Data Privacy in the Real Estate Sector.

 The EU GDPR: real estate companies should conduct a risk analysis of all processes relevant to data protection.

Datenschutz in der Immobilienwirtschaft, Insight von Albrecht von Wilucki und Sebastian Wypior, Rechtsanwälte der Kanzlei Buse Heberer Fromm

The EU General Data Protection Regulation is directly applicable everywhere in the EU as of 5/25/2018. All relevant data protection processes up to this point should correspond to the stipulations set forth in the GDPR. So much to do, so little time. Companies in the real estate sector are now also in the process of preparing risk assessments for digital building (BIM).

As managing director or board member in the real estate industry, one has to ask what needs to be done now in order to be prepared for the GDPR? The answer sounds simple: All relevant data protection processes in the company should be subject to a risk assessment. This refers to all ongoing and also completed processes with reference to personal data. These include, for example, employee or customer data. Specifically, it covers information such as names, dates of birth, addresses and bank details of individual persons. However, also includes ‘newly’ acquired personal data, such as the data obtained from the “IoT” (Internet of Things).

Personal data may be collected by the operator or administrator of a property, for example, with a central administration server made up of tenants or owners who turn their heating or lighting on and off, for example using an app from a smartphone or remote control. Their energy consumption can be regularly evaluated using smart meters. The data flow is then transmitted from the smartphone or another device via the management server to the router of the tenant or owner. This, in turn, actuates the thermostat for the heating or lighting.

Profiles can be created regarding the heating behavior or nightly returns of tenants or owners from the personal data stored on the management server. Is that permitted?

Lawfulness of Processing

An instance of data processing falls under data protection laws if there is a personal reference to the processed data. This applies to information that refers to an identified or identifiable natural person. Information regarding legal entities (companies) is excluded from processing which relates to data protection. Permission is required for instances that fall under data protection processes: The right to process results can occur based on permission or consent from the person concerned. In companies, the legal basis for the processing employee data can also be based on an employment agreement.

Consent for Profiling and Scoring

Only those who have received complete and understandable information in advance can effectively consent to processing. This has already been clearly established in the data protection principle requiring transparency. Data processing is only legal if the data subject has given consent to the processing of his/her personal data for one or more specific purposes. It follows that s/he must know the purpose or purposes before submission of consent. This stipulation applies to something known as profiling, i.e. any kind of automated processing of personal data that is used to evaluate personal aspects of natural persons. This concerns aspects of the behavior, place of residence or change of location of the natural person. Analyzing this type of data and using it to generate forecasts is called profiling. Anyone wishing to take advantage of the opportunity to link thermostats, lighting systems and other household appliances with the Internet needs to provide a declaration of consent along with comprehensive and comprehensible information. The same applies if landlords or managers undertake to install “intelligent” smart meters in the framework of “green leases” in order to increase the environmental friendliness and sustainable use and management of an object.

Further regulations of the GDPR must be observed. As soon as the responsible party implements procedures that carry out an automated decision (“scoring”), including profiling, he must inform the parties involved. This, of course, also relates to the particular scope and the intended effects of such procedures.

After carrying out a risk analysis regarding the legality of all processing procedures, the consent forms and the information sheets given to the involved parties must be adapted to meet the requirements of the GDPR. While the affected parties’ rights (access, rectification, erasure) do not change significantly with the GDPR, the responsible persons must now fulfill the documentation requirements with regard to the rights concerned.

Privacy by Design and Privacy by Default

Data protection principles must already be taken into account during the planning of manufacturing processes and the programming of software. The GDPR requires the person responsible to make technical and organizational arrangements for the protection of personal data.
The systems used for this (hardware and software) must fulfill these specifications by default and system properties (design).

Data Processing by Third PartiesData processing is frequently carried out by third parties, for example in the context of outsourced IT processes or call center services. It is already enough if a third party has read access to personal data. The transmission of data to third parties is not required. According to the current legal situation, data processing by third parties is only permitted if a data processing agreement is concluded in addition to the actual service contract. That does not change even with the entry into force of the GDPR. Part of the risk analysis is to examine whether the existing contract for data processing contracts (if available) meets the requirements of the GDPR. In most agreements of this type, this will no longer be the case without amendments after 05/25/2018.

If the third party who processes personal data on behalf of the company is located outside the EU/EEA, it is necessary to examined whether transferring the data to the third country is permissible.

Data Processing Within the Company

Companies in the real estate sector are often organized as a group. This company structure is defined in the GDPR as a company group, consisting of a controlling company and the companies dependent on it. Unfortunately, the GDPR does not provide any special privileges for this type of company structure. The respective companies are treated among one another as third parties. Reasonable justification is therefore required for any transfer of personal data within the corporate group and further processing by individual companies within the group. Otherwise, data processing is prohibited. Even if the old and new legal situation is the same, the risk analysis should also cover the review of the group’s data flow.

It is mandatory to check whether there are several persons responsible for processing the personal data. For instance, two companies in one company group could take over the responsibility of processing employee data for the other companies in the group. These jointly responsible companies are then obliged to establish a transparent agreement, specifying which of them fulfills which obligation in accordance with the GDPR. In addition, the agreement must reflect the actual functions and relationships of the mutually responsible parties in relation to the affected parties (in the example, workers). The essential points of this agreement have to made available to those affected.

Data Protection Impact Assessment

If particularly sensitive data is processed, or if the risk is particularly high for those affected by the use of new technologies, the responsible person must carry out a data protection impact assessment. If risks can’t be adequately ruled out, the person responsible must seek advice from the responsible data protection authority. In the real estate sector, this is necessary in the monitoring of publicly accessible areas such as lobbies or shopping centers, for example. This is also necessary when profiling is performed.

Documentation Requirements

The GDPR imposes extensive documentation requirements on the responsible parties. Those responsible must document that they respect all basic data protection principles. In addition, the responsible persons must keep a list of all processing activities. This includes, among other things, the categories of data collected, the purpose of the processing, the deletion periods and the technical and organizational information used to protect the data. The documentation requirements are intended to enable the responsible party to be in a position, at any time, to guarantee that the data subjects’ rights of access, rectification, erasure and restriction of processing are upheld.

Recommended Action

The GDPR requires more than just a one-time amendment of contracts to meet the new legal situation and the implementation of minor measures to improve data protection. The introduction of the GDPR is intended to ensure that every instance for processing personal data in the company is in accordance with data protection – from the beginning to the end of each instance. Anyone who underestimates this must expect to pay very high fines.

Companies that have not yet dealt with the GDPR should first carry out a risk analysis. This allows companies to determine which personal data has been processed according to which legal basis, and for what purpose. Companies can then decide which measures make sense for their own company in order to ensure that the processing processes are in compliance with data protection policies.