
On 9 June 2026, the Berlin Regional Court I (case ref. 526 OWi LG 1/20) issued a long-awaited judgment in Germany's most prominent GDPR fine case: Deutsche Wohnen SE must pay a fine of €900,000 for violations of the General Data Protection Regulation. At first glance this may sound like a significant penalty – but it represents a drastic reduction from the original fine of €14.5 million imposed by the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) back in 2019. The judgment is not yet final; it can be challenged by way of further appeal (Rechtsbeschwerde).
This case has captivated German data protection law scholarship and practice since its inception in 2019. It raised fundamental questions: Can legal entities be fined directly under the GDPR without requiring proof of culpable conduct by a specific senior official? What standards apply when calculating GDPR fines? And which factors can mitigate a sanction? The answers provided by Berlin Regional Court I offer important guidance for companies seeking to build their data protection compliance on a legally sound footing.
The underlying facts of this long-running case are deceptively technical: Deutsche Wohnen SE used an archive system to store personal data of its tenants that had no mechanism to delete data that was no longer required. In concrete terms, this meant that information such as pay slips, bank statements, extracts from employment and training contracts, and tax, social security and health insurance data of tenants remained permanently stored – even when there was no longer any legal basis for retaining it. The Berlin data protection authority documented this practice from 25 May 2018, the date the GDPR entered into force, until 5 March 2019.
This approach to data storage cuts to the heart of two core GDPR principles: the principle of data minimisation (Art. 5(1)(c) GDPR), which requires that personal data be limited to what is necessary in relation to the purposes of processing, and the storage limitation principle (Art. 5(1)(e) GDPR), which stipulates that data may only be retained for as long as necessary for its intended purpose. When – as in the Deutsche Wohnen case – a system technically lacks a deletion function, it is structurally incapable of observing these principles. This makes the case emblematic of a widespread problem in companies with legacy IT infrastructure: older systems that were not designed with GDPR compliance in mind and cannot simply be retrofitted.
The proceedings have a convoluted procedural history. After the BlnBDI issued the €14.5 million fine notice in 2019, Deutsche Wohnen challenged it before the courts. The Berlin Regional Court initially stayed the proceedings in 2021, reasoning that German law did not permit direct corporate sanctions against legal entities under the GDPR. Following a referral by the Berlin court, the Court of Justice of the EU (ECJ) ruled in 2022 (C-807/21) that legal entities may be fined directly under the GDPR even without prior proof of a culpable act by a natural person – provided national law so permits. The proceedings were then resumed and have now reached a first – not yet final – conclusion with the June 2026 judgment.
The 2022 ECJ ruling continues to be of fundamental importance: direct GDPR liability for legal entities is settled law in Germany. Companies cannot defend themselves by arguing that no specific individual within the organisation was identifiably responsible. Liability falls on the company as such – and therefore on senior management, which bears ultimate responsibility for ensuring GDPR compliance.
The reduction from €14.5 million to €900,000 – just over six percent of the original amount – was undoubtedly the most significant outcome of the judgment from the company's perspective. The court justified this reduction on the basis of several mitigating factors. First, it noted that the violations occurred exclusively during the introductory phase of the GDPR, a period in which authorities and companies alike were grappling with implementation of the new requirements. In this context, the court explicitly acknowledged that the Berlin data protection authority itself had experienced difficulties documenting the actual state of affairs in a manner suitable for court proceedings.
The court also took into account that Deutsche Wohnen had proactively engaged external auditors and consultants to implement new GDPR-compliant systems. The company had therefore not merely reacted passively to the fine notice but had already taken concrete steps to remedy the deficiencies. This was treated as a mitigating factor. Finally, economic considerations also fed into the fine calculation: the court did not apply a rigid percentage of annual turnover but conducted a case-by-case balancing exercise that gives effect to the principle of proportionality.
The LG Berlin I judgment contains several important messages for corporate data protection practice. First: the GDPR principles of data minimisation and storage limitation are not mere policy statements but enforceable duties backed by fines. Every system that processes personal data must be technically capable of deleting data that is no longer needed. Companies that neglect this when introducing new IT systems or continuing to use legacy systems commit a structural compliance violation.
Second, the judgment demonstrates that cooperation and proactive action in remedying data protection deficiencies can reduce fines. Companies that act swiftly and demonstrably in response to a supervisory authority's findings, engage external experts, and show transparency towards the authority improve their position in any subsequent fine proceedings. Third, the procedural history underscores the complexity of GDPR fine proceedings: from the original finding in 2019 to the current judgment in 2026, seven years have elapsed – including two stays of proceedings, an ECJ referral, and a fresh start. Anyone caught up in such proceedings should seek specialist legal advice at the earliest opportunity.
Companies should regularly verify that all deployed IT systems – particularly archive systems, CRM systems, and document management systems – have functioning deletion capabilities. In addition, a retention and deletion policy under Art. 5(1)(e) GDPR should be introduced, specifying concrete retention periods and automated deletion triggers for each category of data. Compliance with this policy must be technically enforced and regularly audited. Thorough documentation is equally important: evidence of active implementation of data protection measures can act as a mitigating factor in fine proceedings and should therefore be carefully maintained from the outset.
The LG Berlin I judgment is good news for Deutsche Wohnen, but offers no general all-clear for companies. While the court demonstrates that fines are calibrated proportionately and mitigating factors are taken into account, it also makes clear: companies that structurally violate the fundamental data protection principles of the GDPR face direct liability – without any need to prove a specific responsible employee. Given the continued high level of GDPR fines worldwide, robust data protection compliance management remains indispensable for every organisation that processes personal data.
Do you have questions about GDPR compliance or data protection fine risks in your organisation? The lawyers at HUFELD PartGmbB are here to provide comprehensive advice. Get in touch now.