First Multi-Million GDPR Fine in Germany

€14.5 million fine for not having a proper data retention management policy in place

GDPR Fine for data retention management

On October 30th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information made history by delivering her first multi-million GDPR fine to the German real estate company Deutsche Wohnen SE for not having proper data retention management in place, a direct infringement of the General Data Protection Regulation (GDPR).

This is the highest GDPR fine to be issued in Germany to date.

Why the infringement?

Deutsche Wohnen SE has been accused of utilising an archiving system for the storage of personal data pertaining to their tenants which does not facilitate the erasure of data that is no longer necessary or required. This data was of a personal nature, i.e. it included personally identifiable information (PII), such as tax data, social security and health insurance data, bank statements, employment contracts, payslips, etc.

Deutsche Wohnen SE was audited in June 2017 and was made aware that they were in breach of data protection regulations at the time. Following another audit in March 2019, Deutsche Wohnen SE was again unable to prove a legal ground for the continued retention of the same PII data or demonstrate the ability to clean up their databases by deletion of no longer required data.

Deutsche Wohnen SE did try to start a project to clean up the data; however, the Berlin DPA found that these measures were not adequate.

“Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods as such solutions are commercially available.” Maja Smoltczyk, Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA)

GDPR articles enforced

Article 25 (1) and Article 5 of GDPR were enforced against Deutsche Wohnen SE. Article 25 (1) GDPR requires data controllers – subject to additional preconditions – to provide for appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR and protect the rights of data subjects. Article 5, in brief, states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).

Calculating the €14.5 million fine

It seems that the Berlin DPA applied the recently published fining guide of the German supervisory authorities. Looking at the calculations, it is apparent that 2% of annual revenue was applied instead of the 4% of annual revenue that GDPR lays down as the maximum for an infringement of Article 5. In reducing the fine, the Berlin DPA took into consideration that the company had taken some measures to try to remedy the infringement it was notified of back in June 2017.

“I recommend all organizations processing personal data to review their data archiving for compliance with the GDPR.” Maja Smoltczyk, The Head of the Berlin DPA

Data commissioners in Europe are really starting to up their game when it comes to issuing GDPR fines. Controllers and processors of data must now take urgent action to review their processes and examine their handling of personal data, regardless of where they are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

ComplyKey offers more granular control of your email and file data for retention and destruction management

Waterford Technologies offers a retention management solution for GDPR and other data protection regulations that is comprehensive, easy to use and powerful at protecting and enforcing your company’s retention policies.

The ability to create multiple retention categories and tags and assign different periods to specific users and departments gives you total control over email and file retention and destruction.

Enforce Retention Policies

One of the greatest assets of an email and file archive is control over the retention of messages in the archive. With the Waterford Technologies retention feature, you can ensure that your retention policy is adhered to by creating retention categories and tags or setting custom retention periods for individual users or emails.

Retention can be controlled by time and/or by person groups. Person groups can be created that contain current and former users, and retention categories can then be applied to those groups. For example, your organization wants to set a retention policy of 5 years for all messages, but messages from users in the Executive or Financial organisations need to be kept for 7 years. MailMeter's set-it-and-forget-it retention policies make sure that messages are kept according to your record retention policies.

Intelligent Destruction

ComplyKey’s retention feature automatically evaluates your retention policy on every scheduled run. If the policy has been changed at any time, the module will automatically enforce the new policy and purge emails tagged for deletion on its next run. This allows you to intelligently control not only retention but also the destruction of email.

Avoid Accidental Deletion

The ability to retain specific emails or messages from specific users and apply a litigation/legal hold to relevant emails allows you to avoid accidental or wilful deletion. For example, applying a litigation hold to an email will ensure that it will be retained past its normal retention period. After the mail is no longer required, removing the litigation hold will mean the mail is automatically purged on the next scheduled run.

Meet Regulatory Requirements

Implementing an adequate retention policy is key to ensuring regulatory compliance. Your business may be subject to many regulations including Sarbanes-Oxley, FINRA, HIPAA, and GDPR. The ability to create sophisticated and granular retention policies with ComplyKey will help your business to achieve regulatory compliance.

ComplyKey Retention Benefits

  • Enforce email retention policies
  • Protect against accidental deletion
  • Prevent wilful destruction of email
  • Meet regulatory requirements

Take urgent action to review your company's processes and examine your handling of personal data, regardless of where you are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

Contact our Sales team now or request a free demo to see how Waterford Technologies might be able to help your organisation with its data retention management for GDPR and numerous other global data protection laws.


Laura Stotesbury

Head of Marketing

Waterford Technologies


Utility Companies – How Much Personal Data Resides On Your Servers?

How to implement proactive email and file compliance in the digital era.

Data compliance and management has become a key requirement for businesses in today’s economy due to the arrival of new and updated data regulations such as GDPR, MiFID2, FOIA & CCPA. In the digital age, companies are responsible for increasing amounts of data, both of their customers as well as their own employees.

This is especially important for the Utilities Sector where large utility companies in the digital era are driven primarily by data.


The True Cost of Data Non-Compliance


For many years now, people have talked about the importance of data. It has been argued that due to the insight and knowledge that can be taken from it, data has now become more valuable than oil.

Nowhere is this more obvious than within large organisations, who can hold TBs of unstructured data (data that does not have a pre-determined model) of their customers and employees.


Why Credit Unions need to understand their unstructured data.

How to manage the unstructured data explosion and manage GDPR compliance

The financial services industry is facing a period of extensive changes in the forms of fintech disruption and challenging data regulations. In order to remain relevant in this new arena, credit unions must be able to integrate and optimise all their data.


Waterford Technologies Launches MailMeter- Version 7.1

Waterford Technologies launched MailMeter Cloud 7.1

Organizations are finding today that meeting regulatory requirements and complying with new and current legislation is a challenge. Unstructured data like email presents a whole range of hurdles when trying to prevent violations or when responding to discovery requests.

Unstructured data makes up 80% of storage on your servers. It is generated by conducting your day-to-day business and consists of email and files such as documents, images, and videos. Without the correct management tools, this particular data is difficult and time-consuming to see and uncover, a key requirement of GDPR, FOIA, and general data regulations.

Waterford Technologies has significantly invested in the development of our product set to provide compliance functionality for unstructured data in both email and file. We have introduced a powerful, smart GDPR, FOIA, and eDiscovery solution reimagined to make it easier for you to effortlessly manage your email data, no matter the size of your company.

Available this July, Waterford Technologies are delighted to announce the launch of MailMeter 7.1, enabling organizations to meet demanding compliance requirements and address eDiscovery requests easily, quickly and effectively.

What has changed?

MailMeter 7.1 is a proactive compliance and data management platform, available as Microsoft Azure SaaS cloud and on premises, where you can find every single email in your organization and conduct e-discovery, Freedom of Information and DSAR searches directly from your desktop. The platform gives you the ability to narrow the scope of your search across email using clearly defined criteria, giving our clients the visibility they need for effective monitoring, eDiscovery, compliance, auditing & reporting across a variety of data regulations.

  • New Operations Portal, a completely redesigned user interface – individual search, e-Discovery search, compliance policies and message retention under a single interface
  • Real-time message filtering, tagging, and labeling: MailMeter Cloud message filtering enables an organization to define proactive pre-archiving rules that can discard, tag or label messages based on message participants, message type or keyword content in the message to control archive content, identify compliance violations and assist message analysis.
  • Scoped searching: MailMeter Cloud enables authorized users to set up restricted access for eDiscovery or compliance searching. Using scoped searches, archive access can be limited by any search criteria, by which specific types of tags can be used, and by which types of actions can be performed.
  • Compliance policies: this new feature enables organizations to establish policies that automatically monitor and identify non-compliant email communication. Reviews can quickly be performed to take actions based on internal policies to reduce risk and ensure regulatory compliance.
  • Delegated access: the new Delegated Access feature enables one user to access and search another user's email stored in the archive. This feature can be used to allow a manager to access their current and former team members' email. You will no longer have to retain former users' mailboxes to enable other users to access those users' messages. All activity performed by the delegated user is recorded in the audit trail.

Benefits you will love:

  • Legal search cost savings and speed of recovery
  • Respond to DSARs promptly
  • Help avoid data regulation penalties and reputation damage
  • Storage and back up cost savings
  • Direct line access to storage
  • Encryption of stored data
  • Full audit trail for email


MailMeter 7.1 is a key feature in our ComplyKey Suite. ComplyKey Suite is built around two ideas. First, full visibility into your email and file volume and activity enables you to more effectively and efficiently manage your data 24/7. Second, companies need a tool that is data regulation audit-ready, flexible enough to support your GDPR, FOIA and data compliance policies and agile enough to deal with subject access requests (DSAR), freedom of information and e-discovery searches across your email and file data.

For more information on finding the right data compliance and management solution to fit your organizational needs, simply contact us for a callback.



California Consumer Privacy Act – Are you ready for January 2020?

The CCPA will take effect on January 1, 2020. Are you ready?

Like Europe, California has been trying to pass updated data protection for many years now. While the General Data Protection Regulation came into effect on May 27th, 2018, to a lot of media attention & speculation, the road to rolling out the California Consumer Protection Act (CCPA) has not been as smooth and attention-grabbing.

Unstructured Data and the Not for Profit Sector

Are you drowning in vast amounts of data and not sure where the lifebuoy is?

Unstructured data is like the deep ocean: very much an unknown, difficult to view and access, with a large proportion unused. Organisations are in uncharted waters when it comes to managing risks, fulfilling personal information requests (PII’s) or data subject access requests (DSAR) under GDPR.