Nightmare Scenario

Real Estate Agent Triggers GDPR Complaint Wave: 340 Complaints, €680,000 in Damages

A real estate agency stores tenant applications without legal basis and triggers a wave of 340 GDPR complaints. The data protection authority strikes hard.

Incident Type: Misconfiguration

Total Damage: €680K

GDPR Fine: €310K

The Incident

Grundstein Real Estate GmbH in Frankfurt, Germany, was a thriving brokerage. Managing director Ralf Brenner, 48, and his team of twelve managed approximately 600 rental properties and placed over 1,200 apartments per year. Business was good — too good to bother with "bureaucratic nonsense" like data protection. At least that's how Brenner saw it.

The process for rental applications had been the same for years: applicants sent their documents via email. Pay stubs, credit reports, ID copies, employer references, sometimes even bank statements. Everything as PDF attachments, all to a single email address: applications@grundstein-realestate.de.

From there, documents were moved into a shared folder on the company server — organized by property, not by applicant. Every employee had access to everything. No access restrictions, no encryption, no expiration dates. The oldest applications in the system dated back to 2019.

In September 2025, something happened that Brenner hadn't anticipated. A former employee — Marco Lehmann, terminated in April 2025 after a conflict with management — retained access to the shared folder after his departure. His VPN credentials had not been deactivated. Out of revenge, he posted a screenshot to a local Facebook community group showing the folder structure with hundreds of applicant names, accompanied by the comment: "Want to know how Grundstein Real Estate treats your data? Just ask."

The post went viral in Frankfurt's renter community. Within 48 hours, over 8,000 people had seen it.

What followed was an avalanche.

The Escalation

Days 1–3 (September 2025): The Facebook post triggered a wave of outrage. Dozens of former apartment applicants recognized their names in the folder structure. The first ones filed data subject access requests under Art. 15 GDPR. Within three days, 87 access requests arrived at Grundstein Real Estate.

Weeks 1–2: Brenner was overwhelmed. The email inbox was flooded with inquiries. The team had no processes for handling data subject requests. Brenner instructed his staff to ignore the requests for the time being — a fatal decision, as Art. 12 GDPR sets a one-month deadline for responses.

Week 3: The first applicants whose requests went unanswered contacted the Hessian Data Protection Authority. Complaints arrived in waves — first 20, then 50, then 100. By the end, there were 340 individual complaints.

Month 2: The data protection authority ordered an on-site inspection. Two auditors visited the offices. What they found:

  • 46,000 application documents from rental applicants, some dating back six years
  • No legal basis for storage after the conclusion of the rental process
  • No deletion schedule — not a single file had ever been deleted
  • No access controls — all 12 employees had full access to all applications
  • No consent for storage beyond the original purpose
  • Active VPN access for a terminated employee, five months after departure
  • No records of processing, no data protection policy, no staff training

Month 3: The authority imposed a fine of €310,000. Simultaneously, it ordered the deletion of all application documents for which no active processing purpose existed — effectively everything except current application proceedings.

Month 4: A Frankfurt law firm launched a coordinated compensation campaign on behalf of 180 affected individuals. Each claimant sought €500 to €2,000 under Art. 82 GDPR.

The Damage in Detail

Financial Breakdown

Cost Item                                               Amount
GDPR Fine                                               €310,000
Compensation (Settlement with 180 Claimants)            €135,000
External Legal Counsel and Defense                      €85,000
External Data Protection Consulting                     €45,000
Technical Implementation of Deletion Processes          €32,000
Processing 340 Complaints and 87 Access Requests        €28,000
New IT Infrastructure and Access Controls               €25,000
Reputation Damage (Lost Business)                       €20,000
Total Damage                                            €680,000

Reputation Damage

In Frankfurt's real estate industry, Grundstein became the cautionary tale. Landlords who listed properties through Grundstein received complaints from rental applicants who refused to submit documents through the agency. Three major property management companies terminated their contracts. On Google Reviews, the firm dropped from 4.2 to 1.8 stars.

Local press — Frankfurter Rundschau, Frankfurter Neue Presse — covered the story extensively. One detail generated particular outrage: one applicant's 2020 credit report, still on file, contained a negative entry that had since been cleared. The old credit report could — theoretically — have been used against them in a new application. The case became a symbol of the power imbalance between landlords and tenants.

Legal Consequences

The €310,000 fine was justified as follows:

  • Art. 5(1)(e) GDPR (Storage Limitation): 46,000 applications without retention schedules, some six years old. Primary violation: €150,000.
  • Art. 6 GDPR (Lawfulness of Processing): No legal basis for continued storage after the rental process concluded. €80,000.
  • Art. 12/15 GDPR (Data Subject Rights): 87 access requests were not answered within the required timeframe. €50,000.
  • Art. 32 GDPR (Security of Processing): Missing access controls, active VPN access for a former employee. €30,000.

Business Impact

Managing director Brenner was required to appoint a Data Protection Officer, create records of processing activities, and train all staff — everything he should have done from the start. The cost of these measures was modest. The cost of failing to take them: €680,000.

Three employees resigned because they no longer wanted to be associated with the firm's public image. Brenner seriously considered closing the company and restarting under a new name — a sign of how deep the reputational damage ran.

What Went Wrong

1. Email as the application channel: The central email address for applications was the root cause of all problems. Documents landed unstructured, unencrypted, and without metadata (expiration dates, purpose limitation) on the server. There was no automated processing, no categorization, no deadline management.

2. No offboarding process: The terminated employee's VPN access should have been deactivated on the day of termination. There was no checklist, no process, no accountability for IT offboarding.

3. "We've always done it this way": Brenner's fundamental attitude toward data protection was toxic. He viewed the GDPR as bureaucratic harassment, not as a protection measure for the people whose most intimate financial data his company processed. This attitude permeated the entire organization.

4. Missing document workflow: A professional document workflow would have prevented the problem from the start. Secure upload links with automatic expiration dates would have ensured that application documents did not remain indefinitely accessible after the rental process concluded. Individual links per applicant would have enabled clean assignment and deletion.

5. No access controls: The fact that every employee had access to all applications — including salary statements, credit data, and ID copies — fundamentally violated the need-to-know principle. The agent handling a property in one district had no need to access applications for an apartment in another.

Lessons Learned

Real estate agents process highly sensitive data. Rental applications contain a nearly complete financial biography: income, debts, creditworthiness, employer, identity documents. This data deserves the same protection as health or financial data.

Upload links instead of email. With secure upload links, agents can create an individual link for each property or each applicant — with password protection, expiration dates, and file size limits. Applicants upload their documents directly, bypassing insecure email. After the rental process concludes, the link can be deactivated and the data deleted on schedule.

Retention schedules are not optional. Application documents that no longer serve an active purpose must be deleted. The rule of thumb: six months after the rental decision, unless a statutory retention obligation exists.

Offboarding is data protection. Every departing employee must be disconnected from all systems on their last day. This is not an IT task — it is a data protection obligation.


Professionalize your application process. Try SendMeSafe free for 14 days — secure upload links for rental applications, with expiration dates and audit trails. No credit card required.


Frequently Asked Questions

How long may rental application documents be stored?

After the rental process concludes, the legal basis for storage expires. Data protection authorities recommend a maximum retention period of six months after the apartment has been allocated — to allow for potential discrimination claims. After that, all documents must be deleted unless the applicant has expressly consented to longer storage. In the Grundstein Real Estate case, applications sat undeleted on the server for six years — a clear violation of Art. 5(1)(e) GDPR.

May real estate agents request credit reports and ID copies?

Credit reports may be requested if they are necessary for the rental decision — though only a current self-disclosure report, not the detailed B2B credit report. ID copies are controversial: data protection authorities recommend collecting only the data necessary for identity verification and redacting certain information (e.g., document number, serial number). In any case, copies must be deleted after the process concludes.

What happens if I receive a GDPR complaint as an agent?

You will first receive a hearing notice from the relevant data protection authority with an opportunity to respond. Take this seriously and respond within the deadline — preferably with legal counsel. Cooperative behavior has a mitigating effect on fines. Simultaneously, you should immediately remedy the complained-about condition to demonstrate that you are taking the issue seriously. A single complaint rarely leads to a large fine — but 340 complaints, as in the Grundstein case, is a signal no authority ignores.

How can I make my application process GDPR-compliant as an agent?

Three measures will get you started: First, replace email applications with secure upload links — per property or per applicant, with automatic expiration dates. Second, define a retention period (e.g., three months after the lease is signed) and implement it technically. Third, restrict access to application documents to only those employees who are actually working with the relevant property.


Don't Let This Happen to You

Protect your data with secure upload and share links.
