24. Jun 22

GDPR violations met with a heavy fine from Bremen’s data protection commissioner

The Bremer Landesbeauftragte für Datenschutz und Informationsfreiheit (LfDI) – Bremen’s Federal Commissioner for Data Protection and Freedom of Information – has imposed a fine on a housing association in response to violations of the General Data Protection Regulation (GDPR).

One of the aims of the Regulation is to strengthen the protection of sensitive personal information by requiring businesses to comply with more demanding data protection standards, with violations of the GDPR potentially leading to severe penalties.

We at the commercial law firm MTR Rechtsanwälte can report on a real estate firm in Bremen that recently found itself faced with a fine to the tune of around 1.9 million euros for violating the GDPR. The penalty was announced and imposed by Bremen’s Federal Commissioner for Data Protection and Freedom of Information on March 3, 2022.

The commissioner detailed in a press release how the housing association had processed data from more than 9,500 prospective tenants without a legal basis. This included storing information that was not required for the conclusion of the lease agreement, e.g., regarding hairstyles and body odor. The commissioner also reported that data of a sensitive and personal – and therefore protected – nature relating to ethnic origin, religious affiliation, sexual orientation, and health had been processed.

Citing the extreme severity with which the fundamental right to data privacy had been violated, the commissioner contended that they would have been justified in issuing a substantially larger fine than the approximately 1.9 million euros that was imposed pursuant to Article 83 of the GDPR. Indeed, it was only by cooperating fully and demonstrating a willingness to come clean that the company was able to avoid this outcome. It also made efforts to mitigate the damage. Additionally, the company wants to ensure that violations of this kind are not repeated.

The extent of the fines in cases involving violations of the GDPR is to be determined on a case-by-case basis, with Art. 83(2) GDPR specifying the nature, gravity, and duration of the violation as the key criteria here. The Regulation provides for the possibility of fines of up to ten million euros or up to 2% of total worldwide annual turnover, though the penalty can be doubled in the case of particularly serious violations.

It is therefore in the interests of businesses to give due consideration to data protection and to comply with the GDPR. Our team of lawyers includes data protection experts who can provide counsel.

Do you have any questions?
Make an appointment at one of our locations in Cologne, Berlin, Dusseldorf, Frankfurt, Hamburg, Munich or Stuttgart!