BREBAU GmbH: Insufficient legal basis for data processing

The DPA of Bremen has imposed a fine of EUR 1.9 million on the housing association BREBAU GmbH. BREBAU GmbH had processed upwards of 9,500 datasets about potential tenants without a valid legal basis. In particular, the DPA found that the controller had processed particularly sensitive data as defined by Art. 9 GDPR. For example, the controller unlawfully processed information about the skin color, ethnic origin, religious affiliation, sexual orientation and health status of the data subjects. BREBAU GmbH also deliberately ignored requests from data subjects for transparency about the processing of their data. In imposing the fine, the DPA took into account, as an aggravating factor, the extraordinary depth of the violation of the fundamental right to data protection. However, because BREBAU GmbH cooperated fully during the investigation, made efforts to mitigate the damage, clarified the facts on its own and ensured that such violations would not be repeated, the amount of the fine could be reduced.

GDPR Articles: Art. 5 (1) GDPR, Art. 6 (1) GDPR, Art. 9 GDPR
Industry: Real Estate