BREBAU GmbH – €1,900,000 Fine (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
BREBAU GmbH faced a fine for improperly collecting sensitive information about over 9,500 potential tenants. The company gathered details like skin color, religion, and health status, which are protected under privacy laws. This case highlights the importance of handling personal data carefully and respecting privacy rights.
What happened
BREBAU GmbH processed sensitive personal information about prospective tenants without a valid reason.
Who was affected
Over 9,500 prospective tenants whose sensitive data was collected by BREBAU GmbH.
What the authority found
The DPA ruled that BREBAU GmbH had no valid legal basis for processing this sensitive data, violating GDPR protections.
Why this matters
This ruling emphasizes that companies must have a clear reason for processing sensitive personal data. It serves as a warning for businesses to ensure they comply with privacy laws to avoid hefty fines.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is BREBAU GmbH. Its business consists mainly of building and managing residential apartments. During its investigation the DPA of Bremen found that BREBAU was processing information of over 9,500 prospective tenants about their the skin colour, ethnicity, religion, religious affiliation, sexual orientation, health status and even the hairstyle, body odour and personal appearance. The DPA of Bremen (LfDI Bremen) held that processing this data was not necessary for the conclusion of rental agreements and that this kind of data is particularly protected under the GDPR. Furthermore, it found that BREBAU GmbH also deliberately thwarted requests from data subjects for transparency about the processing of their data. Regarding the amount of the fine, the DPA concluded that, because of the extraordinary gravity of the violation, a significantly higher fine would actually have been appropriate. However, the DPA reasoned that the amount of the fine could be reduced considerably because BREBAU GmbH cooperated extensively in the supervisory procedure, endeavoured to minimise the damage, to clarify the facts on its own and to ensure that such violations would not be repeated.
Related Enforcement Actions (0)
No other enforcement actions found for BREBAU GmbH in DE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 March 2022
Authority
DPA LfDI
Fine Amount
€1,900,000
Enforcement Tracker ID
ETid-1103
GDPRhub ID
gdprhub-4742About this data
Cite as: Cookie Fines. BREBAU GmbH - Germany (2022). Retrieved from cookiefines.eu
Last updated: