September 22, 2020

Volume X, Number 266

September 21, 2020

Subscribe to Latest Legal News and Analysis

Multimillion-Euro Fine Imposed on German Residential Real Estate Company for Violations of the EU General Data Protection Regulation

Relevance for and Impact on the Real Estate Industry 

At the end of October 2019, the Berlin Commissioner for Data Protection and Freedom of Information imposed a fine of about EUR 14.5 million against a German residential real estate company for various violations of the EU General Data Protection Regulation (GDPR).
The fine is not yet legally binding but, reportedly, has been appealed. However, irrespective of the outcome of the appeal, the sanctioning measures taken by the Berlin Data Protection Commissioner show that GDPR compliance must be taken seriously by all companies in the real estate industry.

Relevance of fine extends beyond residential real estate companies

Given that the amount of the fine was calculated based on the company’s annual turnover, GDPR compliance is particularly crucial for residential real estate companies with large portfolios. As demonstrated in this case, fines can easily amount to millions of euros. However, it is important to note that real estate companies from other sectors also need to comply with GDPR – whether they are office space owners storing contact data of their tenant employees, shopping mall owners with a security concept that involves the operation of video surveillance cameras, or other real estate companies that process personal information about individuals by other means.

The decision of the Berlin Data Protection Commissioner

According to the Berlin Data Protection Commissioner, the GDPR fine was imposed upon the German company because the company had used a tenant-data archive system that did not allow for deletion of legacy data. According to the commissioner, this constituted a violation of the GDPR’s data-processing principles as well as the obligation to introduce appropriate technical and organizational measures designed to implement such principles (privacy by design).

Paradigm shift in the calculation of fines

The fine of some EUR 14.5 million is by far the highest fine ever issued by a German data protection authority for GDPR violations. It exceeds by many times the previous maximum fine of EUR 195,000 that the Berlin Data Protection Commissioner had imposed on a food delivery service in September 2019, and shows a paradigm shift in the calculation of fines by German data protection authorities.

Shortly before this most recent fine, in mid-October 2019, the German authorities published a model for the calculation of GDPR fines. According to the model, fines shall be calculated based on the company’s turnover from the previous year, which amount will be used by the authorities to calculate a daily rate. That rate will then be multiplied by a factor between one and 12 (depending on the severity of the GDPR violation).

According to the Berlin Data Protection Commissioner, the EUR 14.5 million fine was only “in the middle range”. This means that even higher sanctions for GDPR violations are possible in the future.

Don’t wait; act now

To mitigate against the risk of substantial government fines, real estate companies should immediately review their data processing activities for compliance with GDPR requirements. Failure to ensure data processing activities are in compliance with GDPR could mean receipt of a violation notice from the Data Protection Commissioner in the near future.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume IX, Number 346


About this Author

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

49 -030700-171-150
Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes advising clients on all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.