Digital smart lock alternatives have emerged alongside conventional mechanical locks and keys, and the new systems also collect the users’ personal data. When thinking about making the switch to smart or digital locks, housing companies must also consider the issue from a data protection perspective, because the processing of personal data is strictly regulated.
Smart or digital locks do make things easier in many respects, but a housing company, as a controller, is responsible for compliance with the Personal Data Act or the General Data Protection Regulation that takes effect in May 2018. When an access right linked to an individual, or other information related to the individual, such as the time at which the individual accessed a specific space, is recorded in the system, that information is considered personal data.
The building manager, building maintenance company or other party that handles personal data for the housing company’s locks is also responsible for compliance with the legislation. As the controller, the housing company must keep a filing system record that is compliant with the Personal Data Act, and it must also take care of other reporting obligations. In conjunction with a locking system upgrade, it is recommended at the very least to review the filing system record, because digital and smart locks collect personal data.
The General Data Protection Regulation imposes new requirements
With the new General Data Protection Regulation (GDPR) applicable next year, the filing system record and other data submitted to the data subject must be re-verified. With the new regulation, the controller is obligated to disclose, among other things, the period of time for which the personal information will be stored, or, if that is not possible, the criteria used to determine this period. In fact, the requirements of the new GDPR must be taken into consideration when acquiring a new lock system. It is advisable to verify with the service provider, as early as the purchasing phase, that data can be erased from the system.
The housing company must obtain answers from the service provider to the following questions, which are essential in terms of data protection:
- whose personal data is recorded in the system
- what personal data is recorded in the system
- where the data is recorded
- how long the data remains in the system
- is it possible to change the storage period
- is it possible to change the storage period criteria
- how personal data is erased
- who has access to the data in the system
Collected data must not be used for just any purpose
The processing of personal data must be planned in advance. Before collecting data, the purpose of the processing and the sources of the personal data acquisition, among other things, must be determined. The collected data must not be used or processed for anything other than the predetermined purpose.
A person’s movement in the housing company must not be monitored without grounds that are consistent with the purpose. For example, if the building’s access control is to be used to verify information about who has visited the housing company’s premises during a specific time period, this purpose must be taken into consideration in advance. The housing company determines who processes personal data in line with the purpose. An individual who has processed personal data has an obligation of professional secrecy with respect to the data related to the data subject.
Data is collected on residents as well as on other individuals at the premises, like maintenance and janitorial personnel. A consideration in terms of service providers’ employees is that, in addition to the Personal Data Act, the issue is also regulated by the Act on the Protection of Privacy in Working Life. According to it, matters related to the organizing of access control must be processed through the cooperative or consultative procedure. The housing company must verify with the service providers that they have taken the required measures.
The housing company should also verify that, in addition to data protection, the lock service provider will take care of data security. The new General Data Protection Regulation imposes the obligation to report data breaches, so preparations must be made for them. It is worth keeping in mind that data protection issues also affect housing companies.
Know the terminology
Data protection = safeguarding an individual’s privacy by protecting the individual’s personal data in line with the legislation
Data security = securing data, systems and data communications
Personal data = all information that can be related to an identifiable person, such as a name, identification number, location data, photo or online identifier
Data subject = a natural person to whom the personal data is related
Processing = any operation that is performed on personal data or on sets of personal data, such as collection, recording, organization, storage, retrieval or erasure
Filing system = any structured set of personal data that are accessible according to specific criteria
Controller = a body that controls the filing system and determines the purposes and means of the processing of personal data
Processor = a body that processes personal data on behalf of the controller
The writer is an Associate with Lexia Law Firm’s construction, housing and environment practice
The writer is an Associate with Lexia Law Firm’s IP, Technology and Media practice