GDPR Enforcement in Real Estate

Deep dive into relevant data protection enforcement cases and insights for real estate

19 May 2026 Monaco 5 min read


Since the GDPR's entry into force, 82 fines related to the Real Estate sector (+15 in comparison to the 2025 ETR) have been imposed on data controllers. Insofar as the amounts of the fines were published, those fines as of now amount to slightly over EUR 3 million (an increase of roughly EUR 200k in comparison to the 2025 ETR). Both the absolute amount of fines and the individual fines remain low in comparison to other sectors.

The increase in comparison to the 2025 ETR is mostly owed to two fines issued by the Italian Data Protection Authority (Garante) of EUR 100k and EUR 40k for insufficient fulfilment of information obligations and non-compliance with essential data processing principles. Fines have been issued by DPAs from 13 different countries, mostly to homeowner associations and real estate management companies.

Roughly 35% of fines in the Real Estate sector – 30 out of 85 – have been issued for non-compliance with general data processing principles, with an insufficient legal basis for data processing being in close second place at 31% (27 out of 85 fines).

Key numbers

  • Total number of fines: 82
  • Total amount (EUR): 3,051,571
  • Average amount (EUR): 37,214
  • Biggest fine (EUR): 1,900,000

Let's take a closer look

  • The majority of published fines in this sector range from EUR 500 to EUR 50,000. This is mainly due to the structure of data controllers fined in the Real Estate sector, as most are comparatively small businesses or homeowner associations.
     
  • A substantial fine of EUR 14.5 million initially issued by the DPA of Berlin to a property company for the indiscriminate and unlimited retention of personal data (including sensitive data such as tax, social security and health insurance data), which would have significantly boosted the total amount of fines in the Real Estate sector, has been overturned and the court process in this regard is ongoing (ETid-98, ETid-99).
     
  • Issues connected to the direct marketing activities of real estate businesses are becoming increasingly relevant to Data Protection Authorities. Since the 2025 version of the ETR, 7 fines have been issued for non-compliant direct marketing activities – accounting for nearly half of all new fines issued since then.

Main takeaways

While most fines are comparatively small, Data Protection Authorities have issued more substantial fines to larger companies, although these remain an exception. One example of such a substantial fine is a fine of EUR 400,000 that has been issued against a real estate development and administration company by the French DPA (CNIL) for a lack of security measures and excessive data storage (ETid-24)*.
Another example is a fine of EUR 100,000 imposed on a real estate management company by the Spanish Data Protection Authority (AEPD) for the insufficient fulfilment of information obligations as well as taking insufficient technical and organisational measures to ensure information security (ETid-2527)*.
Another particularly high fine of EUR 1.9 million has been issued by the DPA of Bremen (Germany) for data processing with an insufficient legal basis, including the unlawful processing of special categories of personal data in 2022 (ETid-1103)*, and accounts for the majority of the current total amount of known fines issued in the Real Estate sector.
A EUR 14.5 million fine (ETid-98, ETid-99)* had originally been overturned based on the fact that under German law an offence attributable to a natural person such as a managing director or employee of a company is required in order to issue a fine to said company. Subsequently, an appeal against this decision has been filed with the Appellate Court of Berlin, which on 06.12.2022 in turn has referred the case to the European Court of Justice for a preliminary decision on whether the Regional Court's decision is in line with European law. On 05.12.2023 the European Court of Justice ruled that, while culpability is indeed required for a fine to be issued, it is not always necessary to attribute the offence to a natural person. If the controller is a company instead of a natural person, it shall suffice if the offence is attributable to the company itself. In light of this decision, the Appellate Court of Berlin overturned the Regional Court of Berlin's initial decision to set aside the fine and remanded the case to the Regional Court of Berlin for a new decision, which was still pending at the time of the editorial deadline of this report and expected to come to a conclusion in 2026.

Compliance hotspots

  • The topic of video surveillance in particular continues to dominate GDPR fines in the Real Estate sector. The widespread use of CCTV systems in residential buildings and properties entails a variety of risks regarding data protection. In some cases, data subjects have not been informed of the surveillance measures or (e.g. in the case of ETid-1523) the provided information did not meet the requirements of Art. 13 GDPR. Furthermore, there usually is no justification for CCTV systems to record audio and thereby potentially tenants' and visitors' conversations. Data controllers also need to ensure that the data collected by the CCTV system is sufficiently secured against unauthorised access, and they may not actively publish data themselves. Perhaps most relevant, data controllers must be careful with the placement of cameras: a significant share of fines in the context of CCTV surveillance were issued because cameras would capture images of public property such as public streets or walkways, or common areas of private property (e.g. ETid-2163 or ETid-2395), or even the inside of private apartments if the resident opened the door, as in the cases of ETid-486 and ETid-1627.
     
  • In many cases, it is an established practice to publish documents on noticeboards accessible to the public or at least to anyone within the building, e.g. to inform owners and renters of developments and relevant dates of interest for the whole property, such as scheduled maintenance work. Recently, however, there have been cases where homeowner associations published enforcement notices containing personal data of property owners on such noticeboards (see ETid-2010 or ETid-2162). On a similar note, fines have been issued for the unauthorised public display of pictures of properties that also included individual persons without their approval (see ETid-1971 and ETid-1998) on the controllers' websites for marketing purposes. These fines highlight the importance of adherence to general data processing principles regarding any information made publicly available. This is of particular relevance for the Real Estate sector, where there is a regular need to publish certain information, for example in the form of notices on noticeboards or the publication of photographs of buildings and apartments as part of advertisements for the lease of such buildings or apartments.

Outlook

The Real Estate sector has so far been rather consistent with regard to which areas are of particular interest to Data Protection Authorities. Due to the large amount of personal data processed by real estate companies, particularly data relating to tenants, owners and visitors, AI may be of some interest to them. We expect Data Protection Authorities to be on the lookout for non-compliance with regard to the use of AI (e.g. preselection of potential tenants, surveillance of buildings, predictive maintenance). Nonetheless, the topics of video surveillance and public communication via noticeboards etc. will remain relevant and should remain a focus for companies to ensure compliance with data protection requirements.
