The General Data Protection Regulation 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens in the European Union and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The law came into force on May 25, 2018 and has gathered momentum. One of the major deterrence in adopting GDPR is its penalty. We have already seen a first multi-million GDPR fine in Germany. Earlier in the year, Google was fined Euro 50 million for GDPR violation.
GDPR tentacles reach out with multi-million euro fine
Deutsche Wohnen is a German property company, and is one of the 50 companies that compose the MDAX index. On October 30, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (DPA) imposed a hefty penalty of Euro 14.5 million. The reason for penalty being over retention of personal data. The audits were conducted in June 2017 and March 2019 that revealed improper data storage and retention. According to the audit results, certain personal data that was no longer required for the business operations was still retained by the company in its archives. The company was hence found guilty of not having a proper data retention management in place which directly infringes the GDPR requirement. The company had retained personally identifiable information (PII) of its tenants such as tax data, social security numbers, bank statements, employment contracts, payslips etc. The company should have provided a facility to its tenants for erasure of these data that are no longer required or necessary.
The German DPA found the acts and omissions of Deutsche Wohnen to be a clear violation of Article 25(1) and Article 5 of the GDPR. Article 25 (1) requires data controllers to provide for appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to implement the same in the processing activities. Article 5 of GDPR articulates about 'data minimisation'. This article states that personal data should be limited, relevant for the purposes for which they are processed and the PII should be kept in the format that permits identification of the data subjects for a period for which it is required for business purposes. The DPA found this to be a clear violation of 'data minimisation' and 'privacy by design'.
Calculation of penalty
For severe violations, as listed in Article 83(5) of GDPR, the fine can be up to 20 million Euros or up to 4 percent of the company's total global turnover of the preceding fiscal year, whichever is higher. For catalogue of less severe violations as per Article 83(4) of GDPR the fines can be up to 10 million Euros or up to 2 percent of the entire global turnover of the preceding fiscal year, whichever is higher.
In the given case the German DPA seems to have applied the recently published fining guide of the German supervisory authorities. It looks the DPA had enforced 2 percent of the annual revenues. The DPA had not enforced the higher fine of 4 percent as the company had taken a few measures to try to remedy the infringement as already notified back in June 2017.
Upped the ante
The data commissioners in Europe have really upped the ante now in enforcing the GDPR. Now it is over 1.5 years that GDPR has come into force. The initial euphoria of GDPR had died down but its severity is growing. The data commissioners, through this fine, seem to convey the message that companies should not be lethargic as to complying with the GDPR requirement. The companies should keep looking at their internal privacy policies and constantly monitor their privacy processes.
Wake up alarm
The companies should consider this to be a wake-up alarm and relook their policies and privacy processes internally. They should enforce retention policies for emails and other PII. The companies should ensure that the retention policy is adhered to by creating retention categories and tags or setting customs retention periods for individual users or emails. The process should automatically evaluate the retention policy on every scheduled run. If the policy has been changed at any time, the module should automatically enforce the new policy and purge emails tagged for deletion on its next run. This allows the companies for intelligently controlling not only retention but also the destruction of email.
GDPR: What the corporates say
Julie Bernard, Chief Marketing officer at Verve, said the mobile marketer would shut its operations in Europe because the regulatory environment are not favourable to their particular business model. Jeremy Ables, CEO of Uber Entertainment, said, "We'll keep playable for as long as we are legally allowed to, but the day GDPR hits, we'll pull it down so as to be in compliance." Virender Aggarwal, CEO of Ramco Systems said that, "We had ensured to be one of the forerunners in implementing the GDPR and other privacy processes in our system. We are conscious of the importance of GDPR and have proper team in place to bring in the processes".
The take from multi-million Euro GDPR fine
German DPA are giving more importance to details of records management and data deletion lifecycle. They seem to give more importance to prevent unnecessary risk and harm to data subjects particularly where cyber breaches occur. The German DPA developed the new fining model and Deutsche Wohnen has been the first casualty. German companies, in particular, have been casual in implementing the data retention policies and this fine/penalty should be taken as a wake-up alarm for all such companies who are yet to take GDPR seriously.
K Satish Kumar is a keynote speaker, author, the Global Head of Legal and Chief Data Protection Officer of Ramco Systems. Among the many awards he has received, the coveted are “Top 50 Legal Leaders 2019” by Legal IP Gorilla in Singapore, “GC PowerList India 2018” by London based Legal 500 , “Legal Counsel of the Year -2018” by INBA. He is actively involved in many pro bono activities through Chennai Lawyers. The author can be reached at email@example.com. The views expressed are personal. Read his columns