
GDPR compliance pays: the €14.5m lesson

When property giant Deutsche Wohnen SE was hit with Germany’s first major GDPR fine last November, shockwaves rippled across Europe. As the dust settles, Vinod Bange and Clare Harman Clark explain why it is so important for the real estate sector to get to grips with a robust data retention policy.

The autumn headlines predictably focused on the massive €14.5m (£13.3m) penalty. There have been a host of smaller fines since the General Data Protection Regulation (GDPR) came in, but only four have run into the millions. This one put the German property firm squarely in the same sin bin as data heavyweight Google, and yet the breach somehow didn’t feel that dramatic. Rather than intrusive ad personalisation or worrying data losses, Deutsche Wohnen had fallen short of compliance obligations: its data retention policy was not sufficiently robust. The accusation feels almost pedestrian, although clearly Maja Smoltczyk, Berlin’s commissioner for data protection and freedom of information (the DPA), disagreed.

According to the DPA, by holding on to data for too long, Deutsche Wohnen infringed data protection by design requirements (Article 25(1)) and the general processing and data minimisation principles in Article 5. The firm was warned during an on-site audit in June 2017, but when the DPA made a return visit in March 2019, it was still keeping too much data unlawfully. It had failed to address GDPR’s fundamental tenet: personal data cannot be held for longer than is necessary given the “purpose” it was collected for.

Deutsche Wohnen’s failure to heed that warning did not incline the regulator to leniency; even so, Germany’s largest GDPR fine to date could have been much bigger. An Article 5 infringement carries a maximum penalty of 4% of annual worldwide turnover, but taking into account the nascent measures Deutsche Wohnen had taken to address the issues (and the fact there was no evidence of actual data misuse), the DPA based its penalty on about 2%. This reduced the sum from an eye-watering maximum of around €28m. For the record, the fact that the fine was imposed by a German regulator makes no difference to UK firms. GDPR was implemented in UK legislation with the Data Protection Act 2018 in May 2018 and it will live on in the post-Brexit world.

It is vital therefore that our own real estate firms have got their houses in order and have thought rigorously about their use of property management data.

Data, data everywhere

Property ownership/management has always been a data-heavy exercise. Like many real estate companies, Deutsche Wohnen collected plenty of personal information about tenants present and past. Its archives included salary statements, employment terms, training records, pay slips and bank statements, as well as details of health insurance, tax and social security. Names, addresses and numbers are indeed routinely included in tenant inventories. And undertaking even basic investigations into covenant strength means gathering references and bank details.

As the sector digitises, these data repositories are bulging, by accident if not design. Proptech products helping landlords address sustainability or model environmental impact will track individual patterns of use. Sophisticated security systems do the same, issuing swipe cards, recording number plates or, at the more extreme end, employing facial recognition. Optimising operational efficiency (for example by space configuration) requires a high degree of tenant literacy. Meanwhile, targeted strategies for marketing estate vacancies or increasing tenant loyalty might involve tracking trends over time. This new data is complex, multi-layered and often unstructured, but it too is subject to GDPR.

What exactly are the rules?

If getting hold of data isn’t the difficult bit, knowing how to handle it can be. The thing is: there are no prescriptive rules or timetables to follow. GDPR doesn’t state exactly how data must be categorised, just that companies keep it for no longer than is necessary. The problem comes down to the thorny issue of clarifying compliance and robustly implementing it.

Alongside comprehensive governance, the formulation of a robust data management strategy will consider the following:

Accountability – are there regulatory, statutory or contractual requirements for retention?

There might well be many regulatory or tax reasons why data must be retained. However, answering this question fully means tracking the key features of letting documents. When tenants leave a building, for example, certain obligations hang around; there may be a dilapidations claim to settle, or you might resurrect the ghosts of tenants past under an authorised guarantee agreement. GDPR obligations are ongoing, and require a clear view of data flows across your operations.

Transparency – identifying a lawful basis for retention; articulating genuine business need

Until now, most firms were more concerned with protecting data against wilful or accidental loss, rather than deleting it.

It’s no major surprise, perhaps, that Deutsche Wohnen’s archiving system did not facilitate erasure – once stored, data was held for a potentially unlimited time. The GDPR shift to justifying and jettisoning data is challenging. Meanwhile, property managers are acutely aware that data collected for one reason today might be mined and repurposed tomorrow with improved analytics tools. After all, to draw big data conclusions, you need a lot of data.

So how long is it actually necessary to hold data? Historic lettings might well inform future strategy on a tenanted portfolio. Operating costs can be better managed as data saved now informs maintenance schedules or capital projects. It might not help the further reaches of existing repositories, but future-proofing strategies might well mean getting transparent consent for current and anticipated processing. Still, tailoring accessible notices when data is collected is only half the story; consent must be freely given and capable of being withdrawn.

Processes and controls – how sophisticated is your data storage?

Many firms routinely deposit historical data in data graveyards, but simply archiving the details of years, processes and occupiers past is not sufficient; the rights of those data subjects have been reanimated with GDPR. The privacy by design requirement in Article 25 requires technological design to implement the data protection principles effectively. Article 5, meanwhile, ensures retention must be adequate, relevant and limited to what is necessary.

So far so good, but with minimal tick-box guidance, building a robust process for retention or deletion is complex. It starts at the outset of a transaction or project by considering data aspects. Establishing legitimate reasons to hold on to information requires granular analysis and applying perhaps multiple retention periods with staggered deletion dates. Meanwhile, can data be redacted, minimised or further protected? This is laborious work, and managing compliance might involve training or appointing a data protection officer. Can personal data be easily reviewed, retrieved and even updated? Individuals may exercise their own GDPR rights at any time and insist that what you have is securely delivered to them.

A rude awakening

This isn’t the end of the story. Deutsche Wohnen is expected to challenge the multi-million-euro fine, and its success is likely to rely on analysing those Article 25 design requirements and their application to its home-built archiving system. And yet, whatever happens, this is an awakening for the industry. Just like other firms controlling and processing personal data, real estate companies are subject to GDPR, and can face serious financial liability for failures to address compliance and demonstrate accountability.

Vague processes and policies are not sufficient; it’s not enough to protect against dramatic data leaks or misuse. Companies need sophisticated data management policies, and when it comes to identifying vulnerabilities, data protection lawyers used to providing answers can start to ask the right questions.

Vinod Bange is a commercial technology and data partner and Clare Harman Clark is a senior professional support lawyer at Taylor Wessing LLP

Photo: Perry Mastrovito/imageBROKER/Shutterstock
