BREBAU GmbH – €1,900,000 Fine (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
BREBAU GmbH was fined €1.9 million for collecting sensitive information about over 9,500 potential tenants without a good reason. This included details like skin color, religion, and health status, which are protected under privacy laws. The ruling highlights the importance of only collecting necessary information and respecting people's privacy rights.
What happened
BREBAU GmbH processed sensitive personal information about prospective tenants without a valid reason.
Who was affected
Over 9,500 prospective tenants whose sensitive data was collected by BREBAU GmbH.
What the authority found
The DPA ruled that BREBAU GmbH violated GDPR by processing unnecessary sensitive data and obstructing transparency requests.
Why this matters
This case shows that companies can face serious penalties for mishandling sensitive information. It serves as a warning for businesses to ensure they only collect data that is necessary and to be transparent with users.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is BREBAU GmbH. Its business consists mainly of building and managing residential apartments. During its investigation the DPA of Bremen found that BREBAU was processing information of over 9,500 prospective tenants about their the skin colour, ethnicity, religion, religious affiliation, sexual orientation, health status and even the hairstyle, body odour and personal appearance. The DPA of Bremen (LfDI Bremen) held that processing this data was not necessary for the conclusion of rental agreements and that this kind of data is particularly protected under the GDPR. Furthermore, it found that BREBAU GmbH also deliberately thwarted requests from data subjects for transparency about the processing of their data. Regarding the amount of the fine, the DPA concluded that, because of the extraordinary gravity of the violation, a significantly higher fine would actually have been appropriate. However, the DPA reasoned that the amount of the fine could be reduced considerably because BREBAU GmbH cooperated extensively in the supervisory procedure, endeavoured to minimise the damage, to clarify the facts on its own and to ensure that such violations would not be repeated.
Related Enforcement Actions (0)
No other enforcement actions found for BREBAU GmbH in DE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 March 2022
Authority
DPA LfDI
Fine Amount
€1,900,000
About this data
Cite as: Cookie Fines. BREBAU GmbH - Germany (2022). Retrieved from cookiefines.eu
Last updated: