UK estate and letting agents should be on their guard after a property company in Berlin was served a notice to fine it over £12.4m, or €14.5m, because of a breach of data regulations.
The German company, Deutsche Wohnen, is said to have hung on to tenant data, using a software system that did not automatically delete obsolete information.
It appears to be the first GDPR fine triggered by a company’s data retention activities, and the largest against a property company.
British agents have been strongly warned by a lawyer to take note of the case, as exactly the same data protection regime applies in the UK.
The case is therefore directly relevant to UK agents; it is also important because there was no misuse of actual data but a breach of admin obligations under General Data Protection Regulations.
Furthermore, the fine could have been even higher (€20m or 4% of global turnover, whichever the greater).
GDPR came into force on May 25, 2018, and applies to all EU countries. It will continue to apply in the UK after Brexit.
The Berlin data protection regulator has issued a notice to fine Deutsche Wohnen over its archived storage of tenants’ personal data.
Deutsche Wohnen was found to have breached obligations to keep personal data for “no longer than is necessary for the purposes for which the personal data are processed”; to ensure that personal data is adequate, relevant and limited to what is necessary; and to provide appropriate technical and organisational measures designed to implement data protection principles.
Deutsche Wohnen is understood to be appealing the notice.
The fine could have been millions of pounds higher, but for Deutsche Wohnen’s co-operation with the investigation and the initial steps it took to address its failure.
However, an aggravating factor was the length of time over which Deutsche Wohnen had been processing the personal data.
Although a German investigation, it will be one which other data protection regulators, including the UK’s Information Commission, will be looking at.
Emily Dorotheou, an associate at UK law firm Mischon de Reya, said: “This case also serves a reminder to property companies to review regularly the personal data which they store and delete or anonymise any data which is no longer required.
“Removal of unnecessary personal data also reduces their exposure to data leaks or security breaches.”
She adds: “However, where companies can reasonably justify retaining personal data, for example for tax record purposes, this will arguably provide a basis to continue holding on to the data.”
In the UK Housing Benefit paid to the landlord can be reclaimed at any time, technically without limit according to my local authority. So surely it is only reasonable that I keep all the tenant personal data in perpetuity, otherwise I would not be in a position to defend any reclaim?
HMRC can go back 20 years, so I need to be able to prove my position for the last two decades. How can this be done without all the tenant personal information?
You must be logged in to like or dislike this comments.
Click to login
Don't have an account? Click here to register