Posts
|
06.07.2026
The Berlin Regional Court (LG) has reduced the fine imposed on the property group Deutsche Wohnen for breaching the General Data Protection Regulation (GDPR). Instead of the originally set fine of 14.5 million euros, the company now only has to pay 900,000 euros (Ref.: 526 OWiG LG 1/20 of 9 June 2026). The company had come under scrutiny from the Berlin Data Protection Commissioner because spot checks revealed that it had not automatically deleted tenants’ data – in particular, proof of identity and details of financial standing – even though, in the authority’s view, this data was no longer required.
With its ruling, the Berlin Regional Court has now upheld the liability of companies to pay fines under the GDPR, thereby following the guidelines of the European Court of Justice (ECJ). In 2023, the CJEU had clarified that the imposition of fines on companies does not require a natural person in a managerial position to have committed a tortious act (principle of imputability). However, the company must be held responsible for a culpable breach. On this basis, the case had been referred back to the Regional Court by the Higher Regional Court to examine the question of fault. The Regional Court has now concluded that, whilst Deutsche Wohnen did act culpably, because the company had been cooperative and had endeavoured to establish a system compliant with data protection regulations, the court considered a fine of 14.5 million euros to be too high.
„The ruling shows that companies can successfully defend themselves against very high GDPR fines,“ says lawyer Zeynep Kenar. „Anyone who cooperates, documents their processes properly and demonstrates that they are working towards a solution that complies with data protection regulations has a good chance of having the fine reduced.“.
The decision of the Berlin Regional Court is not yet final. Both Deutsche Wohnen and the Berlin Data Protection Commissioner may lodge an appeal, meaning that the courts may still be called upon to consider the standards of corporate liability under the GDPR.