Publication 15 May 2024 · Luxembourg

Since the GDPR's entry into force, 63 fines (+10 in comparison to the 2023 ETR) have been imposed on data controllers in the Real Estate sector. Insofar as the amounts of the fines were published, those fines as of now amount to slightly over EUR 2.6 million (a very modest increase of roughly EUR 20,000 in comparison to the 2023 ETR). The absolute amount of fines remains low in comparison to other sectors. The steep relative increase of 2022 was largely due to one exceptionally high fine issued by the DPA of Bremen (Germany), that so far has remained an exception. Fines have been issued by DPAs from 13 different countries, mostly to homeowner associations and real estate management companies.

Just shy of 40 % of the fines in the Real Estate sector – 25 out of 63 – have been issued for non-compliance with general data processing principles, with an insufficient legal basis for data processing being in second place at slightly above 30 % (19 out of 63 fines). Fines being issued due to insufficient technical and organizational measures to ensure information security are especially rare in comparison to other sectors.

Let's take a closer look


  • The majority of published fines in this sector range from EUR 500 to EUR 50,000. This is mainly due to the structure of data controllers fined in the Real Estate sector, as most are comparatively small businesses or homeowner associations. One exception is a fine of EUR 400,000 that has been issued by the French DPA (CNIL) for a lack of security measures and excessive data storage (ETid-24). Another particularly high fine of EUR 1.9 million has been issued by the DPA of Bremen (Germany) for data processing with an insufficient legal basis, including the unlawful processing of special categories of personal data in 2022 (ETid-1103) and accounts for the majority of the current total amount of known fines issued in the Real Estate sector. These comparatively high fines remain outliers and no comparable fines have been issued throughout 2023.
  • A substantial fine of EUR 14.5 million initially issued by the DPA of Berlin to a property company for the indiscriminate and unlimited retention of personal data (including sensitive data such as tax-, social security- and health insurance data) has been overturned by the Berlin Regional Court in February 2021 (ETid-98, ETid-99). This was based on the fact that, according to German law, a fine can only be issued to a company if the offence is attributable to an individual, such as a managing director or employee. The case was then appealed to the Appellate Court of Berlin, which on 06.12.2022 in turn referred it to the European Court of Justice for a preliminary decision on whether the Regional Court's decision aligned with European law. On 05.12.2023 the European Court of Justice ruled that while culpability is indeed required for a fine to be issued, it is not always necessary to attribute the offence to an individual. If the controller is a company instead of a natural person, it shall suffice if the offence is attributable to the company itself. In light of this decision the Appellate Court of Berlin overturned the initial decision of the Regional Court of Berlin and referred the case back to the Regional Court of Berlin for a new decision which, at the time of the editorial deadline of this report, is still pending.
  • The topic of video surveillance in particular continues to dominate GDPR fines in the Real Estate sector. The widespread use of CCTV systems in residential buildings and properties entails a variety of risks regarding data protection. In some cases, data subjects have not been informed of the surveillance measures or (e.g., in the case of ETid-1523) the provided information did not meet the requirements of Art. 13 GDPR. Furthermore, there usually is no justification for CCTV systems to record audio and thereby potentially tenants’ and visitors' conversations. Data controllers also need to ensure that the data collected by the CCTV system is sufficiently secured against unauthorized access and they may not actively publish data themselves. Perhaps most relevant, data controllers must be careful with the placement of cameras: a significant part of the fines in the context of CCTV surveillance were issued because cameras captured images of public property such as public streets or walkways (e.g., ETid-2163) or even the inside of private apartments if the resident opened the door, as in the cases of ETid-486 and ETid-1627.
  • In many cases it is an established practice to publish documents on notice boards accessible to the public or at least to anyone within the building, e.g., to inform owners and renters of developments and relevant dates of interest for the whole property such as scheduled maintenance work. Recently, however, there have been cases where homeowners' associations published enforcement notices containing personal data of property owners on such notice boards (see ETid-2010 or ETid-2162). On a similar note, fines have been issued for the unauthorized public display, on the controllers' websites for marketing purposes, of pictures of properties that also included individual persons without their approval (see ETid-1971 and ETid-1998). These fines highlight the importance of adherence to general data processing principles regarding any information made publicly available. This is of particular relevance for the Real Estate sector, where there is a regular need to publish certain information, e.g., in the form of notices on notice boards or the publication of photographs of buildings and flats as part of offers for lease.

Main takeaways

The Real Estate sector requires the processing of sensitive data, as prospective tenants provide landlords with information such as ID documents and detailed financial information. Landlords would be well advised to collect only data that is strictly necessary for the rental during the rental application process. Furthermore, data controllers routinely collect and process data by using CCTV systems to protect their property against theft, vandalism, and other inconveniences. Adequate technical and organizational measures must be in place to ensure adherence to GDPR with a special focus on general processing principles such as data minimization or storage limitation.
Where a need for any kind of publication arises, care should be taken to avoid unintentional disclosure of personal data, e.g., identifiable persons in pictures in advertisements or offerings for rent.
