The EU General Data Protection Regulation (GDPR) which was enforced on 25 May last year cannot have eluded anyone. It introduces a number of new obligations and requirements on companies who process personal data including property owners or property managers. Let’s take a quick look at how property owners and property managers will be affected with respect to personal data relating to tenants.
The basics
GDPR is applicable on processing of personal data relating to so called data subjects. The data subjects are natural persons or sole traders whose personal data is processed, e.g. employees, consultants, tenants, suppliers and partners. GDPR is generally not applicable to the processing of data strictly related to companies or organisations. Personal data, on the other hand could be any kind of information that may be linked to a specific data subject, such as name, apartment number, contact information, medical conditions, information on a person’s behavior and payroll information.
Make an inventory of personal data
A key element in getting your company ready for GDPR compliance is to conduct an inventory of all personal data that you hold. Once completed, this may be used in the process of reviewing and adapting your processing procedures to GDPR. The inventory can also serve as a basis for the mandatory register of processing activities that companies must keep. Basically, the inventory may be carried out by answering some fundamental questions about the data processing:
- Who do we collect personal data about?
- What types of personal data do we process?
- Why do we process this personal data and what do we actually do with it?
- How do we collect the personal data?
- How and where do we store the data?
- How do we protect the data in its storage (passwords, encrypting etc.)?
- How long do we store the data for?
- Is the personal data shared with, or transferred to, anyone outside of the organisation?
Determine what personal data is necessary and lawful to process before entering into a lease agreement. For example, it is generally considered lawful to use personal data for administering applications to lease a residential unit or commercial premises, for assessing an applicant’s suitability (within reasonable limits), for statistics, and even for marketing activities to people in line for a lease. Personal data collected may be any kind of information, such as the applicant´s name, current address, contact information, economic conditions, desired accommodation etc. It is also legitimate for a property owner to handle information on credits, references and employer certificates when administering offers. When collecting personal data, the data subjects must be informed of the processing activities carried out by the property owner and/or property manager. Information must be provided regardless of how personal data is collected. The GDPR sets out strict rules on what information that should be provided.
During the lease
During the lease, a landlord is allowed to handle such personal data that is necessary in order to maintain the obligations under the lease agreement with the data subject whose personal data is processed, e.g. data required for proving claims. This covers regular information about e.g. apartment number and billing information. It may also be permitted to process personal data regarding disturbances or unauthorised subleases as such information fulfils a legitimate purpose of the property owner and possibly also other tenants.
After the lease
As a rule, personal data should be deleted when the lease has terminated unless keeping the personal data is necessary in order to fulfil any other purpose than fulfilment of the obligations under the lease agreement. For example, information required for monitoring claims relating to the lease may be saved after the termination of the lease as there are legal requirements to keep accounting material for a period of 7 years.