GDPR vs. Archiving Obligations
In recent weeks, a new discussion has erupted around one of the many legal issues in the GDPR. As if the GDPR had not already brought enough uncertainty, the fundamentally sound idea of improved data protection may now, it is thought, be at stake because of the frustration of companies, service providers, the self-employed and freelancers.
The trigger is the recent decision of the Berlin Commissioner for Data Protection and Freedom of Information against Deutsche Wohnen SE, on which a fine of around EUR 14.5 million was imposed for breaches of the GDPR.
During on-site audits in June 2017 and March 2019, the supervisory authority found that the company used an archive system for storing tenants' personal data that provided no means of removing data that was no longer required. Tenants' personal data had been stored without checking whether storage was permissible or even necessary.
In the individual cases examined, years-old private data of the affected tenants could therefore still be retrieved in some instances, even though it no longer served the purpose for which it was originally collected. These were data on the personal and financial circumstances of the tenants, such as salary certificates, self-disclosure forms, extracts from employment and training contracts, tax, social and health insurance data, and
What is the problem?
Privacy experts believe that the authority was sloppy in resorting to “privacy by design”, or that it has done data protection a disservice. There is now a fine, and Deutsche Wohnen will take action against it, but other companies and data protection officers still do not know which tenant data should have been deleted and when; they therefore cannot apply these findings to their own data sets and perhaps do better.
This case concerns the archiving of business processes. Here it involves applications from tenants, but the problems apply equally to accounting processes, job applications, support requests, taxes, travel expense reports, holiday applications and thousands of other matters. In many of these circumstances there are, in turn, legal obligations to archive, and in many others it is mandatory, or at least relevant, that the archiving is audit-proof so that changes can be tracked by controlling authorities such as the tax offices. The very purpose of many archiving operations is therefore to prevent certain operations, and thus the related documents or data, from being deleted or changed. Is that covered in each of those cases by Article 6(1) sentence 1(c) GDPR, which allows data processing in order to fulfil a legal obligation?
This may well be the case in many instances, but what about situations in which audit-proof archiving is perhaps only sensible, but not explicitly required by law?
The Data Protection Authority in Berlin
In its press release, the data protection authority in Berlin expressed its own opinion on this; it would be very interesting to see whether it would stand up in court.
Data cemeteries such as the one we found at Deutsche Wohnen SE unfortunately meet us frequently in supervisory practice. Unfortunately, the explosiveness of such grievances only becomes clearly apparent to us when, for example, cyber-attacks have led to abusive access to the mass-hoarded data. Even without such serious consequences, however, we are dealing with a blatant breach of the principles of data protection, which are intended to protect those affected from precisely such risks. It is gratifying that the General Data Protection Regulation has introduced the possibility of sanctioning such structural deficiencies before the data GAU occurs. I recommend that all data processing bodies check their data archiving for compatibility with the GDPR.
Even if cyberattacks are indeed relevant and technical and organisational precautions against data theft should be taken, talking about data cemeteries is quite harsh. Many companies would probably prefer to have to store less data for fewer years and to reduce certain tendencies towards excessive bureaucracy. Especially in the area of tax law, social security law or labour law, grey hairs grow quickly when one considers which obligations exist, many of which are in turn only indirectly standardised or shaped by court rulings.
The fear is quite justified that in the next few years the dispute between data protection and bureaucracy, between cybersecurity and the legitimate interests of tax, customs and social security authorities, will be carried out on the backs of the self-employed and the middle class. Whether this serves either the economy or data protection is open to question. In the worst case, the economy will have to bear even more obligations and even higher costs for improved software solutions. It will therefore be interesting to see how this procedure proceeds.