Property management

Purpose of this factsheet

The GDPR (General Data Protection Regulation) has applied since 25 May 2018. It updates and extends the scope of data protection law across the whole of the EU. There are many helpful guides to the general requirements, including those published by national regulators.

These factsheets have been developed by DLA Piper in collaboration with RICS to give professionals more insight into the specific ways in which GDPR will impact their business.

This factsheet addresses the particular issues facing the property management business. We have a range of other factsheets tailored to the business needs of other professionals.

Key features of GDPR

The main areas for firms and individual professionals to address can be summarised as follows:

  • Transparency
  • Accountability
  • Processes and controls
  • Enforcement and fines
  • Data subject rights
  • Ongoing nature of obligations

Transparency

You must be clear with your clients, marketing prospects, sub-contractors and employees about:

  • What data you're going to collect and use
  • Why you need this data - the purposes for which you need to process the data
  • How you're going to process the data and in which countries the data will be processed
  • Whether you need to transfer the data to third parties

You must have clear, up-to-date notices for all the relevant groups of people whose data you use. These notices must be easy to find and always available, and you must tell people where they are in an appropriate way (e.g. on your website, with your terms and conditions, at a sensible stage in any online purchasing process, and embedded in your HR recruitment processes).

Accountability

  • Demonstrate that you have a clear view of the data flows across your entire business.
  • Identify the lawful basis for processing data in each case. For example:
  1. to fulfil contractual obligations
  2. to satisfy a legal requirement
  3. legitimate interests
  4. consent
  • If you are relying on consent, demonstrate it was freely given and is capable of being withdrawn.
  • Individual RICS professionals within firms will be able to rely on the firm's processes and governance, provided they have reasonably satisfied themselves that processing is being conducted in a diligent and compliant way.

Processes and controls 

  • Governance framework: you need to manage your compliance. This will include setting policies, running training and potentially appointing a Data Protection Officer (DPO). Appointment is mandatory where your core activities involve regular and systematic monitoring of individuals on a large scale (which extensive CCTV or access-control operations may amount to), and for public authorities. Otherwise, if a significant proportion of your work is for local government or other authorities, you should consider voluntarily appointing a DPO.
  • Privacy by design: you should incorporate a stage into your decision-making process to assess whether there will be any significant personal data aspects to new projects, systems or processes and, if so, evaluate what that impact will be. Where the processing is likely to result in a high risk to individuals, this evaluation must take the form of a data protection impact assessment (DPIA) carried out before the processing starts.

Enforcement and fines

  • Regulators have a mandate to enforce compliance with the GDPR and wider enforcement powers than before. For example, for the most serious breaches a regulator may impose a fine of up to the greater of €20 million or 4% of annual worldwide turnover.

Data subject rights

  • You need to have processes in place to correct or update data on request.
  • Individuals may request a copy of the data you hold on them at any time. You must respond without undue delay and in any event within one month of receiving the request (extendable by a further two months where requests are complex or numerous). You should ensure you have systems in place which can verify the requester's identity, identify and retrieve the relevant data, and securely deliver the response.

Ongoing nature of obligations

  • Compliance with the GDPR is best achieved when it is adopted by the executives of your organisation and disseminated downwards. Depending on the focus of your business, your surveyors and marketing executives will all need training to enable them to take responsibility for data security and management and to adopt good practice in how they carry out their roles.

Case study A: Property management

Scenario:

  • Company C is responsible for all aspects of facilities management (FM) and property management for the offices of an international bank. As well as the usual building maintenance, repairs and cleaning, this includes CCTV and security, car parking, HSE (health, safety and environment) checks and incidents, and the provision of front of house staff.
  • The bank flows down its own security and data protection requirements into contracts with all of its suppliers.

Issues:

  • Company C provides the services using multiple third parties under contracts for which it acts as agent for the bank. It therefore has no direct contractual relationship with those service providers.
  • Data regarding visitors is likely to be stored for ease of admittance after the first visit.
  • Health and safety incident reports involve recording the name and any injuries of the individuals involved. This information is kept for six years in the event of litigation.

GDPR points to note:

  • This is an overview of some key considerations: it is not an exhaustive list of the steps to take in order to ensure GDPR compliance.
  • It is assumed in each case that there is a comprehensive governance structure in place, and, for example, considerations of data retention and minimisation are embedded in the policies, systems and processes adopted by the organisation.
  • Employee data issues also need to be considered and addressed in every case: this is a significant area for most businesses.
  • Review of data processing activities: Company C should think about in what capacity it is processing the data (whether as a data processor or a data controller). Where it is a data processor, Company C will want to ensure that it has a contract in place with the data controller (in this case, the bank) setting out its obligations. It will also need to keep a record of its processing activities. Other obligations remain the responsibility of the data controller, although Company C may be asked to support these activities (e.g. posting notices regarding the use of CCTV).
  • Under the GDPR, number plates, CCTV footage which shows individuals, photos on security passes or in a record of a visitor, and all the details of the staff employed by contractors to provide services will all be personal data. There is a question as to whether Company C is the data controller. This, broadly, is the organisation or person which determines why data is collected and how it is used. The criteria for admitting individuals are set by the bank (i.e. visitors must be validated by an on-site employee of the bank). The method of recording the name, company and ID photo of the visitor is determined by the off-the-shelf software used by the reception staff. On balance, it is likely that the bank is the data controller in these circumstances and Company C is a processor acting on its instructions.
  • Record of processing activities: Company C must create or update appropriate, compliant records of all the data processing activity identified in the first step.
  • Lawfulness of processing: in order to continue processing this data, Company C must identify the relevant legal ground in each case. For example, in relation to its clients, Company C is likely to have a legitimate interest, since it needs to keep information about contact points with its clients. In relation to the front of house staff, even if their contract is directly with the bank, Company C should review whether it has a 'legitimate interest' in processing their data.
  • Transparency: Company C should review and, where appropriate, update all documentation relating to its processing activities. This will include fair processing notices on its website and associated with its terms of business and contract terms with its own network of third party suppliers.  Company C will also need to review employment contracts and its suite of relevant privacy and security policies.
  • Retention periods: Company C has to establish that it has a legal basis for keeping the data for as long as it does. In respect of visitors, if it is Company C that has determined that photo and name information should be retained for ease of access, it will also have to ensure that this is clearly notified to visitors and, in any event, it would be good practice to have a 'long stop' date after which this data is deleted, even if it means refreshing the registration (e.g. every 6 or 12 months). Regarding health and safety incident reporting, if the six-year period corresponds to the limitation period (i.e. the length of time after an incident within which someone can bring a claim), then the lawful ground would be that retention is required to comply with a legal requirement.
  • The bank is required to include provisions in its contract with company C to deal with data processing activities. As an organisation regulated by the relevant financial services authority, the bank is likely to include security requirements which are more stringent than average but still commensurate with the state of the art in the industry. As such, company C will need to understand how the costs of compliance are defrayed and/or, if the costs increase, how this is accommodated in its arrangements with the bank (e.g. if charging is on a cost-plus model).

Case study B: Property management

Scenario:

  • Company CA manages residential properties on behalf of its clients. Tenants enter into contracts directly with the landlord, and Company CA conducts surveys amongst tenants for the benefit of its clients.

Issues:

  • The company is conducting surveys for the benefit of the landlords: to provide them with data about use of the properties, e.g. in order to maximise occupancy and rental yields.

GDPR points to note:

  • This is an overview of some key considerations: it is not an exhaustive list of the steps to take in order to ensure GDPR compliance.
  • It is assumed in each case that there is a comprehensive governance structure in place, and, for example, considerations of data retention and minimisation are embedded in the policies, systems and processes adopted by the organisation.
  • Employee data issues also need to be considered and addressed in every case: this is a significant area for most businesses.
  • Review of data processing activities: Company CA should identify all the categories of personal data currently being processed for which it is the data controller and should also identify the purpose of the processing, and the systems and locations in which it is held. This will include databases of landlords and tenants, results of surveys and any personal data retained in relation to subcontractors whom company CA engages to carry out any of the property management activities.
  • Where the landlords are making decisions about the use and processing of tenants' data, they will be the data controller. It is their responsibility to ensure that they have oversight of how the data is being processed, the lawful grounds for doing so (e.g. entering into and managing the leases) and transparency in terms of communicating the purposes to the individuals by means of fair processing notices and appropriate rental documentation.
  • Record of processing activities: Company CA must create or update appropriate and compliant records of all the data processing activity identified in the first step.
  • Lawfulness of processing: in order to continue processing this data, Company CA must identify the relevant legal ground (see the lawful bases listed under Accountability above) in each case. For example, in relation to its landlords, this is likely to be justifiable as necessary for the performance of the contracts with those landlords. In relation to tenants, even though their tenancy agreement is directly with the landlord, Company CA should review whether it has a 'legitimate interest' in processing their data.
  • In relation to the surveys, if they are carried out by Company CA on its own initiative, then Company CA will be the data controller if any personal data is collected. If, however, the survey responses are genuinely anonymous (not merely pseudonymised, with a key held somewhere that would allow re-identification) and there is no reasonable way of tracing them back to the participants, then no personal data has been collected and the GDPR does not apply to the responses.
  • Transparency: Company CA should review and, where appropriate, update all documentation relating to its processing activities. This will include fair processing notices on its website and associated with its terms of business and contract terms with its own network of third party property management subcontractors. Company CA will also need to review employment contracts and its suite of relevant privacy and security policies.

DLA Piper