How will the new Data Protection Law affect residents’ associations?

On 25 May, new European regulations came into force establishing new more ‘harmonized’ legal provisions across the European Union, reinforcing the rights of individuals with regard to the assignment and processing of their personal information. And naturally enough, the real-estate sector has also had to adapt to these new regulations. So how will the new Data Protection Law affect residents’ associations?

Who is the data controller?

Two key participants play a direct role in either the collection or the administration of the personal data of residents: the head of the residents’ association and the property-management companies.

The former, as legal representative of the residents’ association, may be said to be the direct controller of the processing of the information, while the latter have a more indirect advisory and consultancy role. In fact, the contract they execute with the residents’ association for the provision of their services, as well as the Horizontal Property Law, confers on them legitimacy for the processing of the said data.

Where the residents’ association does not have a Management Company or external Consultants, the processing of information by the head of the residents’ association should be limited to the scope of his/her functions, and there is a complete ban on allowing access to the said data to third parties without the consent of the owner.

Duties of residents’ associations following the new Data Protection Law

• To notify a file entitled ‘administration of the residents’ association’ and of employees, should there be any, to the Data Protection Agency.
  
  
• The contractual regulation of all possible data processors at the residents’ association, and to be in possession of the confidentiality documents signed by the officers of the residents’ association (head, deputy head, etc.) and by the employees (should there be any).
  
  
• To have an up-to-date security document with contents meeting the minimum requirements imposed by the regulations.
  
  
• If the residents’ association has a website, it will also be necessary to include the corresponding legal notices with regard to the GDPR and the Law on Services of the Information Society and Electronic Commerce (LSSICE).
  
  
• If there is a video-surveillance system installed, then there is a mandatory requirement to put up a notice to this effect approved by the Spanish Data Protection Agency (AEPD) informing residents of this fact.

In the event that the residents’ association has procured the administration of data-protection from the property-management company, the latter shall be responsible for proper compliance with the requirements of the new GDPR, given its role as data processor of the data with regard to the residents’ association.

Were you aware of how the new Data Protection Law affected your residents’ association?