GDPR for Property Management Companies | Joshua Daniel O'Connor | Property Law Update 007


As a property management company, you are essentially guaranteed to be impacted by the GDPR - whether it be in the course of your liaising with independent contractors or during dealings with prospective buyer(s) and guarantor(s), this EU-issued regulation is going to impact your data handling practices.

GDPR

GDPR, being the common abbreviation used to refer to the General Data Protection Regulation, constitutes a tremendous modernisation of data protection law as the legislation attempts to keep up with technological developments that simply didn't exist at the time of the Data Protection Act 1998.

A property management company, for the purposes of the regulation, would be deemed a "data controller" of any information held in relation to previous, current and even prospective tenants/guarantors. As a data controller, the company is subject to a number of obligations, including the responsibility to register with the Information Commissioner and to regulate its "data processing" practices (or lack thereof, as the case may be).

The core principles of the GDPR, which set out the central responsibilities for organisations, are as follows:

Data should be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Right of Access

Data subjects (being the person to whom the data relates) retain the right to access the data held by you which relates to them. In issuing what is known as a Subject Access Request ("SAR"), a data subject can effectively obligate your firm to provide any/all of the personal data you hold pertaining to that individual.

To make the administrative headache worse, the GDPR also requires your response to SARs to be 100% free of charge unless the request is “manifestly unfounded or excessive”, in which case a “reasonable fee” can be charged - whereas such charges were previously permissible under the Data Protection Act 1998.

The Right to Rectification

In addition to the above, it is imperative that the retained data is accurate. Following receipt of a request for the amendment of any personal data, the rectification must be undertaken within one month of the request - which can be extended to two months in the event of complex matters.

However, it is worth noting that if the personal data in question has been disclosed to any third parties, the data subject should be informed of this.

The Right to Erasure

Whilst I continue to voice my dismay that the 'right to be forgotten' doesn't apply to everyday life, it does apply to data regulation...

As an unqualified right, data subjects have the discretion to request the deletion or destruction of their personal data - unless there is a sound reason for its continued processing.

There are a very limited number of reasons which sufficiently justify your refusal to erase personal data; the reasons typically relevant to management companies are:

  • To facilitate your compliance with a legal obligation for the performance of a public interest task or the exercise of official authority;
  • In circumstances involving the exercising of one's human right to freedom of expression/information; or
  • For the purpose of defence of legal claims.

In the event that any personal data affected by a request for erasure has been disclosed to a third party, such a party must be informed of the erasure - unless, of course, this would require disproportionate effort or is deemed impossible.

The Right to Restrict Processing

In the event a data subject exercises this right, you may continue to hold such data, but must not process it. In practice, this may in fact require holding sufficient information regarding the data subject so as to ensure that the restriction is respected, but no more.

The right to restrict processing is only applicable in the following scenarios:

  1. Whereby the processing of such data, despite being objected to, is necessary for the performance of a public interest task or based on legitimate interests and thus overrides the subject's interest;
  2. In the event that you suspect (or are expressly told) that the data held is inaccurate, the processing of that data should be restricted until its accuracy can be verified;
  3. Whereby you no longer require the data, but the data subject requires it to establish, exercise, or defend a legal claim; or
  4. In the event that processing the data is unlawful but the data subject requests restriction - rather than erasure.

In the event that any personal data affected by a request for erasure has been disclosed to a third party, such a party must be informed of the erasure - unless, of course, this would require disproportionate effort or is deemed impossible.

The Right to Object

Following the passing of the GDPR, data subjects have gained the discretion to object to specific uses of their personal data and must be informed of such a right clearly, explicitly, and separately from other information.

In the event the data processing is predicated on your interest, the data processing must cease, unless:

  1. You are able to illustrate legitimate grounds under which you should be permitted to continue (such grounds being significant enough to override the interests, rights, and freedoms of the data subject); or
  2. The processing is necessary for the establishment, exercise, or defence of legal claims.

The Right to Data Portability

To facilitate a data subject's use of personal data across a plethora of the services offered, the GDPR affords them the right to obtain a copy of their personal data from a respective controller (in a required format) and have it transferred - however, the right to portability is only applicable:

  1. To data that is provided directly by the data subject;
  2. Where the processing of such data is carried out by automated means; and
  3. Where such data is processed either with the data subject’s consent or for the performance of a contract.

You must respond to requests for data portability within one month - this can be extended by up to two months where the request is complex or if you receive a number of requests.

If you've made it this far, thank you very much for taking the time to indulge in this content. As always, if you have any questions or (much appreciated) feedback please feel free to reach out:

The view expressed herewith is exclusively my own. The contents of this article are not legal advice and should not be relied upon as such. Please note no attorney-client relationship shall be formed should any adverse consequence arise from reliance upon the information provided within this article.
