Luxembourg: Property Managers: You Should Get Yourselves Data Protection Compliant

It's been over two years since the GDPR entered into force and yet all property managers have not yet integrated data protection regulatory requirements into their daily lives. The lines below are an opportunity to give a brief reminder on the subject.

Who is concerned?

Simply put, from the moment you receive personal data in the context of your professional activity (all information connected in one way or another to a natural person), you are processing personal data and you should come into compliance with the General Data Protection Regulation (GDPR). Thus, that concerns owners, tenants, your technical and commercial partners' personnel, your employees, etc.

What are your vulnerabilities?

The most obvious: your website which is often your window towards the outside – it is an easy point to monitor which has been a topic of discussion, particularly with respect to the use of cookies – as well as the holding of presence lists at co-owner general meeting or changing of tenants. The most frequently used: a complaint filed by an unhappy customer, a tenant or a competitor. The most official: an audit by the CNPD which organises sectorial audits, the last of which targeted e-commerce platforms.

What to do?

Map out the data processing and document it in a register. You should ask yourself: What am I doing? Why? Do I have the right? Based on this, you can put into place the appropriate documents, thereby informing the persons whose data you process (owners, tenants, salaried employees, etc.) of the modalities of the processing and signing agreements with your partners to provide a framework for it. Data security comes through an analysis of your physical and software security measures: if you have a cutting-edge computer system but your premises are not protected, you are only partially protected…

A little advice?

Remember to keep your data breach register updated. A simple email containing personal data sent the wrong person constitutes a data breach and should be recorded therein (something the CNPD can check). You will understand with this example that coming into GDPR compliance implies the putting into place of a certain number of documents which should be thought of, from the start, as easy to use and evolving so as to remain easy to use on a daily basis.

Originally Published by Law & Legal Counsel column – NEOMAG 37

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.