GDPR vs. Archiving Obligations
In recent weeks, a new discussion has flared up around one of the numerous legal issues in the GDPR. As if the GDPR has not yet brought enough uncertainty and is therefore, as one might think, jeopardizing the fundamentally correct idea of improved data protection due to the frustration of companies, service providers, the self-employed and freelancers.
What happened?
This was triggered by the recent decision of the Berlin Commissioner for Data Protection and Freedom of Information against Deutsche Wohnen SE. The latter has issued a fine of around EUR 14.5 million for breaches of the GDPR. During on-the-spot audits in June 2017 and March 2019, the supervisory authority found that the company used an archive system for storing the personal data of tenants that did not provide for the possibility of using data that was no longer required. to remove it. Personal data of tenants have been stored without checking whether storage is permissible or even necessary. In individual cases examined, it was therefore partially time-old private data of affected tenants to be consulted, without these still serving the purpose of their original survey. This involved data on the tenants’ personal and financial circumstances, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data and bank statements.
What is the problem?
Data protection experts are of the opinion that the authority has been sloppy in its legal recourse to “privacy by design” and has done data protection a disservice. Because now there is a fine, Deutsche Wohnen will take action against it, but other companies and data protection officers still do not know which tenant data should have been deleted at what time; and therefore cannot apply these findings to their own databases and perhaps do better.
So what?
In this case, it is about archiving processes. While this concerns applications from tenants in this case, the problems are applicable, but also to accounting processes, job applications, support requests, taxes, travel expense reports, holiday applications and thousands of other aspects. In many of these circumstances, there are again legal obligations for archiving and in many other aspects it is mandatory or at least relevant that the archiving is audit-proof so that changes can be tracked by controlling authorities. such as the tax offices. It is therefore the purpose of many archiving operations to prevent certain operations, and thus related documents or data, from being deleted or changed. Is that the case in each of those cases by Article 6(6) of the 1 sentence 1c GDPR, which allows data processing to fulfil legal obligations? This may be possible in many cases, but what about situations in which audit security is perhaps only sensible but not explicitly regulated by law?
The Data Protection Authority in Berlin
The data protection authority in Berlin has expressed its own opinion on this in its press release, and it will be very interesting to see whether it holds up in court.
Data cemeteries, as we found at Deutsche Wohnen SE, unfortunately meet us frequently in supervisory practice. Unfortunately, the explosiveness of such grievances is only clearly demonstrated to us when, for example, cyber-attacks have led to abusive access to the mass-hoarded data. Even without such serious consequences, however, we are dealing with a blatant breach of the principles of data protection, which are intended to protect those affected from such risks. It is gratifying that the general data protection regulation has introduced the possibility of sanctioning such structural deficiencies before the data GAU occurs. I recommend that all data processing bodies check their data archiving for compatibility with the GDPR.
Even if cyber attacks are indeed relevant and everyone should take technical and organizational precautions against data theft, the fact that we are talking about data cemeteries is quite harsh. Many companies would probably even want to have to store less data for a few years and reduce certain tendencies towards excessive bureaucracy. Especially in the areas of tax law, social security law or employment law, you can quickly grow grey hair when you think about all the obligations that exist, which in turn are often only indirectly standardized or shaped by court rulings.
And now?
The fear is quite justified that in the coming years the dispute between data protection and bureaucracy, between cyber security and the legitimate interests of tax, customs and social security authorities, will be played out on the backs of the self-employed or SMEs. Whether this is of economic and data protection is open to question. In the worst-case scenario, the economy will have to pay even more for obligations and even more costs for improved software solutions. We can therefore look forward to seeing how this procedure proceeds.
