Hamilton Perspectives

GDPR for property owners and property managers

The EU General Data Protection Regulation (GDPR) which was en­forced on 25 May last year can­not have elud­ed any­one. It in­tro­duces a num­ber of new oblig­a­tions and re­quire­ments on com­pa­nies who process per­son­al da­ta in­clud­ing prop­er­ty own­ers or prop­er­ty man­agers. Let’s take a quick look at how prop­er­ty own­ers and prop­er­ty man­agers will be af­fect­ed with re­spect to per­son­al da­ta re­lat­ing to ten­ants.

The ba­sics

GDPR is ap­plic­a­ble on pro­cess­ing of per­son­al da­ta re­lat­ing to so called da­ta sub­jects. The da­ta sub­jects are nat­ur­al per­sons or sole traders whose per­son­al da­ta is processed, e.g. em­ploy­ees, con­sul­tants, ten­ants, sup­pli­ers and part­ners. GDPR is gen­er­al­ly not ap­plic­a­ble to the pro­cess­ing of da­ta strict­ly re­lat­ed to com­pa­nies or or­gan­i­sa­tions. Personal da­ta, on the oth­er hand could be any kind of in­for­ma­tion that may be linked to a spe­cif­ic da­ta sub­ject, such as name, apart­ment num­ber, con­tact in­for­ma­tion, med­ical con­di­tions, in­for­ma­tion on a per­son’s be­hav­ior and pay­roll in­for­ma­tion.

Make an in­ven­to­ry of per­son­al da­ta

A key el­e­ment in get­ting your com­pa­ny ready for GDPR com­pli­ance is to con­duct an in­ven­to­ry of all per­son­al da­ta that you hold. Once com­plet­ed, this may be used in the process of re­view­ing and adapt­ing your pro­cess­ing pro­ce­dures to GDPR. The in­ven­to­ry can al­so serve as a ba­sis for the manda­to­ry reg­is­ter of pro­cess­ing ac­tiv­i­ties that com­pa­nies must keep. Basically, the in­ven­to­ry may be car­ried out by an­swer­ing some fun­da­men­tal ques­tions about the da­ta pro­cess­ing:

  • Who do we col­lect per­son­al da­ta about?
  • What types of per­son­al da­ta do we process?
  • Why do we process this per­son­al da­ta and what do we ac­tu­al­ly do with it?
  • How do we col­lect the per­son­al da­ta?
  • How and where do we store the da­ta?
  • How do we pro­tect the da­ta in its stor­age (pass­words, en­crypt­ing etc.)?
  • How long do we store the da­ta for?
  • Is the per­son­al da­ta shared with, or trans­ferred to, any­one out­side of the or­gan­i­sa­tion?

Determine what per­son­al da­ta is nec­es­sary and law­ful to process be­fore en­ter­ing in­to a lease agree­ment. For ex­am­ple, it is gen­er­al­ly con­sid­ered law­ful to use per­son­al da­ta for ad­min­is­ter­ing ap­pli­ca­tions to lease a res­i­den­tial unit or com­mer­cial premis­es, for as­sess­ing an ap­pli­cant’s suit­abil­i­ty (with­in rea­son­able lim­its), for sta­tis­tics, and even for mar­ket­ing ac­tiv­i­ties to peo­ple in line for a lease. Personal da­ta col­lect­ed may be any kind of in­for­ma­tion, such as the ap­pli­cant´s name, cur­rent ad­dress, con­tact in­for­ma­tion, eco­nom­ic con­di­tions, de­sired ac­com­mo­da­tion etc. It is al­so le­git­i­mate for a prop­er­ty own­er to han­dle in­for­ma­tion on cred­its, ref­er­ences and em­ploy­er cer­tifi­cates when ad­min­is­ter­ing of­fers. When col­lect­ing per­son­al da­ta, the da­ta sub­jects must be in­formed of the pro­cess­ing ac­tiv­i­ties car­ried out by the prop­er­ty own­er and/or prop­er­ty man­ag­er. Information must be pro­vid­ed re­gard­less of how per­son­al da­ta is col­lect­ed. The GDPR sets out strict rules on what in­for­ma­tion that should be pro­vid­ed.

During the lease

During the lease, a land­lord is al­lowed to han­dle such per­son­al da­ta that is nec­es­sary in or­der to main­tain the oblig­a­tions un­der the lease agree­ment with the da­ta sub­ject whose per­son­al da­ta is processed, e.g. da­ta re­quired for prov­ing claims. This cov­ers reg­u­lar in­for­ma­tion about e.g. apart­ment num­ber and billing in­for­ma­tion. It may al­so be per­mit­ted to process per­son­al da­ta re­gard­ing dis­tur­bances or unau­tho­rised sub­leas­es as such in­for­ma­tion ful­fils a le­git­i­mate pur­pose of the prop­er­ty own­er and pos­si­bly al­so oth­er ten­ants.

After the lease

As a rule, per­son­al da­ta should be delet­ed when the lease has ter­mi­nat­ed un­less keep­ing the per­son­al da­ta is nec­es­sary in or­der to ful­fil any oth­er pur­pose than ful­fil­ment of the oblig­a­tions un­der the lease agree­ment. For ex­am­ple, in­for­ma­tion re­quired for mon­i­tor­ing claims re­lat­ing to the lease may be saved af­ter the ter­mi­na­tion of the lease as there are le­gal re­quire­ments to keep ac­count­ing ma­te­r­i­al for a pe­ri­od of 7 years.