How clued up are you on Article 5?

It was announced recently that Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, Deutsche Wohnen, the highest German GDPR fine to date.


The infraction related to the over retention of personal data. The Berlin DPA considered retaining data substantially longer than necessary a breach of the GDPR in three respects:

  1. The controller did not have a legal ground to store personal data longer than was necessary;
  2. They failed to comply to data protection by design requirements under Article 25
  3. It was infringement of the general processing principles set out in Article 5 GDPR.


Deutsche Wohnen failed to establish a GDPR-compliant data retention and deletion procedure for tenants’ personal data. This was aggravated by the fact that in 2017, the Berlin DPA had already flagged the non-compliance with its retention obligations during an on-site audit. A second audit revealed that the organisation was still unable to demonstrate a clean-up of its database.

Berlin DPA justified the decision by saying Deutsche Wohnen could have readily complied in two ways. The first by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods and the second by using commercially available data hygiene solutions such as suppression files to ensure data was kept up to date.

The decision of the Berlin DPA emphasises the importance of getting into the detail of Article 5 and ensuring that data is processed and managed responsibly. The Bavarian DPA has recently announced it will focus on this area too. German data protection experts are saying that it is becoming increasingly clear that the German DPAs attach particular importance to personal data deletion and data hygiene given the capacity for “data graveyards” to cause unnecessary risk and harm to data subjects - both alive and deceased - particularly where cyber breaches occur. As a result of this potential damage it has been suggested that Article 5 will become more of a priority for the data protection bodies of other countries moving into the new decade. The question, therefore, must be: How clued up are you on Article 5?