GDPR Shot: Heavy fine for personal data’s “graveyard”
Originally published: www.ethemis.gr (in Greek)
Date: 12/12/2019
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
A recent decision of October 30, 2019 by the Commissioner for Personal Data Protection of Berlin vividly illustrates the danger of following the doctrine of “keeping everything forever” under the GDPR. This practice is still followed today, at least partially, in Greece by natural and legal persons who hesitate to adopt and apply reasonable deadlines for the deletion of personal data across the whole range of their activities.

Returning to Germany, the case in question concerned a real estate company. Following an on-the-spot inspection, the competent supervisory authority found that the company was using an archiving system for lessees' personal data that did not allow data that was no longer needed to be deleted. Data was entered into the system without considering whether its storage was permissible or necessary. As a result, the archiving system contained personal data of lessees from many years ago that was no longer necessary for the purpose of its initial collection, such as payroll documents, bank documents, tax documents, etc.

Although the first on-the-spot inspection took place in June 2017, the company had still not taken the appropriate measures by the time of the second on-the-spot inspection in March 2019. Under these circumstances, the Commissioner for Personal Data Protection of Berlin decided to impose a fine of 14.5 million euros for violations of Article 25 par. 1 GDPR (data protection by design and by default) and Article 5 GDPR (principles relating to processing of personal data).