Recently it became known that the German real estate company Deutsche Wohnen SE is to pay a fine of 14.5 million euros for a violation of the European General Data Protection Regulation (EU GDPR). The reason was the use of an archive system for storing personal tenant data that was not designed to remove data that was no longer needed. According to Maja Smoltczyk, the Berlin Commissioner for Data Protection and Freedom of Information, this private information had been stored without any check as to whether retaining it was legally or actually necessary. In some cases, years-old information about tenants, such as bank statements, salary statements or insurance data, was still accessible even though it was no longer needed for its original purpose. A first examination of Deutsche Wohnen took place as early as 2017, i.e. during the transitional period before the GDPR came into force, yet no adequate measures were taken to remedy the situation.
Only data that is actually required may be stored
The real estate company has thus clearly violated the regulation that came into force in 2018, which stipulates that data storage systems must comply with strict data protection requirements. Among other things, it states that only data that is actually required may be stored. Moreover, data that is retained needlessly always provides an additional target for attackers. The right to be forgotten (Article 17) is also part of the regulation and ensures that data subjects can insist on the deletion of their personal data. However, if companies, such as Deutsche Wohnen in this case, use archiving systems whose structure does not provide for deletion, this requirement cannot be met.
IT solutions must comply with GDPR
IT solutions used in organisations must also comply with the requirements of the GDPR. Concrete IT security measures must be implemented, comprising a series of technical and organisational measures. A GDPR-compliant solution must provide, for example, pseudonymisation and encryption of data. A company such as Deutsche Wohnen must also take measures to permanently ensure the confidentiality, integrity, availability and resilience of the systems and services involved in data processing.
Regular checks required
The GDPR also requires regular review, assessment and evaluation of the security of data processing. According to Article 25 of the GDPR, the principles of data protection must already be taken into account when implementing products, services and applications that process personal data (data protection by design and by default). The corresponding technical implementation should ensure that only the data that is needed is collected, that this data is pseudonymised and encrypted as early as possible, that it is processed only to the extent necessary, and that it is deleted once the storage period has expired. Beyond this, access to the data should be restricted to specific, authorised persons.
Maximum encryption is necessary for secure data storage
In order to avoid infringements, data controllers must urgently ensure that the systems and applications they use to store and process personal data are built on a privacy-friendly policy framework. If the data to be processed is already reduced to a minimum at the technical level, and its protection is ensured by technical and organisational measures, the processing risk for the controller also falls significantly. In addition, the most secure encryption standard available should be used, for example in e-mail traffic, but also when data is exchanged via file sharing. Ideally, solutions for this offer client-side encryption, so that the information is already encrypted on the end device before it leaves it. Protection against unauthorised access to stored content is provided by reliable rights management. Authorisations must be transparent, so that data processing can be traced if data subjects request information about it.
Data protection and data security have top priority
Organisations that handle personal information and store it in the cloud urgently need to ensure that a high level of data protection and security is maintained at all times. Some companies seem to be unaware of the consequences of their actions when they simply bypass the issue. As IT service providers, we demand that companies in every industry act as quickly as possible to actually guarantee a high level of protection for stored data, because they owe it to their customers. We at DRACOON are committed to ensuring that each individual retains control over his or her data. The institutions that store and use this information are therefore obliged to handle it responsibly in accordance with legal requirements; after all, they are also liable for it. Consequently, they are also obliged to use suitable IT solutions that are in line with the strict GDPR guidelines.