Beware software with no delete function

By Andrew Mason

You may have missed the fine of €14½ million imposed by the data protection authority of Berlin on Deutsche Wohnen SE, a property management company who were found to use software systems that do not allow for the deletion of data.  This regulatory action resonated with the Outsourced DPO because it is a situation he has come across countless times in the UK’s social housing industry.

The similarities are striking.  Deutsche Wohnen SE was found to be holding data on the personal and financial circumstances of tenants, salary certificates, self-disclosure forms, extracts from employment and training contracts, tax, social and health insurance data as well as bank statements.  They were warned by the Berlin data protection authority in 2017 to make amends and despite having made some preparations to correct the situation were found in March 2019 to have insufficient measures in place to demonstrate compliance with both Article 5 of the GDPR (data retention) and Article 25(1) relating to privacy by design and by default.

During a recent compliance audit of a large housing association, the Outsourced DPO was critical of the customer’s housing management and document management systems for not allowing for data to be erased.  The Outsourced DPO rated the housing association’s compliance with the 5th data protection principle as “non-compliant” and advised urgent corrective action.

Personal data was found dating back to the mid-1990s including transcripts of conversations, bank statements, survey forms, correspondence about repairs and maintenance, scanned copies of passports, bank statements, medical forms etc.  The retention of most of this historic information could not be satisfactorily justified to the Outsourced DPO and, in his opinion represents a ticking time bomb that the housing association is making insufficient effort to defuse!  It won’t take much to trigger an explosion either – a subject access request followed by an erasure request or objection to processing will undoubtedly flush out all of this historic information and the housing association’s inability to erase it.

The social housing industry needs to be cognisant of the Berlin fine and apply collective pressure on their software vendors to correct this major flaw in their systems.

For more information about DPP’s Outsourced DPO Service please refer to our website or contact [email protected]

Phillip Brining 


Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021