In November, real estate company Deutsche Wohnen SE was hit with a fine of €14.5m under the General Data Protection Regulation. Clare Harman Clark looks at the role of property solicitors in helping their clients abide by the regulation

Clare Clark

As the dust settles from the Deutsche Wohnen news, the real estate sector must get to grips with what exactly a robust data retention policy looks like, and many are looking to their lawyers to help them understand why it is so important and what they need to do now. In this article, I outline what happened in this case, and look at how solicitors can help their real estate clients understand and meet their obligations under the General Data Protection Regulation (GDPR).

What happened?

The autumn headlines focused on the size of the penalty imposed on Deutsche Wohnen. There have been a host of smaller fines across Europe since GDPR came in, but only four have run into the millions. This one put the property firm squarely in the same ‘sin bin’ as data heavyweight Google. Yet the breach didn’t feel that dramatic from a consumer perspective. Next to the intrusion of unconsented advert personalisation or the insecurity of data loss, merely failing to implement a sufficiently robust data retention policy was almost pedestrian. But Maja Smoltczyk, the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit (BBDI)), clearly disagreed.

Like many real estate companies engaged in managing and letting property, Deutsche Wohnen collected and filed personal information about its tenants, present and past. It kept an archive of information that included salary statements, employment terms, training records, payslips and bank statements, as well as details of health insurance, tax and social security.

Image: Data - building made of binary code (© omadoig@btinternet.com)

A fundamental tenet of GDPR is data minimisation. Article 5 requires data retention to be adequate, relevant, and limited to no longer than is necessary for the “purpose” for which it was collected. Deutsche Wohnen stumbled at this hurdle. According to the BBDI, Deutsche Wohnen was holding onto data for too long, and its infringement highlighted its corresponding failures of the design requirements (article 25(1) requires technological design to implement the data protection principles effectively).

The business was warned during an on-site data protection audit in June 2017, but ultimately failed to put a GDPR-compliant data archiving system in place. When the BBDI made a return visit in March 2019, it was still holding onto too much data belonging to past tenants. Its failure to heed the warning with sufficient rigour did not incline the regulator to leniency. Smoltczyk said: “Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods, thereby allowing differentiated deletion periods as such solutions are commercially available.”

Interestingly, this is the largest GDPR fine issued in Germany to date, but it could have been bigger. Article 5 infringement carries a maximum penalty of 4% of annual worldwide turnover – which would have been around €28m in this case – but the BBDI calculated the penalty based instead on about 2% of annual revenues. It explained that this was to take into account the firm’s nascent attempts to address the issues identified, and the fact that the BBDI didn’t find evidence to suggest it was actually misusing its access to the unlawfully stored data.

Of course, the fact that this is a German fine is not important. GDPR has pan-European application, and will live on in UK legislation post-Brexit. Eighteen months after it became law in the UK (on 25 May 2018), it is vital, therefore, that real estate firms here have their houses in order. For the first time, real estate lawyers might be asked to think practically about the value and (potential) use of their clients’ property management data sets, in the context of GDPR compliance.

What data do your clients hold?

Property ownership and/or management is clearly a data-heavy exercise. In collating even basic tenant inventories, landlords record names, addresses and phone numbers. Key-holders will routinely provide contact details for out-of-hours emergencies. Even cursory investigations into tenant covenant strength at the start of a transaction can generate personal and employment references and banking details, stored so that the landlord can collect rent, enforce guarantees or simply understand cashflows.

As the sector begins to digitise, proptech products that help landlords address bricks-and-mortar sustainability or model the environmental impact of a building are producing new repositories of data on patterns of use by individuals. Ever-more sophisticated security systems do the same, issuing swipe cards, recording car number plates or even employing facial recognition tools.


Meanwhile, management companies can maximise value by optimising operational efficiencies (even in terms of maintenance or space configuration), which requires a high degree of literacy about the occupants of a building. The creation of targeted marketing strategies for vacant properties or increasing tenant loyalty might also involve tracking tenant trends over time.

All this new data might be complex, multi-layered and unstructured but, whether gathered actively or passively, intentionally or by accident, it is there, and it is subject to the requirements of GDPR.

What are the rules?

A company must have a genuine business or legal reason for retaining data for longer than is otherwise necessary, considering the purpose for which it was collected. This sounds simple enough, but the problem comes down to the thorny issue of clarifying compliance and robustly implementing it.

There are no prescriptive rules or timetables to follow. GDPR doesn’t state exactly how data must be categorised, for example, just that it cannot be kept for longer than is necessary. Moreover, GDPR obligations remain fully alive even where the data is buried away and seemingly out of reach; and any retention beyond the original purpose timeline attracts other obligations around minimisation and data subject protection (by, for example, going through the laborious process of anonymising retained data).

How can you help your clients?

The area is a potential minefield, but lawyers can help their clients to think about data, which in turn will help them formulate the sort of robust data management strategy that might have spared Deutsche Wohnen the assault on its coffers. Ask your clients these questions.

1. Are there regulatory or statutory requirements for the data to be kept?

There might be many, often jurisdictionally specific, regulatory reasons why specific data must be retained. Look to the requirements of financial regulators or tax laws, for example.

2. Are there contractual requirements for the data to be kept?

Answering this question will require understanding the nuances in any transactional documents the clients have entered into. Regarding leases, for example, to what extent might contractual obligations survive the end of the letting term? Tenants who have left a building might still need to be contacted in the foreseeable future to enable the settlement of a dilapidations claim. Previous tenants from years past might be resurrected when a landlord wants to enforce the terms of a guarantee (or authorised guarantee agreement), even though they actually closed the front door many years previously.

3. Are there genuine business needs for the data to be kept, and does that involve greater transparency around the identified lawful basis under GDPR?

This is a challenging question. Data collected for property management might, in today’s world, be repurposed with improved analytics tools, and mined for sophisticated reviews. If you own a tenanted portfolio, data collected now can inform future letting strategies, or help you plan better for a building’s operating costs, with long-term knowledge of use patterns allowing you to plan for maintenance or capital projects. Clients need to consider transparency when the data is collected, obtaining consent for current and anticipated processing (although of course this won’t necessarily help with data the client already holds).

4. Can the data be redacted, minimised or otherwise further protected? Is it routinely reviewed and removed from the archive?

Deutsche Wohnen’s archiving system did not facilitate data erasure – data was held for a potentially unlimited time. Many firms routinely deposit historic information in data graveyards. But the rights of data subjects have been reanimated with GDPR, and real estate firms need to conduct granular analysis to establish a legitimate reason for retention or deletion, and design appropriate and robust processes. One option might be to separate out different data streams against identified lawful bases and/or individual users, and deal with each separately, staggering deletion dates according to a specific purpose timeline.

Since, under GDPR, individuals may at any time request a copy of the data held on them, firms must ensure that processes are in place to change or update data on request from the subject (the tenant, for example).
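The archiving design the regulator described, and the one suggested under question 4 above, can be sketched in code: every data stream carries its own lawful basis and its own retention clock from the end of the tenancy, a legal hold (an open dilapidations claim, say) suspends deletion for that record only, and the same index serves subject access and rectification requests. The following Python is an added illustration, not code from the article or from Deutsche Wohnen; the stream names, retention periods and sample tenants are constructed assumptions, not legal advice on how long any category must be kept.

```python
"""Illustrative retention scheduler: one rule per data stream, staggered deletion."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """Why a stream is kept and for how long after the tenancy ends.
    Periods are illustrative assumptions for this example only."""
    lawful_basis: str
    retention_days: int


# Assumed rules: each data stream has its own basis and its own clock.
RULES = {
    "emergency_contact": RetentionRule("legitimate interest: building safety", 0),
    "reference_check":   RetentionRule("pre-contract assessment", 90),
    "rent_ledger":       RetentionRule("legal obligation: tax/accounting", 6 * 365),
    "guarantee":         RetentionRule("contract: enforce guarantee", 6 * 365),
}


@dataclass
class Record:
    tenant_id: str
    stream: str
    tenancy_end: date
    data: dict
    legal_hold: Optional[str] = None   # e.g. reference of an open dilapidations claim


def deletion_due(rec: Record) -> date:
    """Date after which the record has outlived its purpose."""
    rule = RULES[rec.stream]   # a stream with no rule has no lawful retention: KeyError
    return rec.tenancy_end + timedelta(days=rule.retention_days)


def review_archive(records, today):
    """Sort every record into delete / retain / hold for a periodic review."""
    out = {"delete": [], "retain": [], "hold": []}
    for r in records:
        if r.legal_hold:
            out["hold"].append(r)
        elif today >= deletion_due(r):
            out["delete"].append(r)
        else:
            out["retain"].append(r)
    return out


def purge(records, today):
    """Return (archive without overdue records, number deleted); held records survive."""
    gone = {id(r) for r in review_archive(records, today)["delete"]}
    return [r for r in records if id(r) not in gone], len(gone)


def subject_access(records, tenant_id):
    """Copy of everything held on one subject, with the basis and planned deletion date."""
    return [
        {"stream": r.stream,
         "lawful_basis": RULES[r.stream].lawful_basis,
         "delete_on": deletion_due(r).isoformat(),
         "data": dict(r.data)}
        for r in records if r.tenant_id == tenant_id
    ]


def rectify(records, tenant_id, stream, field_name, value):
    """Update one field on request from the subject; returns records changed."""
    changed = 0
    for r in records:
        if r.tenant_id == tenant_id and r.stream == stream and field_name in r.data:
            r.data[field_name] = value
            changed += 1
    return changed


def sample_archive():
    """Constructed sample data for the example; no real tenants."""
    end = date(2016, 3, 31)
    return [
        Record("T-001", "emergency_contact", end, {"phone": "+44 7000 000000"}),
        Record("T-001", "reference_check", end, {"employer": "Example Ltd", "salary": 38000}),
        Record("T-001", "rent_ledger", end, {"balance": 0}),
        Record("T-002", "guarantee", date(2019, 1, 31), {"guarantor": "A. Person"},
               legal_hold="dilapidations claim DC-17"),
        Record("T-003", "rent_ledger", date(2019, 1, 31), {"balance": 1250}),
    ]


if __name__ == "__main__":
    archive = sample_archive()
    review = review_archive(archive, date(2019, 11, 30))
    for bucket, recs in review.items():
        print(bucket, [(r.tenant_id, r.stream) for r in recs])
```

Run against the sample archive on 30 November 2019, the review deletes T-001's emergency contact and reference check (their purposes ended with the tenancy) while the rent ledger stays on its six-year clock, and T-002's guarantee is kept only because of the explicit hold. The point of the design is that the deletion date is derived from the record's purpose rather than from a single archive-wide setting, which is exactly what an archive that "does not facilitate data erasure" lacks.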

Conclusion

The multi-million-euro German fine is not final; Deutsche Wohnen is expected to lodge an appeal in court. In this case, its chances of success are likely to rely on the articulation of the design requirements in article 21, and their application to its home-built archiving system.

However it ultimately ends, this has been an awakening for the industry. Just like other firms controlling and processing personal data, real estate companies are subject to GDPR, and face financial liability for failures to address compliance and demonstrate accountability. Vague processes and policies are not sufficient; it’s not enough to feel confident about there being no data leaks or misuse. Companies must work hard to identify the vulnerabilities that could undermine adopted data retention or records management policies. These are not always obvious, but lawyers used to providing answers can and must help to ask the right questions.