UK estate agents have been told they must get their data collection in order following a controversial German law case
The National Association of Estate Agents has now told its members to review their retention procedures.
Berlin property company Deutsche Wohnen has been fined more than £12.4m (€14.5m) due to a GDPR breach.
The company allegedly retained old customer data, which is a breach of administrative obligations, rather than a data breach which is loss or misuse of customer data.
On its website, the NAEA, said in a statement that this was reportedly the first GDPR fine in response to a company’s data retention activity and the largest fine received by a property company.
The association also says that although an incident taking place in Germany, the punishment will be viewed by other regulators – including the UK’s Information Commission – as an indicator of fines.
Personal data
Deutsche Wohnen was found to have breached obligations to keep personal data for “no longer than is necessary for the purposes for which the personal data are processed”, to ensure that personal data is adequate, relevant and limited to what is necessary; and to provide appropriate technical and organisational measures designed to implement data protection principles.
Despite the regulator’s request that it revise these activities, Deutsche Wohnen’s improvements did not go far enough.
This fine far exceeds the previous German record of some €200,000 levied against Delivery Hero Germany and is among the steepest penalties ever imposed in Europe for violations of data protection laws.
The Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued the fine, the highest German GDPR fine to date.
This fine far exceeds the previous German record of some €200,000 levied against Delivery Hero Germany and is among the steepest penalties ever imposed in Europe for violations of data protection laws.
GDPR
The Berlin DPA considered retaining data substantially longer than necessary a breach of the GDPR, in three respects: first, the controller did not have a legal ground to store personal data longer than was necessary; second, this was considered an infringement of the data protection by design requirements under Article 25 (1) GDPR; and, finally, it was an infringement of the general processing principles set out in Article 5 GDPR.
The head of the Berlin DPA recently gave some background in an interview. She said that Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods as such solutions are commercially available.
The NAEA says the fine could have been millions of pounds higher, but Deutsche Wohnen is co-operating with the investigation and took steps to address its failure.
The NAEA added: “This case highlights to property companies the need to regularly review their data processes and the data which is kept.”