
Since the GDPR's entry into force, 70 fines related to the Real Estate sector (+7 in comparison to the 2024 ETR) have been imposed on data controllers. Insofar as the amounts of the fines were published, those fines as of now amount to slightly over EUR 2.8 million (an increase of roughly EUR 200,000 in comparison to the 2024 ETR). The absolute amount of fines remains low in comparison to other sectors. The increase of roughly 10 % in comparison to the 2024 ETR is mostly due to two significant fines issued by the Spanish Data Protection Authority (AEPD) and one similarly significant fine issued by the French Data Protection Authority (CNIL). Fines have been issued by DPAs from 13 different countries, mostly to homeowner associations and real estate management companies.
Roughly 37 % of fines in the Real Estate sector – 26 out of 70 – have been issued for non-compliance with general data processing principles, with an insufficient legal basis for data processing being in second place at 30 % (21 out of 70 fines).
Let's take a closer look
- The majority of published fines in this sector range from EUR 500 to EUR 50,000. This is mainly due to the structure of data controllers fined in the Real Estate sector, as most are comparatively small businesses or homeowner associations. Nonetheless, data protection authorities have issued more substantial fines to larger companies, though these remain an exception. One example of such a substantial fine is a fine of EUR 400,000 that was issued against a real estate development and administration company by the French DPA (CNIL) for a lack of security measures and excessive data storage (ETid-24). Another example is a fine of EUR 100,000 imposed on a real estate management company by the Spanish Data Protection Authority (AEPD) for the insufficient fulfilment of information obligations as well as taking insufficient technical and organisational measures to ensure information security (ETid-2527). Another particularly high fine of EUR 1.9 million has been issued by the DPA of Bremen (Germany) for data processing with an insufficient legal basis, including the unlawful processing of special categories of personal data in 2022 (ETid-1103); this fine accounts for the majority of the current total amount of known fines issued in the Real Estate sector.
- A substantial fine of EUR 14.5 million initially issued by the DPA of Berlin to a property company for the indiscriminate and unlimited retention of personal data (including sensitive data such as tax, social security and health insurance data) was overturned by the Berlin Regional Court in February 2021 (ETid-98, ETid-99). This was based on the fact that under German law an offence attributable to a natural person such as a managing director or employee of a company is required in order to issue a fine to said company. Subsequently, an appeal against this decision was filed with the Appellate Court of Berlin, which on 6 December 2022 in turn referred the case to the Court of Justice of the European Union for a preliminary decision on whether the Regional Court's decision is in line with European law. On 5 December 2023 the Court of Justice of the European Union ruled that while culpability is indeed required for a fine to be issued, it is not always necessary to attribute the offence to a natural person. If the controller is a company instead of a natural person, it shall suffice if the offence is attributable to the company itself. In light of this decision, the Appellate Court of Berlin overturned the Regional Court of Berlin’s initial decision to set aside the fine and remanded the case to the Regional Court of Berlin for a new decision, which was still pending at the time of the editorial deadline of this report.
- The topic of video surveillance in particular continues to dominate GDPR fines in the Real Estate sector. The widespread use of CCTV systems in residential buildings and properties entails a variety of risks regarding data protection. In some cases, data subjects have not been informed of the surveillance measures or (e.g. in the case of ETid-1523) the provided information did not meet the requirements of Art. 13 GDPR. Furthermore, there usually is no justification for CCTV systems to record audio and thereby potentially tenants' and visitors' conversations. Data controllers also need to ensure that the data collected by the CCTV system is sufficiently secured against unauthorised access, and they may not actively publish data themselves. Perhaps most relevant, data controllers must be careful with the placement of cameras: a significant share of fines in the context of CCTV surveillance were issued because cameras captured images of public property such as public streets or walkways, of common areas of private property (e.g. ETid-2163 and ETid-2395), or even of the inside of private apartments if the resident opened the door (as in the cases of ETid-486 and ETid-1627).
- In many cases it is an established practice to publish documents on noticeboards accessible to the public or at least to anyone within the building, e.g., to inform owners and renters of developments and relevant dates of interest for the whole property such as scheduled maintenance work. Recently, however, there have been cases where homeowners' associations published enforcement notices containing personal data of property owners on such noticeboards (see ETid-2010 or ETid-2162). On a similar note, fines have been issued for the unauthorised public display, on the controllers' websites for marketing purposes, of pictures of properties that also included individual persons without their approval (see ETid-1971 and ETid-1998). These fines highlight the importance of adherence to general data processing principles regarding any information made publicly available. This is of particular relevance for the Real Estate sector, where there is a regular need to publish certain information, for example in the form of notices on noticeboards or the publication of photographs of buildings and apartments as part of advertisements for the lease of such buildings or apartments.