Berlin: €14.5m cut to €900k — deletion obligation confirmed

Summary — On 9 June 2026, the Berlin Regional Court confirmed a GDPR breach by Deutsche Wohnen for using an archiving system that did not allow deletion of data that were no longer necessary. The 2019 fine was reduced from €14.5m to €900k, but the deletion obligation was reaffirmed.

The facts

The court found the company failed to timely adapt its IT systems to enable deletion of former tenants’ personal data. While the amount was reduced, the core violation — archiving without a deletion mechanism — was upheld.

This ruling follows the CJEU judgment of 5 December 2023 (Case C‑807/21, Deutsche Wohnen), which clarified that fines can be imposed directly on legal persons where at least negligence is established. With this clarification, Berlin courts could rule again on substance and quantum in 2026.

Legal framework and basis

• Article 5(1)(e) GDPR — storage limitation: data must not be kept in an identifiable form longer than necessary. Archiving without a deletion mechanism breaches this principle. For a structured overview, see our page on GDPR and retention obligations.
• Articles 24 and 25 GDPR — accountability and privacy by design: system architecture must embed data expiry and deletion.
• Article 83 GDPR — fines must be effective, proportionate and dissuasive; after CJEU C‑807/21, a fine may target the legal person if the infringement is at least negligent.

Key prior case law

• CJEU, 5 December 2023, C‑807/21, Deutsche Wohnen — direct fines against legal persons; fault (intent or negligence) required; no strict no‑fault liability.

What this means for Luxembourg organisations

• Operational takeaway: freezing data is not enough; archiving and backup systems must support selective and auditable purging at end of retention, including in DR/BC scenarios. For hands‑on governance and the DPO mandate, see our certified DPO and compliance leadership service.
• Tangible CJEU effect: authorities can target the legal person when negligence is shown. The cut to €900k illustrates proportionality review without diluting the deletion duty.
• Near‑term risks: targeted inspections on retention, deletion logs, and purge capability (ERP/EDM/archives), including processors (Art. 28).

Luxembourg entities should confirm retention schedules, evidence deletions, and document legal exceptions. See our overview of GDPR in Luxembourg and CNPD expectations.

Practical actions for this week

• Map archiving and backup zones lacking automated purge; set per‑purpose retention and effective deletion mechanisms (logical/physical removal; WORM retention only where justified).
• Implement timestamped deletion logs and test an end‑to‑end deletion path (production → archive → backup), with DPO/IT validation and a test report.
• Recalibrate processor clauses: require selective deletion capability, purge plans, and periodic retention reviews.

Key takeaways

• Architectures that block deletion breach Article 5(1)(e) GDPR.
• Post C‑807/21, fines can target the legal person where at least negligence is present.
• Judicial review may reduce the amount but does not neutralise the deletion obligation.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.