Archiving and data protection: fine for failure to delete data

23.6.2023 | Privacy

A landmark fine notice was issued on Nov. 5, 2019, by Berlin’s data protection authority. Quote:

During on-site inspections in June 2017 and March 2019, the supervisory authority found that the company was using an archive system to store personal data of tenants, which did not provide for the possibility of removing data that was no longer required. Personal data of tenants was stored without checking whether storage was permissible or even necessary.

These are the core contents of the notice:

  • The lack of deletion functionality constitutes a violation of the GDPR
  • The penalty was imposed for “structural” defects, i.e. without the occurrence of a direct violation of personal rights
  • The fine amounts to € 14.5 million, a hefty amount even if the company has sales in excess of one billion
  • The fined company had been admonished beforehand

Update: The case was overturned by the Berlin Regional Court, a ruling that was in turn challenged by the prosecution (March 21).

Comment:

For the first time, the inability to delete data has been fined. This is a remarkable decision, because the fine was imposed not for concrete violations of personal rights but for structural errors. The operator was fined for not being able to properly delete the personal data. The archiving system was unsuitable for deleting the data in compliance with the law, although this is an important function of a proper archive system. Apparently, the operator was neither able nor competent to remedy this circumstance. This is not surprising, because an incorrectly set up archive system can only be configured properly with a great deal of effort. As a rule, it is not possible at all, and the data must be migrated to a new archiving system. Even if the decision still leaves some questions open, it is groundbreaking in that the fundamental inability to delete data can result in a large fine. As I have already published several times, the effects of such decisions on Swiss companies will not be long in coming.

What you need to do to avoid such penalties:

Comprehensive information on all these steps can be found on this website as well as on Matrio.swiss, or you can contact us directly.

 
