A landmark fine notice was issued on Nov. 5, 2019, by Berlin’s data protection authority. Quote:
During on-site inspections in June 2017 and March 2019, the supervisory authority found that the company was using an archive system to store personal data of tenants, which did not provide for the possibility of removing data that was no longer required. Personal data of tenants was stored without checking whether storage was permissible or even necessary.
These are the core contents of the notice:
- The lack of deletion functionality constitutes a violation of the GDPR
- The penalty was imposed for “structural” defects, i.e. without any concrete violation of personal rights having occurred.
- The fine amounts to €14.5 million, a hefty amount even for a company with sales in excess of one billion
- The company had been admonished beforehand
Update: The fine was overturned by the Berlin Regional Court; that ruling was in turn challenged by the prosecution (March 21).
For the first time, the inability to delete data has been fined. This is a remarkable decision, because the fine was not imposed for concrete violations of personal rights but for structural errors: the operator was fined for not being able to properly delete personal data. The archiving system was unsuitable for deleting data in compliance with the law, which is a core function of a proper archive system. Apparently, the operator was neither able nor competent to remedy this. That is not surprising: an incorrectly set up archive system can only be configured properly with a great deal of effort, and as a rule it is not possible at all, so the data must be migrated to a new archiving system. Even if the decision still leaves some questions open, it is groundbreaking in that the fundamental inability to delete data can result in a large fine. As I have already published several times, the effects of such decisions on Swiss companies will not be long in coming.
What you need to do to avoid such penalties:
- Conduct an assessment of your data protection capabilities. Test whether you can delete data.
- Design an information governance and data governance concept
- Describe and capture your data (taxonomy, ontology, semantic methods)
- Perform a data cleanup
- Evaluate and implement a proper archive system
- Delete the data regularly
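One way to put the last two steps into practice, as an added example that is not from the original post: a small Python model of an archive whose deletion cycle removes every record whose retention period (counted from the day its purpose ended) has run out, and then proves the record is really gone, which is the capability the notice found missing. The archive class, data categories, retention periods and sample records are all constructed for this illustration.

```python
from datetime import date, timedelta

# Retention period per data category, counted from the day the purpose ended
# (e.g. the tenancy terminated). Constructed values; real periods come from
# the governance concept and statutory retention duties.
RETENTION_DAYS = {
    "tenancy_contract": 10 * 365,  # kept for a statutory period after the tenancy
    "bank_details": 0,             # no basis to keep once the tenancy has ended
    "salary_proof": 0,             # collected for applicant screening only
}

class Archive:
    """Minimal archive whose core capability is verifiable deletion.
    Each record: (record_id, category, purpose_ended_on or None if still in use)."""
    def __init__(self, records):
        self._store = {rid: (cat, ended) for rid, cat, ended in records}
        self.audit = []  # (date, record_id, category) for every deletion
    def expired(self, today):
        """Records whose retention period has run out as of `today`."""
        out = []
        for rid, (cat, ended) in self._store.items():
            if ended is not None and today > ended + timedelta(days=RETENTION_DAYS[cat]):
                out.append(rid)
        return out
    def delete(self, rid, today):
        cat, _ = self._store.pop(rid)
        self.audit.append((today, rid, cat))
    def contains(self, rid):
        return rid in self._store

def deletion_cycle(archive, today):
    """Delete every record past its retention and prove it is really gone."""
    deleted = []
    for rid in archive.expired(today):
        archive.delete(rid, today)
        if archive.contains(rid):  # the structural defect the notice describes
            raise RuntimeError(f"archive cannot delete {rid}")
        deleted.append(rid)
    return deleted

def run_sample(today=date(2019, 11, 5)):
    """Constructed sample: two expired records, one within retention, one active."""
    archive = Archive([
        ("r1", "tenancy_contract", date(2009, 1, 31)),
        ("r2", "bank_details", date(2019, 6, 30)),
        ("r3", "tenancy_contract", date(2015, 3, 1)),
        ("r4", "salary_proof", None),
    ])
    return archive, deletion_cycle(archive, today)
```

Running the cycle on a schedule and keeping the audit trail is what turns "delete the data regularly" into something an inspector can verify.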