Introduction
Since the General Data Protection Regulation (GDPR, German: DSGVO) came into effect in May 2018, numerous court rulings and statements from supervisory authorities have given the legislative text practical substance. For property managers providing HOA management and rental management who work with sensitive owner and tenant data on a daily basis, this results in concrete requirements. This article provides an overview of the most important aspects.
Data Collection in the Letting Process
Permissible Self-Disclosures
The Conference of Independent Data Protection Supervisory Authorities (DSK) has updated its guidance on obtaining self-disclosures from prospective tenants. The requirements are strictly enforced by supervisory authorities.
The basic principle applies: only data that is necessary for the decision on concluding the contract may be collected. The necessity criterion is to be interpreted narrowly.
Timing of Data Collection
Not all data may be requested at the point of first contact. A differentiated approach is required:
Permissible at initial contact:
Permissible only upon serious interest:
Permissible only after contract conclusion:
Retention of Applicant Data
Documents from rejected applicants must generally be deleted once it is certain that no tenancy will be established. A retention period of up to six months may be justified for defense against potential discrimination claims.
Data Protection Officer
Appointment Obligation
Since 2019, a Data Protection Officer must be appointed if at least 20 persons are regularly engaged in the automated processing of personal data. The previous threshold of 10 persons was raised.
Regardless of the number of persons, the appointment obligation applies if the core activity consists of extensive processing of special categories of data.
Responsibilities
The Data Protection Officer monitors GDPR compliance, advises the data controllers, and serves as a point of contact for data subjects and supervisory authorities. The officer may be appointed internally or externally.
Record of Processing Activities
Every property management company is required to maintain a record of all processing activities. This must include, among other things:
The record must be made available to the supervisory authority upon request.
Information Obligations
Data subjects (owners, tenants, prospective tenants) must be informed about the processing of their data. The information must be precise, transparent, and comprehensible. It includes, among other things:
The information is typically provided through privacy notices that are handed over or made accessible at the time of data collection.
Data Processing Agreements
Where personal data is processed by service providers, such as IT service providers or external billing companies, a data processing agreement is required. This governs in particular:
Current Developments: AI in Property Management
The increasing use of AI applications raises new data protection questions. When using AI tools for text processing, translation, or analysis, the following must be examined:
Conclusion
The GDPR imposes diverse requirements on property managers. Careful implementation is not only legally mandated but also builds trust with owners and tenants. Regular review and adaptation of processes are essential given the ongoing legal developments.
---
*This article is for general information purposes and does not constitute individual legal advice.*
