German housing giant fined £12.5m for GDPR violations
The firm’s archive system held onto highly sensitive data from bank statements to health insurance records


German property company Deutsche Wohnen has been hit with a staggering data protection fine for hanging onto a treasure trove of personal and financial data of former and current housing tenants.
The firm was fined 14.5 million (approximately 12.5 million) after German data protection investigators found it had been holding information in an archival system from which it was impossible to delete records.
This highly sensitive data, which belonged to former and current tenants, included salary information, extracts from employment and training contracts, tax and health insurance records, as well as bank statements.
This data was stored in the system on an indiscriminate basis, according to German data protection authorities, and without appropriate consents. There was also no legally-defined basis for collecting and storing the data.
Deutsche Wohnen was found to have violated the General Data Protection Regulation (GDPR) under Article 25 (1), which covers the need for businesses to ensure they're adhering to data protection principles such as data minimisation. The firm also violated Article 5, which related to the core ethical principles related to processing data.
Businesses are instructed under GDPR not to keep personal data beyond the legally-established reasons they have identified, and for a period no longer than is required in order to carry out the processing.
RELATED RESOURCE
The German property firm was first warned about its archive system in 2017, according to the data regulator, and requested to change its archiving system as a matter of urgency.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Although the firm changed the archive system in March 2019, the changes still did not establish a lawful basis for storing the personal data and GDPR proceedings were launched, spanning the period between May 2018, when GDPR came into force, and this point.
The initial financial penalty was actually much higher, at roughly 28 million (24 million) based on the firm's annual turnover at more than a billion euros. GDPR fines can fall anywhere in the order of 20 million, or up to 4% of a firm's annual turnover, depending on the severity of the violation.
This initial fine represented 2.8% of the firm's turnover but was reduced because the company had actually taken concrete steps towards correcting its data storage mechanisms, and co-operated with regulators during the process.
IT Pro approached the property giant for its response to the GDPR fine.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Managing change fatigue in the generative AI era
In-depth Leaders must recognize the constant need to adapt to new technologies is leaving some employees feeling drained and disillusioned
-
Microsoft u-turn gives apps security updates on Windows 10 until 2028
News Microsoft says the move is designed to help maintain security while people upgrade to Windows 11
-
Tech leaders worry AI innovation is outpacing governance
News Business execs have warned the current rate of AI innovation is outpacing governance practices.
-
Top data security trends
Whitepaper Must-have tools for your data security toolkit
-
IBM: Data governance for data-driven organizations
whitepaper Master your data management
-
SEC data breach rules branded “worryingly vague” by industry body
News The new rules announced last week leave many questions unanswered, according to security industry experts
-
The gratitude gap
Whitepaper 2023 State of Recognition
-
Meta sues ‘data scraping for hire’ service that collected info on 600k users
News Meta says tackling data scraping will require a “collective effort” from platforms and policymakers
-
Building a data governance strategy in 2023
In-depth Data governance will continue to expand as attitudes change and businesses look to optimise the value of their data
-
FCC plans strict overhaul of 15-year-old US data breach regulations
News Telcos could no longer be able to use negligence as a defence for data breaches as the FCC also seeks to hasten public notification of breaches