The EU General Data Protection Regulation (GDPR) will take effect on 25 May 2018. The changes will also affect housing companies and building managers, because housing companies process personal data as part of their daily operations. Personal data files can also emerge in surprising routine matters, such as the use of smart locks on doors or video surveillance.

Currently, the Personal Data Act regulates the processing of personal data. The new GDPR expands and defines in more detail the rights of individuals to their own personal data and the obligations of the controllers and processors. The purpose of the regulation is also to update data protection regulation to correspond with advancing technology.

“The General Data Protection Regulation gives better consideration to the requirements of digitalization. The goal is to increase the transparency of personal data processing and to strengthen the rights of the data subjects to monitor the processing of their personal data. So individuals will have stronger rights, and the controllers processing the personal data will have more obligations. In addition to liability for damages, infringement may also result in financial penalties,” says Associate Aleksi Lundén.

Housing companies have a lot to do

Since housing companies and building managers maintain lists of residents and share registers, among other things, under the GDPR they are controllers and processors of personal data. Housing companies and building managers are also responsible for ensuring that the processing of personal data is set up in accordance with the requirements. The new data protection regulation means updates to documents, procedures and internal instructions. Agreements with service providers, e.g. data system suppliers and IT support, must be brought up-to-date.

“Housing companies must identify what personal data they are processing in their operations, and they must ensure that the processing meets the requirements imposed by the GDPR and other legislation. Housing companies must provide the data subjects with certain information, like the contact information of the controller, why the data is collected, and who are the recipients of the personal data. The collection of unnecessary data must be avoided, and the data storage period must be carefully considered,” says Aleksi Lundén.

The collected data can be processed only for the predetermined purpose, and it cannot be given to a third party without legitimate reason.

“The processes must be in order, and housing companies and building managers should also be prepared for problem situations. For instance, if personal data are destroyed or subjected to a data breach, the authorities must be notified, when feasible, within 72 hours of becoming aware of it.”

Smart locks and video surveillance create a personal data file

Data protection issues can emerge also in surprising situations. Many housing companies have replaced traditional locks with digital smart locks that accumulate data about, e.g., an individual’s access rights and movement. Video surveillance systems have also become more common in housing companies.

“Electronic locking and monitoring systems collect data about people’s movements and thus form a personal data file under the scope of the GDPR. The housing company’s data protection records must indicate what data is collected by the systems and why, who is the controller of the data, and where the data will be disclosed,” says Aleksi Lundén.

The individual in the personal data file also has the right to request his/her data to be removed if any of the preconditions of the legislation are fulfilled, such as unlawful use of the personal data. The storage period or criteria for determining the storage period of the personal data must be agreed upon. The personal data must be removed in accordance with them. So the ability to erase data must be verified with system suppliers. In terms of video surveillance, it must be ensured that the surveillance is not an act of eavesdropping or visual oversight, as defined in criminal law.

“If smart locks or video surveillance are being considered, be sure to pay attention to the issues imposed by the GDPR.

Take action now

The board of a housing company is ultimately responsible for the decisions and the lawfulness of the activities – even though the building manager is often the one running the operations.

“Board members usually are not experts in legislation related to housing companies. Building managers, on the other hand, are professionals in the sector, and they must know the legislative framework in more detail. In fact, I encourage housing companies to address the GDPR-related changes with their building managers. And the time to act is now because May is just around the corner,” says Aleksi Lundén.

Lexia’s tips for housing companies and building managers

• Determine the current situation: what personal data is collected and why, who is processing the data, what is the data used for, and is all the collected data necessary
• Consider how long the data must be stored
• Ensure that the erasure of personal data is possible if necessary
• Review service providers and agreements: who is processing personal data, is the data disclosed to a third party, and what is included within the scope of agreements – take into consideration that the GDPR calls for certain issues to have been agreed upon in writing between the controller and the processor
• Update data protection records and internal instructions
• Act now! May is just around the corner
• Invest in comprehensive thinking: data protection applies to the activities of the entire housing company or building manager company
• Seek outside help if you feel your own know-how is insufficient

Further information:

Aleksi Lundén, Associate, tel. +358 40 512 5424, [email protected]