by Antonio Montanaro, attorney-at-law
Apartment buildings, like companies, public bodies and professionals, are directly involved in the new privacy rules that have revisited the previous legislation and strengthened the rights of individuals on this sensitive aspect.
The apartment building is the “Data Controller” and therefore is required to take all relevant decisions about the purposes, methods and tools used to carry out the processing, while the administrator of the apartment building assumes the role of “Data Processor” or “the person who, on behalf of the Data Controller, performs the tasks assigned to him / her by contract – processing the personal data collected by the Data Controller in the light of satisfying the purposes indicated by the apartment building – Data Controller itself. In doing so, the residents, when appointing the administrator for the tasks referred to in Article 1130 of the Civil Code, must independently verify that the appointed professional meets the requirements of the regulation and guarantees the rights of the interested parties.
What else must the apartment building do?: prepare the information in accordance with the provisions of the GDPR and collect the consent of the residents or those who hold a real right or a right of user on a timeshare, whose data are already (or will be) in possession of the building itself. The building itself must respect and enforce the principles of the European regulation and in particular the rights of the interested parties. It must process the data according to lawfulness, it must provide for the appointment of the Data processors, such as the apartment administrator, but also all those service providers who use personal data, and here the list can become very long.
In the event that particular treatments are carried out, as could happen for example for the installation of a video surveillance system, it will be advisable to carefully evaluate the privacy impact and consequently adopt all possible precautions.
In reality, the apartment building does not realize all of this directly but delegates most of the treatments to the administrator who, in order to carry out their duties, must use the data of the residents as well as anyone holding a real right or a right of user on a timeshare. The administrator, therefore, as the Data Processor, will have to process the data only according to the purposes and methods of his mandate and dictated by law; must guarantee the adequate training of the persons authorized by him to process the data, or his collaborators; he will have to adopt and highlight the procedures in his professional studio; must assist the data controller – that is the apartment building- in guaranteeing the rights of the data subjects as well as possibly communicating with the Privacy Authority to assess the impact of new treatments, as well as other activities that this brief discussion does not allow to elaborate further.
In conclusion, we can see how the new privacy regulation has fully invested in the relationship between the Apartment Building and the figure of the administrator and on this aspect, both figures, must pay particular attention.