Deutsche Wohnen SE

What happened

Berlin's data protection authority fined Deutsche Wohnen, one of Germany's largest residential real estate companies, €14.5 million for storing tenants' personal data indefinitely without any legal basis for continued retention. The company's archiving system did not allow for the deletion of data that was no longer needed. Personal data including salary statements, self-disclosure forms, employment contracts, tax and social security data, and bank statements of tenants were retained for years beyond their lawful retention period. Despite being warned by the DPA in 2017, Deutsche Wohnen failed to implement a data deletion concept. This case became a landmark for the principle that companies can be directly fined under GDPR.

Articles violated

Lessons learned

Companies must implement data retention policies with automated deletion mechanisms. Storing personal data indefinitely 'just in case' violates the storage limitation principle. When a DPA issues a warning, organizations must act promptly to remediate. Real estate companies handling sensitive financial data of tenants must establish clear retention schedules and ensure their IT systems support data deletion. This case confirmed direct corporate liability under GDPR after the CJEU's 2023 ruling.