BREBAU GmbH – €1,900,000 Fine (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller is BREBAU GmbH. Its business consists mainly of building and managing residential apartments. During its investigation the DPA of Bremen found that BREBAU was processing information of over 9,500 prospective tenants about their the skin colour, ethnicity, religion, religious affiliation, sexual orientation, health status and even the hairstyle, body odour and personal appearance. The DPA of Bremen (LfDI Bremen) held that processing this data was not necessary for the conclusion of rental agreements and that this kind of data is particularly protected under the GDPR. Furthermore, it found that BREBAU GmbH also deliberately thwarted requests from data subjects for transparency about the processing of their data. Regarding the amount of the fine, the DPA concluded that, because of the extraordinary gravity of the violation, a significantly higher fine would actually have been appropriate. However, the DPA reasoned that the amount of the fine could be reduced considerably because BREBAU GmbH cooperated extensively in the supervisory procedure, endeavoured to minimise the damage, to clarify the facts on its own and to ensure that such violations would not be repeated.
GDPR Articles Cited
The controller is BREBAU GmbH. Its business consists mainly of building and managing residential apartments. During its investigation the DPA of Bremen found that BREBAU was processing information of over 9,500 prospective tenants about their the skin colour, ethnicity, religion, religious affiliation, sexual orientation, health status and even the hairstyle, body odour and personal appearance. The DPA of Bremen (LfDI Bremen) held that processing this data was not necessary for the conclusion of rental agreements and that this kind of data is particularly protected under the GDPR. Furthermore, it found that BREBAU GmbH also deliberately thwarted requests from data subjects for transparency about the processing of their data. Regarding the amount of the fine, the DPA concluded that, because of the extraordinary gravity of the violation, a significantly higher fine would actually have been appropriate. However, the DPA reasoned that the amount of the fine could be reduced considerably because BREBAU GmbH cooperated extensively in the supervisory procedure, endeavoured to minimise the damage, to clarify the facts on its own and to ensure that such violations would not be repeated.
Related Enforcement Actions (1)
Other enforcement actions involving BREBAU GmbH in DE
Details
About this data
Cite as: Cookie Fines. BREBAU GmbH - Germany (2022). Retrieved from cookiefines.eu
Last updated: