced its intention to take this matter to court.

Dilemma Between GDPR and Statutory Data Retention

According to the press release of the Berlin DPA (BlnBDI, “Berliner Datenschutzbeauftragte verhängt Bußgeld gegen Immobiliengesellschaft” v. 5.11.2019), the fine concerns the digital procedure for archiving old files when these files contain personal data of (former) tenants. Under statutory auditing rules, digital archiving is required to be “audit-proof”. Files are stored in a way that does not allow later changes. As a rule, individual data cannot be deleted from audit-proof archived files.

Audit-proof archiving serves to fulfil statutory retention obligations according to tax laws and other laws. By choosing a digital solution that does not permit any changes or deletions, a company protects itself against the suspicion (by the tax office or other authorities) of subsequent data manipulations.

Inevitable Balance

The conflict with data protection is inevitable:

  • GDPR vs. Tax Law: Is it permitted to store data of customers, employees and tenants in digital files for many years in order to fulfil tax retention obligations?
  • Legal Basis: Is this covered by Art. 6 para. 1 sentence 1 lit. c GDPR (data processing for compliance with legal obligations)?

This is highly controversial and ultimately depends on whether the ("audit-proof") retention obligation or data protection has priority. It is a question that every practitioner is familiar with from their daily work. There are no simple answers.

Approach by Berlin DPA: GDPR Trumps Tax Law

Apparently, the Berlin DPA has used a trick to avoid Art. 6 para. 1 sentence 1 lit. c GDPR. The DPA has left the vital question open and has not even considered whether data must be deleted in spite of statutory retention obligations. Instead, the DPA appears to have taken the – highly remarkable – view that audit-proof archiving systems are generally not GDPR-compliant. This is daring in several respects:

  • Absolute GDPR Supremacy? The approach of the Berlin DPA implies an absolute supremacy of data protection law over statutory data retention obligations and the documentation thereof. If the fine were upheld in court, many organizations and enterprises would need new software solutions for documentation and archiving.
  • Too Principled? On the other hand, the Berlin DPA has based the decision on Art. 5 GDPR and on Art. 25 para. 1 GDPR (privacy by design) and thus solely on principles. Many German commentators doubt that these provisions can be used as a proper basis for a fine notice in compliance with German constitutional requirements of the rule of law.

Prognosis

The trick applied by the Berlin DPA may well turn out to be a boomerang. By resorting to "privacy by design", the Berlin DPA has saved itself the trouble of specifying which tenant data should have been deleted at which point in time. However, the "ice" that the Berlin DPA is moving on is thin and slippery. The appeal lodged by Deutsche Wohnen should have a good chance of success.

 
