Germany Germany

BREBAU GmbH

1,900,000 €

GDPR enforcement action by Data Protection Authority of Bremen on 2022-03-03.

Rank · Sector
#1
of 86 in Real Estate
Rank · Germany
#6
of 116
Rank · All fines
#126
of 3,051

Case details

Authority
Data Protection Authority of Bremen
Date
2022-03-03
Controller / Processor
BREBAU GmbH
Sector
Real Estate
Quoted Articles
Art. 5 (1) GDPR, Art. 6 (1) GDPR, Art. 9 GDPR
Type of violation
Insufficient legal basis for data processing

Summary

The DPA of Bremen has imposed a fine of EUR 1.9 million on the housing association BREBAU GmbH.

BREBAU GmbH had processed upwards of 9,500 datasets about potential tenants without a valid legal basis. In particular, the DPA found that the controller had processed particularly sensitive data as defined by Art. 9 GDPR. For example, the controller unlawfully processed information about the skin color, ethnic origin, religious affiliation, sexual orientation and health status of the data subjects. BREBAU GmbH also deliberately ignored requests from data subjects for transparency about the processing of their data.

In imposing the fine, the DPA took into account, as an aggravating factor, the extraordinary depth of the violation of the fundamental right to data protection.

However, because BREBAU GmbH cooperated fully during the investigation, made efforts to mitigate the damage, clarified the facts on its own and ensured that such violations would not be repeated, the amount of the fine could be reduced.

Open original source Links to the regulator's original publication or another source.

Related fines