• Audit security not a general argument for undifferentiated storage of data
• EuroCloud sees tendency towards higher fines
On 05.11.2019, the Berlin Data Protection Supervisory Authority announced the imposition of a fine amounting to 14.5 M Euro.* It goes without saying that, for Germany, the size of this fine is sensational. But what is particularly critical is the reason for this fine, which rubs salt into the wound of a practical problem: data that is not deleted at all, or is deleted in an insufficiently differentiated manner, and the resulting violation of Privacy by Design.
“This fine must now act as a wake-up call. The current broadly-used generalized argument of audit security does not carry water. Now a supervisory authority has made this painfully clear,” says Dr. Jens Eckhardt, Board Member for Law and Compliance at EuroCloud Deutschland_eco e.V. “However, this does not mean that audit-proof storage is not necessary. This has not changed. But the two conflicting obligations need to be resolved through specific and differentiated definition of the data to be stored on the basis of the respective legal purpose and permissible period of storage,” Eckhardt continues.
The German-language press release from the supervisory authority names the following reasons for the fine:
- The company stored personal data longer than required. A trigger for this was the undifferentiated storage of the data. The supervisory authority makes it clear that audit security cannot be used as a generalized argument for undifferentiated storage. Specifically, the supervisory authority sees a violation of the principle of data minimization, which requires that it be determined which data may be stored for which purpose and for how long (Art. 5 GDPR). Although audit security is an important argument, backed by legal obligations from trade and tax law, the fine makes clear, not surprisingly, that this argument is too generalized: there needs to be a differentiated concept for storage and deletion that defines, per category of data, the legal purpose and the permissible retention period.
- The supervisory authority also imposed the fine because the sanctioned company does not use software that enables differentiated storage. The supervisory authority sees here a violation of the principle of data-protection-friendly design of technology (Art. 25 GDPR). In other words: the supervisory authority disallowed the argument that the software in use is not able to delete in a differentiated manner.
With a view to the impact, the size of the fine – almost – pales in comparison to the aspects mentioned. This is because the size of the fine is largely the result of the turnover of the sanctioned company. The fact that the supervisory authority had already previously criticized the storage practice will also have played a role; this is at least suggested in the press release. As a result, the amount of the fine itself is not readily transferable to other situations.
That being said, the new model for calculating fines employed by the German Data Protection Supervisory Authorities is highly likely to have played a role in the size of the fine. The German supervisory authorities presented a model for the calculation of fines on 16.10.2019. This model determines a base value for calculating the fine on the basis of the turnover of the company.** Starting from this base value, individual aspects of the case and the criteria in Art. 83(3) GDPR for the calculation of fines are weighted. Because the resulting amount is justified step by step from a turnover-based starting point, this model will tend to lead to higher fines. This recent fine may well be proof of this.
* https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PM-Bussgeld_DW.pdf; German language press release, dated 07.11.2019