What digital data rules are in place for asset and property management contracts?

The planning, management and monitoring of a real estate portfolio, and operative property management in particular, involves the processing of a large amount of personal digital data, and this is increasing considerably thanks to the trend towards IT-supported handling of recurring business processes. Personal information is collected from potential tenants, names and addresses of tenants are saved, their bank account information is used to process payments, utility costs are recorded for each rental share and passed on, data on defects is collected, and lists of commissioned craftsmen are kept.

For this reason, real estate or property management offices must pay special attention to the specifications of the EU GDPR in order to ensure that their processing of digital data is legally compliant. This begins with the creation of a procedure index in which all processes involving the processing of personal data are to be recorded in an overview, usually as a table. This index is meant to give the responsible managers an overview and grant them the ability to arrange and conduct these procedures in compliance with data protection laws.

The EU GDPR fundamentally holds that the processing of personal data requires the (previous) consent of the affected person, except for in heavily regulated cases in which it is unnecessary. It is often overlooked that the pertinent digital data does not only comprise the data of a tenant that is actively entered in a database and stored there for further processing. Such data is also created when a potential tenant or a craftsman contacts the management office through an e-mail – with the name and e-mail address of the sender – that is saved in the e-mail system and kept over time, even if simply to inform the potential tenant of upcoming or existing properties.

Another important principle of European data protection regulations is data minimisation. Accordingly, it is prohibited to digitally collect as much data as possible about a tenant in order to establish a comprehensive picture of their person and background, even in cases in which the data could become relevant in the future for some uncertain reason. Only the collection of data that currently needs to be processed is allowed.

In accordance with this principle, management must delete personal data without delay as soon as the purpose of data storage is no longer valid. For example, this applies to the name and contact data of potential tenants for an apartment once this apartment has been given to a different applicant and a lease has been signed. Likewise, all digital data on a former tenant must be deleted within certain lengths of time after the rental relationship has ended. In the case of the Berlin data protection authority mentioned at the beginning, salary slips, personal information forms, excerpts from work and training contracts, tax information, social and health insurance data and bank account statements were all archived even years later although it was not necessary for them to be retained at all (though an aggravating factor was that the company had ignored a previous recommendation from the data protection authority).

It is thus crucial to create a deletion concept for all incoming digital data.

If apps are also used that are managed by IT companies on the back end, corresponding order data processing agreements regarding the processed personal data must be concluded that ensure that the property management entity remains the responsible party in charge of the data.

Tenants, potential tenants and craftsmen must furthermore consistently be informed of all processing of their digital data as well as of their existing rights in this context, be it information on the type and use of the data or on the right to demand deletion of the saved data at any time.

With regard to technology and organisation, the law requires of data processors, in this case the property and asset management entity, that the IT system they use is itself sufficiently secured, be it against external attacks from third parties or against unintentional deletion or impairment of the data such as through fire or water. These technical-organisational measures must also be documented in writing and be presented to the responsible data protection authority upon request.

In summary, data protection regulations bring extensive obligations for the responsible parties in portfolio and property management requiring significant personnel, time and financial resources.

There is ultimately no alternative, however, since clients can legally expect their implementation and, for their part, are only secured in terms of data protection law if the management firm they hire complies with the relevant guidelines.