Real Estate companies subject to GDPR fines
By: Privacy Minders
On the General Data Protection Regulation's (GDPR's) second anniversary (25.05.2020), the European Commission made the following observation:
"The GDPR has changed the landscape in Europe and beyond. Nonetheless, compliance is a dynamic process and does not happen overnight. The national data protection authorities, as the competent authorities to enforce data protection rules, have often not yet reached their full capacities. We therefore call upon Member States to equip their data protection authorities with the adequate human, financial and technical resources to make effective use of their enforcement powers."
Similarly, the European Parliament has recently noted that the 17 Data Protection Authorities (DPAs), despite having seen their role increased considerably with investigative and sanctions powers, have insufficient and limited resources to effectively perform their tasks and almost none of the DPAs received the requested amount of budgetary increases in 2019.
Nevertheless, the DPAs are currently conducting major investigations into data protection violations and have so far exercised their extensive powers on numerous occasions by running investigations, dealing with complaints and issuing penalties against non-compliant organisations from various industries. The real estate industry has not escaped their attention.
In October 2019, the German Data Protection Authority imposed a €14.5 million fine on a real estate company for GDPR violations. The company was storing tenants' personal data without a lawful basis (art. 6 of the GDPR) and without assessing whether that data was necessary. Additionally, the company's systems did not allow obsolete data to be deleted. During the Authority's investigation, it was also found that the company was not implementing the GDPR principle of privacy by design (art. 5 and 25(1) of the GDPR).
The UK Information Commissioner's Office (ICO) fined a housing developer that failed to respond to a subject access request (SAR) within the prescribed 40-day period. A subject access request allows a person to request all the personal information an organisation holds about them. This request was submitted in April 2017, so the provisions of the Data Protection Act 1998 applied. Under the GDPR, organisations have to respond to data subject requests within 30 days.
In June 2019, the French Data Protection Authority CNIL received a complaint about a website operated by a real estate company. After investigation, CNIL found that documents submitted to the website by rental applicants were accessible to other users who slightly modified the URL displayed in the browser. The company had not taken appropriate technical measures to ensure that the users accessing the documents were the ones who had uploaded them, so it failed to fulfil its obligation to keep users' personal data secure (art. 32 of the GDPR). Moreover, the data was retained for longer than necessary for the purposes of the processing. According to CNIL, this data had to be deleted or, at least, archived to a separate database if the company needed it to comply with legal obligations or defend legal claims. Based on these findings, CNIL imposed a €400.000 fine on the company for the GDPR violations.
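The two CNIL findings above, a missing ownership check on document downloads and data kept beyond its retention period, are both controls that can be expressed in code. The following is an added illustration, not code from the page or from any company mentioned in it: a hypothetical document store for a rental-application site in which `get_document_insecure` reproduces the missing check (the lookup trusts whatever identifier the URL carries), `get_document` adds the ownership check, and `purge_expired` deletes documents past a constructed retention period, optionally moving them to a separate archive as CNIL described. All names, the 90-day retention period and the sample uploads are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class Document:
    doc_id: str
    owner: str          # account that uploaded the file
    filename: str
    uploaded_at: datetime
    content: bytes


class AccessDenied(Exception):
    """Raised when a requester asks for a document that is not theirs."""


class DocumentStore:
    """Hypothetical store for applicants' uploaded documents (constructed example)."""

    RETENTION = timedelta(days=90)  # illustrative retention period, not from the page

    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}
        self._archive: Dict[str, Document] = {}  # separate store for legal-claim retention

    def upload(self, owner: str, filename: str, content: bytes, now: datetime) -> str:
        # Unguessable identifier: a user cannot reach another upload by editing the URL.
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = Document(doc_id, owner, filename, now, content)
        return doc_id

    def get_document_insecure(self, doc_id: str) -> Optional[Document]:
        # The weakness CNIL found: whoever presents a valid id gets the file,
        # with no check that the requester is the one who uploaded it.
        return self._docs.get(doc_id)

    def get_document(self, doc_id: str, requester: str) -> Document:
        doc = self._docs.get(doc_id)
        # Same response for "does not exist" and "belongs to someone else",
        # so a caller cannot learn which ids exist.
        if doc is None or doc.owner != requester:
            raise AccessDenied("document not found or not owned by requester")
        return doc

    def delete_document(self, doc_id: str, requester: str) -> None:
        # Deletion goes through the same ownership check as reading.
        self.get_document(doc_id, requester)
        del self._docs[doc_id]

    def purge_expired(self, now: datetime, archive_for_legal_claims: bool = False) -> int:
        """Remove documents older than RETENTION; return how many were removed."""
        expired = [d for d in self._docs.values() if now - d.uploaded_at > self.RETENTION]
        for doc in expired:
            del self._docs[doc.doc_id]
            if archive_for_legal_claims:
                self._archive[doc.doc_id] = doc
        return len(expired)

    def archived_ids(self):
        return set(self._archive)


def demo() -> dict:
    """Run the scenario on constructed data and report each check's outcome."""
    store = DocumentStore()
    t0 = datetime(2019, 6, 1)
    doc_id = store.upload("alice", "payslip.pdf", b"sample payslip (constructed)", t0)

    results = {}
    # Insecure lookup hands Alice's payslip to anyone holding the id.
    results["insecure_leak"] = store.get_document_insecure(doc_id) is not None
    # Hardened lookup serves the owner ...
    results["owner_ok"] = store.get_document(doc_id, "alice").filename == "payslip.pdf"
    # ... and refuses everyone else.
    try:
        store.get_document(doc_id, "bob")
        results["other_denied"] = False
    except AccessDenied:
        results["other_denied"] = True
    # 91 days later the document is past retention and is archived, not served.
    results["purged"] = store.purge_expired(t0 + timedelta(days=91), archive_for_legal_claims=True)
    results["gone_after_purge"] = store.get_document_insecure(doc_id) is None
    results["archived"] = doc_id in store.archived_ids()
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The ownership check and the retention sweep are deliberately independent: the first addresses the art. 32 security obligation, the second the storage-limitation point, and fixing one does not satisfy the other. In a real application the requester would come from the authenticated session, never from the URL.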
Real estate companies, like companies from other industries, will fall under the scrutiny of the Cyprus Commissioner for Personal Data Protection. She recently mentioned in an online podcast that she will now launch GDPR compliance audits of Cypriot small and medium-sized companies, which form the majority of Cyprus' companies and are sometimes under the false impression that the GDPR does not concern them.
The DPAs may conduct audits ex officio, but also in response to complaints submitted to them, which have now increased significantly, as the expert group survey and the EU Fundamental Rights Agency's (FRA) 2019 Fundamental Rights Report point out.
Privacy Minders advises and invites organisations to immediately look into their GDPR compliance status and make structured and consistent efforts to improve their data protection scheme, not only to avoid legal and other implications, but also to gain and maintain consumer trust, the loss of which can lead to severe repercussions.