Data protection in the real world: Apartment tenants, owners, OMCs, and property management companies

October 12th, 2018 | Categories: GDPR

Objective

Data protection rules can be difficult to understand and apply. Providing examples can be useful to show how some of the concepts look in the real world.

In this article, I look at data protection in the context of property management. Specifically, I discuss how the concepts of data controller, data processor, and lawful basis apply in the interactions between an apartment tenant, apartment owner, Owner Management Company (OMC) and a property management company.

Disclaimers

I don’t work in the industry so this is written with an outsider’s perspective.

This article is not legal advice (I am not a legal advisor). It is written in good faith but without warranty of any kind.

The entities

If you own an apartment, you probably already know the role of each entity involved in the day-to-day management of your apartment scheme.

But for others, it’s useful to introduce each entity and clarify their roles.

Apartment tenant – The person who lives in the apartment.

Apartment owner – The person who owns the apartment.

Obviously, if the apartment owner also lives in the apartment, there is probably no tenant. But for the purposes of this article, let’s assume the owner lives elsewhere and has leased the property to a tenant.

Owner Management Company (OMC) – The legal entity that owns the common areas of the apartment scheme and the apartment block itself. This is usually a limited company. Each apartment owner is a shareholder in the OMC and the directors are usually some of these apartment owners.

Property Management Company – The legal entity that has been appointed by the OMC to manage the day-to-day running of the apartment scheme.

For example, the Property Management Company may be responsible for:

  • Collecting annual management fees from apartment owners.
  • Ensuring the bins are emptied on a regular basis.
  • Cleaning common areas such as halls, gardens etc.
  • Enforcing house rules and investigating complaints.

The contracts

Before I talk about data protection, I want to cover the contracts or other binding agreements that are likely to exist between each of the entities. 

This is an important area to consider because ‘performance of a contract’ is one lawful basis allowed under GDPR for the processing of personal data.

However, as I will discuss later, an organisation may not always be able to rely on this lawful basis.

As shown above:

  • The tenant will have a contract (e.g. a lease) with the owner.
  • The owner will have a contract with the OMC, usually signed when the owner purchases the property.
  • The OMC will have a contract with the property management company.

The interactions

 

Now that we have looked at the contracts, let’s look at a few sample processing activities and who interacts with whom in each activity.

4 sample interactions between apartment tenants, owners, OMC, and property management company.

As shown above:

  1. The tenant and apartment owner will communicate on a frequent basis to ensure the tenancy is going according to plan.
  2. The apartment owner may engage with the OMC from time-to-time.
  3. The directors of the OMC will engage with the property management company – e.g. to make sure the property management company is meeting its contractual obligations.
  4. The apartment owner or tenant will engage with the property management company. For example, if they notice the lock on the main door of the block is broken. [Yes, this is a tenant from heaven who actually cares about the state of the apartment block].

From a data protection perspective, the most important point to note is that the interactions between parties do not always correlate with the contracts that exist.

For example, the property management company only has a contract with the OMC. However, it interacts a lot with apartment owners and tenants.

Let’s talk about data protection

OK, I have described the legal contracts likely to be in place between entities and some sample interactions that occur between them.

Now it is time to talk about data protection.

There is personal data involved in each of the five sample processing activities I have described above. Therefore, data protection rules apply in all five activities.

So, where would I start with data protection?

I would start by asking three initial questions for each activity:

  1. Who is the data subject?
  2. Who is the data controller?
  3. What is the lawful basis for the activity?

If you are unsure about these terms, take a look at the explanations in ‘What has GDPR got to do with me?’.

Why these 3 questions?

  • Firstly, for clarity. By nailing this now, you won’t doubt yourself later.
  • Secondly, to be sure you know what your obligations are. There are data protection obligations on both data controllers and on data processors. But the obligations are not the same.
  • Finally, if you are the data controller, the most important thing is to identify the lawful basis that allows you (and your processors) to perform this activity.

Why is the lawful basis so important?

Apart from the fact you cannot process personal data without a lawful basis, the rights of a data subject differ depending on your lawful basis.

If you are unclear about your lawful basis, you will be unsure about the rights.

An unreasonable or ill-informed data subject will be able to take full advantage of you.

Let’s see how this plays out for each of the sample processing activities.

Activity 1: Owner and tenant

To simplify this, I will describe the activity as the apartment owner communicating with the tenant to ensure they are paying their rent. 

Who is the data subject? The tenant.

Who is the data controller? The apartment owner.

What is the lawful basis for this activity? Necessary for the performance of a contract (that exists between the data controller and the data subject).

Activity 2: Owner and OMC

To simplify this, I will describe the activity as the OMC communicating with the apartment owners in relation to the annual general meeting (AGM) of the OMC. 

Who is the data subject? The apartment owners.

Who is the data controller? The OMC.

The Property Management Company is usually the entity that sends the letters to the apartment owners.

It performs this activity because it has been instructed to do so by the OMC.

Just because an entity performs an activity does not mean it is the data controller for that activity.

This is an important point to remember when I get to activity 4.

What is the lawful basis for this activity? Necessary for the performance of a contract (that exists between the data controller and the data subject).

Activity 3: OMC and Property Mgt Co

To simplify this, I will describe the activity as the Property Management Company taking calls from directors and staff of the OMC to discuss the day-to-day maintenance of the apartment scheme. 

Who is the data subject? The directors and staff of the OMC.

Who is the data controller? The Property Management Company.

What is the lawful basis for this activity? Legitimate interest (of the property management company and of 3rd parties, such as the OMC).

Why is the lawful basis not ‘performance of a contract’?

Because there is no contract between the data subjects and the data controller.

The contract is between the property management company and the OMC (the legal entity). It is not with the directors and staff of the OMC.


Activity 4: Apartment owner or tenant and Property Mgt Co

To simplify this, I will describe the activity as the Property Management Company handling a complaint from an apartment owner or tenant about a broken lift. 

Who is the data subject? The apartment owner / tenant.

Who is the data controller? The OMC.

Why is the property management company not the controller?

I will give a detailed justification in the next section below*.

What is the lawful basis for this activity? Legitimate interests (of the property management company and of 3rd parties, such as the OMC, apartment owners and other tenants).

Why is the lawful basis not ‘performance of a contract’?

‘Performance of a contract’ could be the lawful basis for the interaction between the apartment owners and the Property Management Company. This is because there is a contract between the data subject (apartment owner) and the data controller (the OMC), and this activity could be regarded as necessary for the performance of this contract.

However, there are no contracts between the OMC and the tenants (the other data subjects involved in this activity). So, this is not available as a lawful basis for the processing of the tenants’ personal data in this scenario.

* Activity 4: The data controller

OMC is a data controller

The OMC is the legal owner of the apartment block. It has a contract with apartment owners to keep the block maintained and in return owners pay an annual management fee to the OMC.

The OMC could maintain all aspects of its property itself. However, it has decided to outsource most / all of its day-to-day responsibilities to the Property Management Company.

The OMC could replace the Property Management Company with another at any point in time.

Consider all of this alongside the definition of a data controller.

The entity that ‘determines the purposes and means of the processing of personal data’.

Article 4(7) of GDPR

The OMC determines the purpose (interacting with owners and tenants to ensure its property is maintained and to ensure it is meeting its contractual obligations with owners). It is also determining the means (outsourcing this activity to the Property Management Company).

The OMC is a data controller for this activity.

Property Management Company is a data processor

The Property Management Company is only interacting with owners and tenants because the OMC has asked them (through a contract) to do so.

The Property Management Company is performing activities on behalf of the OMC.

Consider this alongside the definition of a data processor.

The entity that ‘processes personal data on behalf of the controller’.

Article 4(8) of GDPR

The Property Management Company is a data processor for this activity.

You may argue that the Property Management Company is the one deciding how to perform the activities so it must be a data controller.

I know the OMC does not have a clue about how to manage the tasks involved in maintaining an apartment scheme. The Property Management Company is the subject matter expert.

The same could be said of any business that uses Microsoft Office 365 or G-Suite as its email provider. Microsoft and Google are the experts when it comes to operating an email platform. This is why businesses outsource this activity to these experts.

However, from a data protection perspective, none of that matters.

Microsoft / Google are data processors for processing activities related to the smooth running of their email platforms. The businesses that use them are the data controllers for the personal data flowing through their email accounts.

If an entity determines the purpose and means, they are a controller. This is likely to be the case even if they rely on the expertise of others to actually perform the activity.

The key takeaway

GDPR lawful basis for each activity

A business needs to identify the main interactions it has with individuals, and the ways in which it processes the personal data of individuals.

However, just because the business interacts directly with an individual does not automatically mean it is the data controller for that activity.

Similarly, even if a business does not directly interact with an individual, it may still be a data controller.

The impact

You need to ensure all of the organisations involved in the processing activities agree on who is a controller and who is a processor for each activity.

You need to ensure your contracts with these organisations reflect this agreement.

As the OMC directors are usually volunteers (e.g. apartment owners of a scheme), it can be a challenge for the OMC to recognise that it is a data controller for a lot of the activities undertaken by the property management company.

A Property Management Company may need to help the OMC to get this nailed. At a minimum, it should ensure its contract with the OMC makes this clear.

About the Author:

Hi, I am Sam Glynn of Code in Motion. I hold various data protection certifications (CIPP/E, CIPM, CDPO) and regularly train future DPOs on behalf of the IAPP. I help businesses that are struggling to comply with data protection rules. I provide pragmatic guidance using plain English.