Are you ready for the new privacy regulation yet?

Currently, we are still dealing with the Personal Data Protection Act, but as of May 25, 2018, the European Privacy Regulation will apply throughout Europe. The privacy regulation applies, for example, when data of customers, tenants or employees are stored. Almost every organization in the real estate world will therefore have to deal with it, especially in the context of real estate investment. Among other things, the new privacy legislation brings with it various obligations regarding the processing of personal data. Also, the processing of personal data is not permitted under all circumstances. So it's high time to get started and see where you stand!

Date: December 11, 2017

Modified November 14, 2023

Written by: Valerie Lipman



What is personal data?

Data counts as personal data when a particular person can be identified from it. Data of legal entities, such as a private limited company, or of deceased persons is not regarded as personal data. Personal data therefore includes data such as a name and an address, but also a telephone number, an e-mail address, a license plate number, a bank account number and even an IP address. When such data from, for example, customers or employees of your organization is processed, you will have to comply with the obligations set forth in the privacy regulation.

Conditions for processing personal data

The privacy regulation places various obligations on the processing of personal data. It is therefore important to consider what personal data you process within your organization and for what purposes. You must avoid storing all kinds of personal data that you do not actually need. After all, there must be a legitimate basis for every processing of personal data.

The first possible basis is unambiguous consent. If the person whose data is being processed has given permission to do so, then the processing is allowed. An example is permission to use measurement data from a smart meter. It is important to note that consent cannot serve as a basis in, for example, the relationship between an employer and an employee. This is because consent must be given completely freely, which is of course not the case in a relationship of authority.

It may also be lawful to process personal data for the performance of a contract. For example, when you need to deliver an order to a customer, it is necessary to have his or her address information, while in order to enter into a rental agreement, it is necessary to have a name, among other things. Furthermore, the processing of personal data may be permissible because of a legal obligation. Examples are an employer who must store data about his staff in personnel records, or a real estate agent who is obliged to record data of buyers and sellers of real estate.

If none of the aforementioned bases apply, data may in principle only be processed if there is a legitimate interest in doing so. This may, for example, be a business interest. It must be necessary to process certain data. It is also important that the data are processed in the least intrusive way and that there is always a balance between the business interest and the interest of the data subject.

Security

The processing of personal data no longer needs to be reported to the Personal Data Authority. However, the processing of personal data is subject to a documentation obligation. This means that it must be recorded which security measures have been taken to protect personal data. The privacy regulation stipulates that personal data must be secured technically and organizationally. This means that, for example, the right software must be used. Which software is the right one is difficult to say at first glance. It depends, among other things, on the personal data being stored. If highly privacy-sensitive data is involved, such as medical data, heavier security measures will be needed. Also, software that provides an adequate level of security today may be obsolete tomorrow.

Besides using the right software, it is important within an organization to consider who has access to personal data and to keep this group as limited as possible. In this way, the risk of personal data unintentionally becoming public can also be reduced.

What can you do?

In preparing for the privacy regulation, the first thing to consider is how this new legislation will affect your organization. This means that it will be necessary to examine what personal data is collected and processed within your organization and for what purpose. Based on this, it can be determined what further steps your organization will need to take and what obligations your organization has. In any case, you should avoid collecting and storing all kinds of personal data when this is not actually necessary. If you are aware of this, the first step has already been taken.

