
Brebau GmbH fined for lack of legal basis and transparency

Summary

The housing and residential association Brebau GmbH processed sensitive data of over 9500 potential tenants. In more than half of the cases, the data collected included information about skin color, ethnic origin, religious beliefs, sexual orientation, health status of the data subjects and even physical appearance such as hairstyle and body odor.

In multiple cases, Brebau GmbH prevented data subjects from accessing their personal data and obtaining insight into how their data was processed.

The Decision of the State Commissioner for Data Protection Bremen

The DPA fined Brebau GmbH 1,900,000 EUR for the violation, stating that the extraordinarily severe nature of the violation allowed for an even higher fine than the one imposed. Brebau was fined for the following violations:

• Processing categories of personal data that were not necessary for the fulfillment of the contract.
• Not complying with the right to access (GDPR, Article 15) and principle of transparency (GDPR, Article 5(1)(a))

However, as Brebau GmbH cooperated willingly by mitigating the damage, clarifying the facts and ensuring that no such violations would be repeated, the DPA reduced the amount of the fine.

Our remarks

The processing of special categories of personal data such as skin color, ethnic origin, etc. is not necessary for fulfilling rental agreements and therefore, such processing is considered unlawful. Assessing which of the personal data categories are necessary for processing ensures compliance with GDPR regulations.

As a data controller, it is essential to implement efficient and accessible transparency practices to uphold the data subjects’ right to access. The data subject must upon request be able to access information on (see GDPR, Article 15 for an exhaustive list):

• The purposes of the processing,
• The categories of personal data concerned,
• Third party recipients or categories of recipients of personal data,
• The existence of the right to rectification and the right to erasure, and the right to lodge a complaint with a DPA.

Published: 03-03-2022
Journal number: n/a
Tags: 01 Legal Basis and principles of processing, 02 right to access and obligation to provide information

Complycloud EU GDPR Report - Page 46