Owner management companies must comply with the Companies Act 2014.
Owner management companies evidently process data which detail of the financial management, property title, list of names and address of members.
The companies act states that a members register is a public document.
All personal data detailed in the register of members has to comply with data protection laws.
Members data has to be processed fairly, transparently, lawfully. There must be legal basis for the processing. GPDR rules regarding the lawfulness of processing, conditions of consent etc. must be adhered to. The data must be collected for specified, explicit and legitimate purposes. The data obtained should follow a minimal data retention principle so data obtained should only be limited to the purpose for which it is processed and not held unnecessarily. If a member ceases to be a member or resident having their personal data on a register is not necessary.
Members have a right of access to their personal data.
Careful consideration is needed regarding any disclosure of personal data matters.
Processing personal data in relation to legal proceedings to a legal advisor can be a legitimate processing reason or disclosure to Gardai for law enforcement purposes can have a legitimate purpose also as this is set out at s.41 of the Dat Protection Act 2018.
CCTV footage involves data processing. Persons who control a CCTV system are controllers or processers of individuals personal data.
The controllers / processors of the CCTV have to comply with GDPR provisions and principles of lawfulness, appropriate purposes, necessity, proportionality, security, retention, transparency must apply. A CCTV data protection policy is necessary.
An owner management company will likely need to engage a property management company.
A property management company will likely be deemed a processor under the GDPR regulation. Written authorisations are needed. A contract should be in place between the property management company property management company.
In the event of a data breach the controller must notify the data protection commission within 72 hours.
It may be necessary to notify the affected persons but a risk assessment must be done if this issue arises.
A landlord is required by law as a unit owner to give to the owners management company the information regarding tenants / habitual occupiers as stated under S.8(3) of the multi-unit developments act 2011.
Need Legal Advice? No problem. Contact Us Today!
We can assist with legal advice on GPDR matters & Irish data protection law matters.
