GDPR one year on

The world of property management is a complex one crossing the relationships of the freeholder, management companies, property owners, who then may themselves be landlords and their sub-tenants.  Along with the role of managing agent comes the expectation that things can just get done without some participation from owners and residents on site.  Of course, this challenge is exaggerated somewhat more when there is no concierge or staff on site. 

Below is an advice note for Clients, many of whom are directors of management companies, so are not exempt from being treated as a business when dealing with residents and owners on site.

Put simply there are 5 reasons why you may contact someone.  These are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

As a freeholder or management company director arguably there is a contract in place.  The lease or transfer document for houses creates a contractual reason why communicating with an owner should occur.  Added to that there is the legitimate interest clause that covers situations where…..

And, then there is the …. clause to rely on in an emergency.

What is important, is that when choosing to communicate by email (as opposed to post or hand delivering documents) that you know when you obtained someone email address and what they thought they were giving it to you for at that time.  For example: if someone gave you an email address to consider joining an RTM (right to manage) group but then did not join up, arguably the right for you to use that email address would expire when the purpose for which it was given has ended.

The biggest risk is intentionally or accidentally exposing someone’s email address to another party involuntarily.  This is easily done as in the old days we all used to Cc owners on site.  Now quite clearly unless you can prove that the person giving their email address agreed to this Bcc is the only realistic option.  Along with a note to let people know that others have been Bcc’d for fear of people simply thinking that you forgot to copy everyone else in.  

For communications between directors (where only directors are involved) then Cc would be appropriate.  

Over the year we have received three GDPR complaints.  One where the persons email was exposed by the client in a residents group; another where an owner wished to receive some types of communication – but not others…. this is a very tricky one and almost impossible to police.  And, a third where despite reporting an urgent repair wanted the owner wanted to take no part in being contactable to let the contractor into the building.  Tricky, as the client did not want to foot the expense of paying for office staff attendance either.    

Much has changed in the way we operate at Ringley to deal with this.  We now record the date and time a person gives us their email address.  Every time a member of staff first sends an email out to a person they have to categorise which of the 4 allowable reasons they are relying on as authority to do so.  We also now Bcc groups and include a message explaining why. 

Our over-cautious approach has caused a little upset but not too much – for example where a directors email is sitting on a stray record card, not an owners record card then the system will detect that their email does not appear to actually be a directors email and Bcc all directors for safety.  We believe our data clean up efforts are pretty much complete and our Customer Care team continues to classify all new email addresses put into the system daily.

GDPR has also affected the way that owners can log into the Gateway so as a reminder if you are experiencing a problem this will be because either we do not have your email address correctly assigned to an owners record card, or we have not assigned your email as an ‘owners’ email address.      

Sites, where sub-letting is not controlled by the lease, are problematic as in theory we have to rely on good spirited community ethics and the legitimate interest clause to try to ensure we can engage the many many residents in sublet properties in a community-driven agenda.