October and November have seen two significant pieces of GDPR enforcement action in Europe with the supervisory authorities in Germany and Austria both issuing multi-million Euro fines for breaches of the GDPR principles.
In Germany, the Berlin Data Protection Authority (DPA) imposed a fine of €14.5 million (£12.4 million) on Deutsche Wohnen SE, a housing and letting company, for retaining copies of personal data for longer than required. The DPA had inspected the company in 2017 and found retention issues caused by the use of a database that did not allow records to be deleted. A follow-up visit from the DPA in early 2019 revealed that the retention issues had still not been resolved. In addition, because the company had retained a large amount of personal data for longer than it was required, it could not identify an applicable lawful basis for holding it. So two GDPR principles were breached here, and the organisation's lack of action following the 2017 visit was clearly an aggravating factor in the level of the fine imposed.
Just across the border in Austria, the Austrian supervisory authority, Datenschutzbehörde, issued a fine of €18 million (£15.4 million) to the Austrian Post, the national postal service, for profiling more than 2 million customers' potential political preferences based on a number of criteria. The data was then passed to third parties (including political parties) for targeted advertising.
There are a number of issues here around transparency and lawful basis – it would appear consent is the only applicable lawful basis that could be applied, given that political views constitute special category data under GDPR. And, if so, that consent would need to be fully informed with a clear explanation of how the customers’ data would be used. Given the sensitivity of the personal data here, a Data Protection Impact Assessment (DPIA) would almost certainly have been required before starting this processing.
The current climate around the use of possible political allegiance to influence elections is sure to have been a consideration in the level of the fine. The decision is subject to appeal by Austrian Post, so this may not be the end of the story.
As we have highlighted with other recent enforcement action both in the UK and across Europe, these cases are examples of enforcement where no breach of technical IT security occurred. They highlight the importance of adhering to the accountability principle of GDPR, in addition to:
- The importance of applying a relevant lawful basis to all your uses of personal data
- The need to be fully transparent about your use of personal data
- Clearly defining your retention periods for personal data and then making sure they are implemented across all systems
- The need to conduct a Data Protection Impact Assessment where the processing involves a large amount of special category data, or involves the systematic and extensive evaluation of personal data based on automated processing, including profiling.