News & Blog

First Multi-Million GDPR Fine in Germany

€14.5 million fine for not having a proper data retention management policy in place On October 30th, 2019, the Berlin Commissioner for Data

€14.5 million fine for not having a proper data retention management policy in place

GDPR Fine for data retention management

On October 30th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information made history by delivering her first multi-million GDPR fine to the German real estate company, die Deutsche Wohnen SE for not having a proper data retention management in place, direct infringement of the General Data Protection Regulation (GDPR)

This is the highest GDPR fine to be issued in Germany to date.

Why the infringement?

Deutsche Wohnen SE has been accused of utilising an archiving system for the storage of personal data pertaining to their tenants which does not facilitate the erasure of data that is no longer necessary or required. This data was of a personal nature i.e. it included personally identifiable information (PII), such as tax data, social security, and health insurance data, bank statements, employment contracts payslips, etc.

Deutsche Wohnen SE was audited in June 2017 and was made aware that they were in breach of data protection regulations at the time. Following another audit in March 2019, Deutsche Wohnen SE was again unable to prove a legal ground for the continued retention of the same PII data or demonstrate the ability to clean up their databases by deletion of no longer required data.

Deutsche Wohnen SE did, however, try to start a project to clean up the data however, the Berlin DPA found that these measures were not adequate.

“Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods as such solutions are commercially available.” Maja Smoltczyk, Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA)

GDPR articles enforced

Article 25 (1) and Article 5 of GDPR were actioned against Deutsche Wohnen SE. Article 25 (1) GDPR requires data controllers – subject to  additional preconditions – to provide for appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR and protect the rights of data subjects. Article 5 in brief states that that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).

Calculating the €14.5 million fine

It seems that the Berlin DPA applied the recently published fining guide of the German supervisory authorities. Looking at the calculations it is apparent that 2% of annual revenues were enforced instead of the 4% of annual revenue that is laid down by GDPR as a maximum infringement of Article 5. In order to reduce the fine that Berlin DPA has taken into consideration that the company had taken some measures to try to remedy the infringement as notified back in June 2017.

“I recommend all organizations processing personal data to review their data archiving for compliance with the GDPR.” Maja Smoltczyk, The Head of the Berlin DPA

Data commissioners in Europe are really starting to up their game when it comes to issuing GDPR fines. Controllers and processors of data must now take urgent action to review their processes and examine their handling of personal data, regardless of where they are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

ComplyKey offers more granular control of your email and file data for retention and destruction management

Waterford Technologies offers a retention management solution for GDPR and other data protection regulations, that is comprehensive, easy to use and powerful at protecting and enforcing your company’s retention policies.

The ability to create multiple retention categories and tags and assign different periods to specific users and departments gives you total control over email and file retention and destruction.

Enforce Retention Policies

One of the greatest assets of an email and file archive is control over the retention of messages in the archive. With the Waterford Technologies retention feature, you can ensure that your retention policy is adhered to by creating retention categories and tags or setting custom retention periods for individual users or emails.

Retention can be controlled by time and /or by person groups. Person groups can be created that contain current and former users and then retention categories can be applied to those groups. For example, your organization wants to set a retention policy of 5 years for all message but users in the Executive or Financial organisations need to be kept for 7 years. MailMeter set it and forget it Retention Policies make sure that messages are kept according to your record retention policies.

Intelligent Destruction

ComplyKey’s retention feature automatically evaluates your retention policy on every scheduled run. If the policy has been changed at any time, the module will automatically enforce the new policy and purge emails tagged for deletion on its next run. This allows you to intelligently control not only retention but also the destruction of email.

Avoid Accidental Deletion

The ability to retain specific emails or messages from specific users and apply a litigation/legal hold to relevant emails allows you to avoid accidental or wilful deletion. For example, applying a litigation hold to an email will ensure that it will be retained past its normal retention period. After the mail is no longer required, removing the litigation hold will mean the mail is automatically purged on the next scheduled run.

Meet Regulatory Requirements

Implementing an adequate retention policy is key to ensuring regulatory compliance. Your business may be subject to many regulations including Sarbanes-Oxley, FINRA, HIPAA, and GDPR. The ability to create sophisticated and granular retention policies with ComplyKey will help your business to achieve regulatory compliance.

ComplyKey Retention Benefits

  • Enforce email retention policies
  • Protect against accidental deletion
  • Prevent wilful destruction of email
  • Meet regulatory requirements

Take urgent action to review your companies processes and examine your handling of personal data, regardless of where you are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

Contact our Sales team now or request a free demo to see how Waterford Technologies might be able to help your organisation with their data retention management for GDPR and numerous other global data protection legislation.


Laura Stotesbury

Head of Marketing

Waterford Technologies