GDPR violations can prove expensive, something which one real estate firm recently had to learn the hard way when it received a fine to the tune of 14.5 million euros.

The EU General Data Protection Regulation – GDPR for short – is supposed to afford better protection to sensitive personal data. For businesses, this means stricter data protection standards. GDPR violations may be met with tough sanctions. We at the commercial law firm MTR Rechtsanwälte note that fines of up to 20 million euros or up to 4 percent of global annual turnover can be imposed.

One real estate firm recently learned the hard way that these are not empty threats. The company received a fine at the end of October in the amount of 14.5 million euros from Berlin”s Commissioner for Data Protection and Freedom of Information, the Berliner Beauftragte für Datenschutz- und Informationsfreiheit. The reason: The company used an archive system for storing tenants” personal information which did not allow data that was no longer necessary to be deleted. The data was being stored without checking whether its storage was legitimate and necessary. It was established, for instance, that data was being stored relating to personal and financial circumstances, payslips, voluntary declarations, account statements, etc.

The firm had already been strongly advised during an initial audit in 2017 to change the archive system. However, by the time of the second audit in March of 2019, little had changed apart from preparations by the company to address the shortcomings; too little to reach a state of legal compliance.

There were therefore compelling reasons to impose a fine according to Berlin”s Commissioner for Data Protection. The GDPR requires supervisory authorities to ensure that fines are effective and proportional in individual cases. The starting point for assessment is the turnover achieved in the previous year. For the purposes of reaching a specific determination, all incriminating and extenuating factors are taken into account. Incriminating factors in this case were that the real estate firm had deliberately created the archive structure and that the relevant data was being unlawfully processed over an extended period of time. On the other hand, the fact that the company had taken initial measures to address the shortcomings was considered an extenuating factor mitigating what could otherwise have been a significantly higher fine.

The decision demonstrates that supervisory authorities do not consider GDPR violations a trivial offense and are instead liable to clamp down. Experienced lawyers can advise on data protection issues.