Clifford Chance

In recent weeks, the German data protection authorities have imposed groundbreaking fines of EUR 14.5 million and EUR 9.55 million for data protection violations against two German companies.

The calculation of the fines applied the new model of fines published by the authorities in October 2019 (See our previous Talking Tech article for details). The fines clearly demonstrate that the German regulators will not hold back in using the legal sanctions provided by the GDPR. The fines will provide a reminder that data privacy is now a board room issue for all organisations.

In both instances the data protection authorities classed the violations as "structural". The alleged infringements are no exceptional cases, but scenarios that are not uncommon in a significant number of companies in various sectors (and not only in Germany).

Both companies have appealed against the fines imposed. A final decision on the legality of the fines – and the new German data protection fine model – will not be known until a later date.

EUR 14.5 million against Deutsche Wohnen SE – 30 October 2019

Background and alleged infringement

The first case relates to the real estate company Deutsche Wohnen SE. The Berlin Commissioner for Data Protection and Freedom of Information issued a fine of around EUR 14.5 million on 30 October 2019 for violation of an infringement of Article 25 (1) GDPR and Article 5 GDPR.

According to the official press release of the supervisory authority (English version), "the company used an archive system for the storage of personal data of tenants that did not provide the possibility of removing data that was no longer required. Personal data of tenants was stored without checking whether storage was permissible or even necessary. In some of the individual cases that were examined, it was therefore possible to find years-old private data from tenants that were preserved although they were no longer necessary for the purpose of their original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements."

The case became first known to the supervisory authority during on-site inspections in June 2017. It is not known if these on-site inspections occurred as a routine visit or were prompted by complaints from individuals or notifications from employees or other ways. As a result of becoming aware of the archive system, the supervisory authority "urgently recommended an adjustment of the archive system during the first inspection in 2017". It is again, not clear if this recommendation was done in the form of a mere recommendation or in the form of an order by the supervisory authority. Since the supervisory did not conduct another review until March 2019, it seems, however, that no formal order with a specific time limit was set.

The supervisory authority finally issued the fine due to the fact that the company was unable to either demonstrate a clean-up of its database or present legal reasons for the continued storage in March 2019, i.e. more than one and a half years after the first inspection. The preliminary measures taken by the company did – according to the supervisory authority – not qualify as sufficient measures to align the storage of personal data with the legal requirements.

Details on the calculation of the fine

The fine qualifies as a sanctioning of "a structural violation". The supervisory authority additionally imposed fines of between EUR 6,000 and EUR 17,000 on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases as well.

The basis for the fine was the previous year's worldwide turnover of the concerned companies. The previous annual turnover of Deutsche Wohnen SE exceeded EUR 1.4 billion according to its 2018 annual report.

Infringements of Art. 25 GDPR can be fined with up to 2% of the total worldwide annual turnover of the preceding financial year, i.e. up to EUR 28 million in this instance. Although the supervisory authority also cited violations of Art. 5 GDPR, which could be sanctioned with up to 4% of the total worldwide annual turnover of the preceding financial year, they seem to have focused on the infringement of Art. 25 GDPR as they state a legally prescribed limit of EUR 28 million in their press release.

As an aggravating factor for the calculation, the supervisory authority regarded the fact that Deutsche Wohnen SE had deliberately set up the archive structure and that the data concerned had been processed in an inadmissible manner over a long period of time.

The facts that the company already took mitigating measures and "cooperated formally well" with the supervisory authority were calculated as mitigating factors.

Overall, the supervisory decided that half of the limit, i.e. 1% of the of the total worldwide annual turnover, was the appropriate fine level as the company could not be proven to have misused access to the inadmissibly stored data. However, it is not clear, how the individual weighted factors of the calculation model were applied.

This last fact is very important –the inadmissible storage was grounds enough for the extreme fine.

Current status

Deutsche Wohnen SE has appealed the decision. According to its own press release (i) the fine related to an archiving system which had since been replaced and (ii) no personal data of any tenants had been disclosed to any third-parties.

It remains to be seen if the supervisory authority follows the arguments of Deutsche Wohnen SE or forwards the case to the competent German courts.

In our view, both arguments seem to lack merit. The supervisory authority clearly states that the archiving system was still in place in March 2019 and only insufficient measures were taken despite problems being highlighted in 2017 and secondly the fact that no disclosure to third parties occurred was not the alleged infringement. In fact, the supervisory authority already took the fact that there had been no misuse of the stored data into account in the calculation of the fine.

General take-aways and insights

Although the case relates to a company in the real estate sector, similar scenarios can also exist in other sectors. Many companies still have "data graveyards" where they store huge amounts of data relating to their (previous) customers.

Such data graveyards are regarded as "structural deficiencies" by the supervisory authorities and are signaling they will fine companies severely, even if the relevant company does not make active use of the data.

The Berlin supervisory authority highlights that the supervisory authorities do not wait until these masses of data are stolen or otherwise abused, e.g. in connection with cyber-attacks, but that they now have measures to sanction such deficiencies before such attacks take place.

9.55 million against 1&1 Telecom GmbH – 9 December 2019

Background and alleged infringement

In the most recent case, the German commissioner for data protection and information security issued a fine in the amount of EUR 9.55 million against 1&1 Telecom GmbH.

According to the press release from the supervisory authority (only available in German), it became aware of persons using the telephone hotline from 1&1 Telecom GmbH could obtain comprehensive information on customers by providing the name and birth date of the customer.

Such authentication process is deemed insufficient by the supervisory authority and in violation of Art. 32 GDPR (adequate technical and organizational measures).

According to a press release from the company, the fine relates to an incident in 2018. During that time, the company used a two factor authentication process. It claims that no uniform stricter authentication process existed at the time.

The company is currently working together with the supervisory authority to improve its authentication process. According to news reports, such measures include the provision of a specific service pin and the telephone number or the contract number.

Details on the calculation of the fine

Basis for the fine was the previous year's worldwide turnover. The previous annual turnover of 1&1 Telecom GmbH is not published but the previous annual turnover of 1&1 Drillisch AG, the direct mother company of the company, amounted to approx.. EUR 3.66 billion according to its 2018 annual report and the previous annual turnover of United Internet AG, the ultimate mother company of 1&1 Telecom GmbH, amounted to approx.. EUR 5.1 billion according to its 2018 annual report. Infringements of Art. 32 GDPR can be fined with up to 2% of the total worldwide annual turnover of the preceding financial year, i.e. up to EUR 73.2 or EUR 102 million in this instance. It is unclear, which turnover was applied by the supervisory authority.

The supervisory authority took the exceedingly good cooperation and the understanding of the company into account as mitigating factors for the calculation of the fine. The fact that the deficiencies did not only affect a small number of customers but the complete customer base was taken into account as an aggravating factor for the calculation. Again, based on the publicly available information, it is not clear, which specific factor the supervisory authority applied for the calculation of the fine.

Overall, according to its press release, the supervisory authority decided to stay at the lower level of the fine scale due to the good cooperation.

Current status

1&1 Telecom GmbH has issued an appeal against the fine. According to the company, the fine is not reasonable. In particular, the fine model which was the basis for the calculation of the fine, would violate the German constitution (i.e. the standard of equal treatment and proportionality). Further, the GDPR would not foresee the annual turnover as a criterion for the calculation of a fine.

General take-aways and insights

Good cooperation with the supervisory authority can lead to significant reductions of a potential fine, but cannot fully mitigate the fine.

The supervisory authority seems to impose fines for data protection violations also for a deterrent effect. The German commissioner for data protection and information security stated "Data protection is a fundamental right. The issued fines are a clear sign that we will enforce these fundamental rights. […]".

1&1 Telecom GmbH is not the only telecommunications company on the radar of the supervisory authority. There are further complaints against other telecommunications companies.

The risk of insufficient authentication processes does not only relate to companies in the telecommunications sector but also to other sectors. In particular those companies using telephone hotlines for customer services and support, should review and amend their processes.