With the proliferation of new technologies and the digitalization of the real estate sector, data protection claims its place in residential and commercial real estate projects, services and transactions.
Smart meters in residential properties, remote controlled heating or access to your doorbell camera could raise questions about data protection. Collecting the vaccination status of your visitors means that you are processing special categories of personal data subject to a stricter legal regime.
The Information Commissioner’s Office (ICO) is particularly vigilant about the use of CCTV and, more recently, facial recognition and biometric verification technologies in real estate.
When does data protection apply?
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 impose certain obligations on “controllers” and, to a lesser extent, on “processors”. Controllers are responsible for compliance with data protection principles, while processors follow the instructions of the controller.
“Personal Data” means any information relating to or affecting an individual. For example, technical data on energy consumption could reveal an occupant’s location or be used to infer information about their daily routine and habits.
Landlords and lessees will likely be controllers if they collect personal data in connection with their property. For example, a business owner may operate a CCTV system on their premises. All image data collected by the system will be personal.
On the other hand, a property management company may interact with tenants as a processor on behalf of the landlord, such as collecting an acceptance form for a proposed maintenance project. In this case, the names, addresses, signatures and other personal data will be transmitted by the processor to the owner, who is the data controller.
Controllers will be responsible for their processors. If sensitive occupant data is leaked to a malicious third party due to a processor's negligence, data becomes unavailable due to system failure, or excessive location data is collected, this could result in liability of the property owner or manager. For this reason, service providers should be chosen with care, subject to appropriate assessments and data processing agreements.
Key steps towards GDPR compliance
GDPR compliance requires key steps and an initial investment in policies, procedures, and training.
· Perform data mapping and understand your personal data.
· For each activity, establish why you are processing personal data and on what legal basis.
· Update your privacy notices and make them easily accessible to everyone.
· Implement appropriate data protection policies and procedures and ensure staff training.
· Appoint qualified personnel to deal with your data protection compliance.
· Check the reliability of your third parties and conclude the appropriate agreements.
· Review your data sharing agreements and evaluate each law enforcement access request on a case-by-case basis.
· Ensure that personal data transferred outside the UK is properly protected and that the transfer is legal.
· Keep a record of your assessments, such as Legitimate Interest Assessments, Transfer Impact Assessments, Data Protection Impact Assessments, Data Breach Log, Information Security Assessments, etc.
· Implement state-of-the-art information security measures to protect personal data, including regular monitoring, logging and testing.
· Consider data protection implications from the outset of projects.
· Implement a responsive complaints handling and data protection process.
· Register as a fee payer with the ICO.
· Monitor the effectiveness of your compliance framework.
Real estate transactions require careful assessment and allocation of data protection responsibilities between parties to help deal with unexpected situations, such as a data breach or a high volume of data access or objection requests from tenants.