
The Berlin Regional Court I (Landgericht Berlin I) issued a landmark ruling (PM 24/2026) reducing the GDPR fine against Deutsche Wohnen SE from approximately €14.5 million to just €900,000. The court reviewed the proportionality of the fine originally imposed by the Berlin Data Protection Commissioner and arrived at a substantial downward correction. The case concerns violations of the principles of data minimization and storage limitation under Art. 5(1)(c) and (e) GDPR, committed between May 2018 and March 2019. This makes it one of the most closely watched and consequential GDPR enforcement cases in Germany to date.
The background of the case dates back to 2017, when the Berlin data protection authority discovered that Deutsche Wohnen was storing personal data of tenants — including payslips, bank statements, self-disclosure forms, and copies of identity documents — in a legacy archive system that did not permit targeted deletion. This violated the principle of data minimization under Art. 5(1)(c) GDPR and the principle of storage limitation under Art. 5(1)(e) GDPR. The Berlin Commissioner imposed the approximately €14.5 million fine in October 2019 — at the time one of the highest GDPR fines ever issued in Germany. The current ruling sets an important new benchmark for how courts can review and correct such fines.
The Berlin Regional Court based its reduction on several key mitigating factors. Deutsche Wohnen had proactively engaged external consultants, auditors, and IT specialists to bring its systems into compliance after the issues came to light — the court explicitly recognized this compliance engagement as a mitigating circumstance. In addition, the court took into account that the violations occurred during the immediate implementation phase of the GDPR — a period in which both authorities and companies were still grappling with how to interpret and technically implement the new requirements. Finally, the court noted that even the Berlin data protection authority itself had difficulties fully documenting the facts in a way that would withstand legal scrutiny, which weakened the basis for a high fine.
Another significant dimension of the case concerns the long-debated question of whether GDPR fines can be imposed on legal entities without proving individual fault by a natural person. The Federal Court of Justice (BGH) had clarified in a parallel proceeding that the principle of discretion embedded in German administrative fine law applies and that authorities have latitude in imposing fines. The Berlin Regional Court has now demonstrated that courts can not only formally review such fines but also substantially correct them downward where proportionality is not maintained. The ruling is not yet final; a constitutional complaint remains possible.
The storage limitation principle under Art. 5(1)(e) GDPR requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. Complementing this, Art. 5(1)(c) GDPR provides that only data that is genuinely necessary for the specific processing purpose may be collected and stored — the principle of data minimization. While these principles may sound abstract, they present significant practical challenges, particularly when it comes to legacy IT systems that have no built-in deletion functionality. The Deutsche Wohnen ruling makes clear that legacy systems do not provide a free pass: companies that cannot technically delete personal data must retrofit or replace their systems accordingly.
The situation is especially critical for systems developed before the GDPR entered into force in May 2018 and that lack automated deletion capabilities. For such systems, companies must implement technical retrofits, develop migration solutions, or transition to GDPR-compliant successor systems. Citing technical difficulties does not relieve a company of responsibility — but it can be recognized as a mitigating factor in fine proceedings, provided the company is actively and demonstrably working toward a solution. This is precisely the lesson of the Deutsche Wohnen ruling: those who act proactively and engage external expertise can expect significantly lower sanctions if enforcement proceedings arise.
Companies are required under the GDPR to establish and implement a structured deletion policy. This policy must address, for each category of personal data, the processing purpose, the applicable legal basis, the relevant retention period, and the precise deletion process including technical verifiability. A deletion policy is not merely a legal document but a technical and organizational instrument that must be jointly developed by IT and legal departments and reviewed on a regular basis. In enforcement proceedings, data protection authorities and courts examine not only whether such a policy exists, but also whether it is genuinely implemented and whether the defined retention periods can actually be met in technical terms.
The Berlin Regional Court ruling has significant practical implications for GDPR enforcement in Germany. It demonstrates that fines imposed by data protection authorities are subject to substantive judicial review and that proportionality is a central corrective mechanism. Documented compliance efforts, external advisory engagement, and evidence of improvement measures can demonstrably lead to a substantial reduction of a fine in contested proceedings. This is an important signal for businesses: investing in data protection compliance pays off not only by avoiding proceedings in the first place, but also if a fine procedure does ultimately arise.
At the same time, companies should not misread the ruling as an invitation to disregard data protection requirements. The core message of the case is clear: storing personal data without the technical capability to delete it constitutes a GDPR violation — and fines may follow. The reduction in this particular case was attributable to special circumstances, above all the fact that the violations occurred during the initial rollout phase of the GDPR. For violations occurring today — more than seven years after the GDPR took effect — courts and authorities will have little justification for applying similar leniency on the basis of an introductory period.
The Deutsche Wohnen ruling provides concrete guidance for companies to act on. A comprehensive inventory of all data systems — with particular focus on legacy IT that lacks deletion functionality — is the essential starting point. On this basis, deletion policies should be created or reviewed for each category of personal data. Companies should engage external data protection advisors or auditors to close compliance gaps and ensure that documentation is robust enough to withstand legal scrutiny. Regular data protection audits and thorough documentation of all measures taken are critical not only for ongoing compliance, but also as evidence in the event a regulatory procedure arises.
The Deutsche Wohnen ruling from the Berlin Regional Court is more than an isolated case: it offers valuable insight into how courts assess and correct GDPR fines and which factors carry decisive weight. For businesses, the message is clear: data deletion obligations are a technical reality to be implemented, not abstract requirements to be filed away. At the same time, the ruling demonstrates that proactive compliance engagement, external expertise, and documented improvement measures can carry significant weight in enforcement proceedings. Companies that structure and fully document their data protection compliance protect themselves not only against regulatory proceedings, but also against disproportionate sanctions.
Do you have questions about GDPR data deletion obligations or data protection compliance in your organization? The lawyers at HUFELD PartGmbB are here to provide comprehensive advice. Get in touch now.