May 25th, 2018: EU GENERAL DATA PROTECTION REGULATION

most important facts to know for the real estate sector

On 25th of May 2018 essential changes are coming for all companies that are processing personal data. For example, corporations who recording data of suppliers, customers, sending newsletters, and so on are directly affected. In fact it is relevant to all companies – especially in the marketing department. In the real estate sector, the new regulation relates to data of tenants and lessors as well as data of tenancy agreements.

To be well prepared for the new regulations, metamagix offers an advanced anonymization and data extract module (metamagix.ICRS Anonymization & GDPR). Primarily corporations should do an analysis of the actual state of the handling of personal data. This means to become clear which personal data is processed as well as which personal data is recorded and how long the personal data may be stored. It is important to have a record of processing activities (including contact data of your own business, purpose of the processing, description of the categories of data subjects and of the categories of personal data, envisaged time limits for deletion of the different categories of data and a general description of the technical and organisational security measures).

Especially in the sector of data handling we are expecting big changes. From May 2018 persons have to assent the recording of their personal data – currently this is only necessary with sensitive data. A further subject is to automate conversion of personal data to be able to supply information in the future. All persons have to be informed about the data handling and for the automatization of targeting, the users have to agree as well. For printed mailings you do not need an explicitly agreement from the consumer. When using digital media, the regulations a bit different: in this case you need the unambiguous agreement from the users, e.g. in showing interest or an interaction with your company.

A further task is the obligation to disclose the held data to persons. Therefore the company has to provide information of the recorded data and the use of it on request. To support companies to handle with this new regulation and to avoid penalties, metamagix developed an advanced anonymization module in cooperation with clients. “In the real estate sector the primary field of application of GDPR is handling data like name, address and birth date of tenants. This data has to be recorded for at least seven years after expiration of a contract – the ‘Right to be forgotten’” explains Randolph Kepplinger, managing partner of metamagix. “Software accordingly has to automatically delete or anonymize this personal data after expiration of the deadline – and ICRS does exactly that, reliable and automated.” elaborates Kepplinger. In addition to the automated processing the new module offers the possibility to manually anonymize the data in case of a request. And the software covers the regulations of “Right to Access”: this is also easily done in ICRS.  In case of an enquiry of the contract partner, a zipped information file with all data stored for the person can be generated and handed over to the person.

Furthermore it is possible in the ICRS-CRM module to incorporate checkboxes and attributes like consent for newsletters or mailings so that this information can be stored alongside contracts and other agreements with clients and suppliers.

In general the GDPR will harmonize the data privacy laws in the EU and replace the national laws. The institutional rules of action bring clear structures to the individual legislations of the member states that currently have a high level of creative leeway.

According to Kepplinger it is a critical point of GDPR to record and store personal data outside the EU because you need an explicit agreement of the parties – and this agreement may be withdrawn at any time. This also affects cloud hosting as well as development and support in non-EU-countries.

If there is a data breach you have to inform the national regulation authority and the aggrieved client within 72 hours. Violations of the new regulation can also be caused by a data loss. The punishment in case of a violation of the new regulation range partially lies in a range of million Euros. More