For the first time in history, the Berlin DPA held that retaining data much longer than necessary is a breach of the GDPR.

Last October, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit, the Berlin DPA) issued a 14.5 million fine against a German real estate company, Deutsche Wohnen SE. This was the highest German GDPR fine to that date.

Three different arguments were used to justify that decision:
- first, the controller did not have a legal ground to store the personal data that long
- second, it was an infringement of the data protection by design requirements under Article 25 of the GDPR
- finally, it was an infringement of Article 5 of the GDPR, which sets out the general processing principles

This decision follows the multi-million GDPR fines in France (for the SERGIC company in June 2019), in the UK but also in Denmark in 2018, and emphasizes how important it is for all businesses to manage their data retention lifecycle correctly: processes for the identification, retention, retrieval and disposal of files and electronic records across all functions shall be in place, and functions shall be dedicated to operationalizing these same processes across the different sites.

This is also the reason why it is important to hire legal counsel specialized in data privacy across businesses. All companies have data, and most of the time may retain it without being aware of doing so.

So remember that any information that can identify an individual, even an email address, can be considered personal data. Be sure that all the necessary actions are in place in order to stay compliant with European legislation, especially during this global health crisis.

And finally, don't trust the "GDPR myths" either: personal data does not have to be deleted as soon as it has been used, as is often heard, but as soon as it is no longer needed. Retaining data for regulatory or legal requirements (as with sensitive data) is a potentially valid purpose, but it may sometimes be appropriate to keep only a part of what has been collected, or to anonymize it where it is no longer useful to identify the individuals concerned.