Real Estate

Since the GDPR's entry into force, 53 fines (+23 in comparison to the 2022 ETR) have been imposed on data controllers in the Real Estate sector. Insofar as the amounts of the fines were published, those fines as of now amount to EUR 2.6 million (+2 million in comparison to the 2022 ETR). Although the absolute amount of fines is still low in comparison to other sectors, it is roughly five times the amount of the ETR 2022, thereby representing the steepest increase among all of the sectors highlighted in this report. This increase is largely due to one exceptionally high fine issued by the DPA of Bremen (Germany). Fines have been issued by DPAs from 13 different countries (+2 in comparison to the 2022 ETR), mostly to homeowner associations and real estate management companies.

Nearly 40% of the fines in the Real Estate sector – 21 out of 53 – have been issued for non-compliance with general data processing principles, with an insufficient legal basis for data processing being in second place at close to 30% (15 out of 53 fines). Fines being issued due to insufficient technical and organizational measures to ensure information security are especially rare in comparison to other sectors.

Let's take a closer look


  • The majority of published fines in this sector range from EUR 500 to EUR 50,000. This is mainly due to the structure of data controllers fined in the Real Estate sector, as most are comparatively small businesses or homeowner associations. One outlier at EUR 400,000 has been issued by the French DPA (CNIL) for a lack of security measures and excessive data storage (ETid-24). Another outlier at EUR 1.9 million, which is the main reason behind the significant increase in the total amount of fines issued in the Real Estate sector, has been issued by the DPA of Bremen (Germany) for data processing with an insufficient legal basis, including the unlawful processing of special categories of personal data (ETid-1103).
  • A substantial fine of EUR 14.5 million initially issued by the DPA of Berlin, has been overturned by the Berlin Regional Court in February 2021 (ETid-98, ETid-99). An appeal against this decision has been filed and the case is still pending for preliminary ruling at the European Court of Justice following the decision of the Appellate Court of Berlin (Kammergericht Berlin) of 06.12.2021.
  • One topic in particular continues to dominate GDPR fines in the Real Estate sector: Video surveillance. The increasingly widespread use of CCTV systems in residential buildings and properties entails various risks regarding data protection. In some cases, data subjects have not been informed of the surveillance measures or (e.g. in the case of ETid-1523) the provided information did not meet the requirements of Art. 13 GDPR. Furthermore, there usually is no justification for CCTV systems to record audio and thereby tenants’ conversations. Data controllers also need to ensure that the data collected by the CCTV system is sufficiently secured against unauthorized access and they may not actively publish data themselves. Perhaps most relevant, data controllers must be careful with placement of cameras. A significant part of fines in the context of CCTV surveillance were issued because the cameras could capture images of public property such as public streets or walkways or even capturing the inside of private apartments if the resident opened the door as in the cases of ETid-486 and ETid-1627.

Main takeaways

The Real Estate sector requires the processing of sensitive data, as prospective tenants provide landlords with information such as ID-documents and detailed financial information, whereas landlords would be well advised to only collect data in the rental application process that is strictly necessary for the rental. Furthermore, data controllers routinely collect and process data by using CCTV systems to protect their property against theft, vandalism and other inconveniences. Adequate technical and organizational measures must be in place to ensure adherence to GDPR with a special focus on general processing principles such as data minimization or storage limitation.