The RGPD too often forgotten by real estate agencies

The different actors linked to real estate rental are confronted with the GDPR compliance, and it is unfortunately not rare to notice that nothing is done to inform the owners or the tenants. However, the GDPR must be taken into account in the context of real estate rental, and the CNIL has published a reference framework on this subject. We will not repeat here all the obligations that the GDPR imposes on the different actors, but those that specifically concern the real estate rental. Indeed, all the professional actors of the real estate rental sector must be in compliance, which implies having implemented and documented in detail the measures taken.

• Prospective tenants who must be informed and sign a contract or consent to a privacy policy BEFORE entrusting any data to the agency
• The owner who is the controller is subject to all the obligations of the RGPD except if it is a private management of personal property. If he contracts with an agency, the RGPD aspects must be part of it.
• The tenant chosen by the owner, who, independently of the data given to the agency, will have to sign a lease contract and give additional data such as a bank account
• The real estate agency that will collect data from prospective tenants and submit it to the landlord
• The agent or employee of the agency who in his contract with the agency must have been informed about compliance with the GDPR and signed a confidentiality clause
• The possible network to which the agency belongs, which has a contract with the local agency that must contain the roles of each and notably the terms of compliance with the RGPD.
• The subcontractors of the real estate agency, such as the manager and the host of its database, the manager of its website who has access to online requests for information, etc.

1. The owner wants to rent out the property.
   1. If he or she is doing this himself or herself and is a professional, or a real estate company, he or she will have to offer the applicant tenants a privacy policy to which they will have to agree and he or she will have to keep proof of the applicant's acceptance of this policy.
   2. If he entrusts his property to an agency, he will have to sign a contract with it in which the issue of personal data processing will be specified
2. The prospective tenant will be required to submit a file with a lot of personal data, ID card, salary statements, etc. The landlord or agency will have to get the tenant to sign a contract or at least get the tenant's consent to the privacy policy regarding the data he or she is giving to the agency or landlord. The landlord or agency will need to have the tenant sign a contract or at least obtain the tenant's consent to the privacy policy regarding the data they are entrusting to the agency or landlord.
3. The agency or the owner will analyze the candidates' files and possibly refuse some of them. Their data will have to be destroyed in accordance with privacy policies.
4. The agent or employee of the agency, or the owner, contacts the candidates by messenger or cell phone, to arrange the visiting hours and will therefore collect the candidate's cell phone number.
5. The landlord will choose the successful candidate and sign a lease with him or her. And as part of that contract, the issue of personal data will need to be addressed.
6. The owner's and agency's subcontractors will collect their customers' data and the contract between controller and subcontractor must specify the rules for handling personal data.
7. During the life of the lease, additional data processing may take place, such as work carried out by tradesmen, recovery of unpaid rent, etc.

For all these data processing operations, the GDPR requires a legal basis, without which these processing operations would be purely and simply illegal and punishable. It is up to the data controller to determine the legal basis applicable to the case. There are only three possible legal bases in the context of real estate leasing, and these must be specified in the proposed privacy policies:

• The consent of the person concerned: for example when the candidate tenant entrusts his data to the agency.
• A contract: for example, when a landlord entrusts the task of finding a tenant to an agency
• Legitimate interest: e.g. of the agency to contact former customers for similar commercial proposals

And for all such data processing, privacy policies will have to be drafted and offered BEFORE any collection and processing of personal data. And these privacy policies must include many details:

• The identity and contact information of the data controller (the entity collecting or processing the data)
• The legal basis under which the data is collected and, in case of consent, the fact that the data subject may withdraw consent at any time.
• The type of data collected, taking into account that only the collection of essential data is allowed and that certain types of data cannot be requested, such as the religion of a candidate tenant for example.
• The contact details of its data protection officer. It is recommended that professionals in the sector appoint a data protection officer, who can be shared within a network of agencies for example.
• The purposes of the processing, i.e. the reasons for which the data are collected or processed
• The categories of natural or legal persons who will have access to the data: owner, bank for the bank guarantee, subcontractors of the agency, tax authorities, contractors in case of works, etc.
• The fact that the data will be transferred outside the European Union (in case of using an American host for the agency's database for example)
• The duration of data retention. Indeed, they must be destroyed as soon as it is no longer necessary to keep them, for example the data of an unsuccessful candidate tenant, unless the latter asks to be informed of other rental possibilities. These durations are different in each case: the data of a candidate tenant is kept differently from that of the selected tenant.
• Information on the rights of the persons concerned: right of access, rectification, etc.
• Information on the possibilities of lodging a complaint with the relevant authority (e.g. CNIL)
• The existence of automated profiling techniques, for example to automatically select tenant applicants

To properly inform data subjects, it is recommended that the privacy policy be communicated to them at the first exchange and that in the case of data transfers, the policy be approved before any personal data is transferred. Also, a complete privacy policy should be available on the agency's and owner's website. A link to the privacy policy can also be included in the rental advertisement, in emails to applicants and on the contact form on the real estate agency's website for those interested in a rental advertisement.

It is important to note that the data collected must be only those necessary for the processing concerned. For example, bank details and salary slips can only be collected when the prospective tenant is interested in signing a lease, so that the landlord can make a choice among the prospective tenants. These data cannot be collected for simple visits before the prospective tenant commits to a lease.

It is the responsibility of the data controller to put in place the necessary security measures to safeguard the confidentiality of the data collected, and in particular to limit access to it only to those persons who need it for their job. It would not be correct for all employees of all agencies in a network to have access to all personal data of all applicants in all agencies. Similarly, the choice of agency subcontractors is the responsibility of the data controller, who must select organizations that demonstrate that they are compliant with the GDPR.

Let's not forget that the persons concerned have a right of access, rectification and deletion and that those who collected the data must respond within a month.

It is therefore essential that agencies and owners (when they are professionals) put in place the necessary information for data subjects, the procedures related to this information and the rights of data subjects, not to mention the constitution of a complete RGPD file.