GDPR has controls over subcontractors in its line of fire


Mon 14 Mar 2022

Like all industries, the real estate sector has to implement a range of legal, technical and organisational measures to protect the personal data of its employees, customers, prospects and suppliers. Processing must comply with several regulations related to data protection, including, for example, the General Data Protection Regulation (GDPR), applicable since 25 May 2018. Similar regulations are now enforced in countries such as China, the USA, Brazil and Singapore to protect access to and use of personal data.

Depending on the business line within the sector, the processing of personal data can be very diverse in terms of the volume of data processed, the people involved and the geographical scope. Some groups, such as residential rental organisations or online platforms offering rental management services, may collect and process large volumes of personal data on their customers or prospects. In contrast, the construction sector, for instance, by its nature carries out more limited processing of personal data, although smart buildings could change the situation for constructors in future.

These companies need to keep track of personal data outsourced to third parties, whether for marketing purposes, an outsourced sales force, IT services or outsourced payroll, for example.

In Europe, the GDPR requires companies to protect the processing of outsourced personal data, particularly under Article 28. Beyond the subject matter of the contract, the company must ensure that its subcontractor provides adequate guarantees covering data security and confidentiality measures, for example on retention periods and access to data.

For a company using an outsourced sales force, it is necessary to ensure that disclosures to customers or prospects are made at the data collection stage. For outsourced payroll services, once again, the company needs to inform its staff that data concerning them is being processed by a third party and to ensure that the third party complies with the GDPR.

It is also necessary to maintain the processing register, which is a key part of the regulation. In many property management companies, this register is incomplete, out of date or simply non-existent. In such cases, particular attention should be paid to creating or updating this document or tool.

In addition, since March 2021, companies must ensure compliance with the rules applicable to cookies and other trackers when an internet user visits the company’s website.

Key points

  • List all service providers, partners or suppliers who process personal data
  • Diagnose and audit the subcontractor’s maturity with respect to the GDPR or any other privacy rules in the context of the service it provides
  • Where this is not already the case, ensure that the processor applies the personal data regulations and respects its contractual commitments
  • Inform clients, prospects and employees of the outsourced processing of personal data by a subcontractor.