Hamilton Perspectives Nyhetsbrev

GDPR for property owners and property managers

The EU General Data Protection Regulation (GDPR) which was en­for­ced on 25 May last ye­ar can­not ha­ve elu­ded anyo­ne. It in­tro­du­ces a num­ber of new ob­li­ga­tions and requi­re­ments on com­pa­ni­es who pro­cess per­so­nal da­ta in­clu­ding pro­per­ty ow­ners or pro­per­ty ma­na­gers. Let’s ta­ke a quick look at how pro­per­ty ow­ners and pro­per­ty ma­na­gers will be af­fec­ted with re­spect to per­so­nal da­ta re­la­ting to te­nants.

The ba­sics

GDPR is ap­pli­cab­le on pro­ces­sing of per­so­nal da­ta re­la­ting to so cal­led da­ta sub­jects. The da­ta sub­jects are na­tu­ral per­sons or so­le tra­ders who­se per­so­nal da­ta is pro­ces­sed, e.g. employe­es, con­sul­tants, te­nants, sup­pli­ers and part­ners. GDPR is ge­ne­ral­ly not ap­pli­cab­le to the pro­ces­sing of da­ta strict­ly re­la­ted to com­pa­ni­es or or­ga­ni­sa­tions. Personal da­ta, on the ot­her hand could be any kind of in­for­ma­tion that may be linked to a spe­ci­fic da­ta sub­ject, such as na­me, apart­ment num­ber, con­tact in­for­ma­tion, me­di­cal con­di­tions, in­for­ma­tion on a per­son’s be­ha­vi­or and pay­roll in­for­ma­tion.

Make an in­ven­to­ry of per­so­nal da­ta

A key ele­ment in get­ting your com­pa­ny re­a­dy for GDPR com­pli­an­ce is to con­duct an in­ven­to­ry of all per­so­nal da­ta that you hold. Once com­ple­ted, this may be used in the pro­cess of re­vi­ewing and ad­ap­ting your pro­ces­sing pro­ce­du­res to GDPR. The in­ven­to­ry can al­so ser­ve as a ba­sis for the man­da­to­ry re­gis­ter of pro­ces­sing ac­ti­vi­ti­es that com­pa­ni­es must keep. Basically, the in­ven­to­ry may be car­ri­ed out by an­swering so­me fun­da­men­tal ques­tions about the da­ta pro­ces­sing:

  • Who do we col­lect per­so­nal da­ta about?
  • What ty­pes of per­so­nal da­ta do we pro­cess?
  • Why do we pro­cess this per­so­nal da­ta and what do we ac­tu­al­ly do with it?
  • How do we col­lect the per­so­nal da­ta?
  • How and whe­re do we sto­re the da­ta?
  • How do we pro­tect the da­ta in its sto­rage (pas­swords, encryp­ting etc.)?
  • How long do we sto­re the da­ta for?
  • Is the per­so­nal da­ta sha­red with, or trans­fer­red to, anyo­ne out­si­de of the or­ga­ni­sa­tion?

Determine what per­so­nal da­ta is ne­ces­sa­ry and law­ful to pro­cess be­fo­re en­te­ring in­to a le­a­se agre­e­ment. For ex­amp­le, it is ge­ne­ral­ly con­si­de­red law­ful to use per­so­nal da­ta for ad­mi­ni­s­te­ring ap­pli­ca­tions to le­a­se a re­si­den­ti­al unit or com­mer­ci­al pre­mi­ses, for as­ses­sing an ap­pli­cant’s su­i­ta­bi­li­ty (wit­hin re­a­so­nab­le li­mits), for sta­tistics, and even for mar­ke­ting ac­ti­vi­ti­es to pe­op­le in li­ne for a le­a­se. Personal da­ta col­lec­ted may be any kind of in­for­ma­tion, such as the ap­pli­cant´s na­me, cur­rent ad­d­ress, con­tact in­for­ma­tion, eco­no­mic con­di­tions, desi­red ac­com­mo­da­tion etc. It is al­so le­gi­ti­ma­te for a pro­per­ty ow­ner to hand­le in­for­ma­tion on cre­dits, re­fe­rences and employer cer­ti­fi­ca­tes when ad­mi­ni­s­te­ring of­fers. When col­lecting per­so­nal da­ta, the da­ta sub­jects must be in­for­med of the pro­ces­sing ac­ti­vi­ti­es car­ri­ed out by the pro­per­ty ow­ner and/or pro­per­ty ma­na­ger. Information must be pro­vi­ded re­gard­less of how per­so­nal da­ta is col­lec­ted. The GDPR sets out strict ru­les on what in­for­ma­tion that should be pro­vi­ded.

During the le­a­se

During the le­a­se, a land­lord is al­lo­wed to hand­le such per­so­nal da­ta that is ne­ces­sa­ry in or­der to main­tain the ob­li­ga­tions un­der the le­a­se agre­e­ment with the da­ta sub­ject who­se per­so­nal da­ta is pro­ces­sed, e.g. da­ta requi­red for pro­ving claims. This co­vers re­gu­lar in­for­ma­tion about e.g. apart­ment num­ber and bil­ling in­for­ma­tion. It may al­so be per­mitted to pro­cess per­so­nal da­ta re­gar­ding distur­ban­ces or unaut­ho­ri­sed suble­a­ses as such in­for­ma­tion ful­fils a le­gi­ti­ma­te pur­po­se of the pro­per­ty ow­ner and pos­sib­ly al­so ot­her te­nants.

After the le­a­se

As a ru­le, per­so­nal da­ta should be de­le­ted when the le­a­se has ter­mi­na­ted un­less kee­ping the per­so­nal da­ta is ne­ces­sa­ry in or­der to ful­fil any ot­her pur­po­se than ful­fil­ment of the ob­li­ga­tions un­der the le­a­se agre­e­ment. For ex­amp­le, in­for­ma­tion requi­red for mo­ni­to­ring claims re­la­ting to the le­a­se may be sa­ved af­ter the ter­mi­na­tion of the le­a­se as the­re are le­gal requi­re­ments to keep ac­counting ma­te­ri­al for a pe­ri­od of 7 ye­ars.