1. What are current regulations on Data Protection in Spain?
Since May 25, 2018, the European General Data Protection Regulation (GDPR) is the regulation governing use of data in Spain.
At the moment, the Congress of Deputies is drafting an Act (Ley Orgánica) with the purpose of adapting our national/ internal Law to community regulations.
2. Should Community of Owners adapt to the new General Data Protection Regulation?
Yes, of course, as an entity with has personal data under administration.
3. What data should be subject to treatment within the scope of the Communities of Owners?
Current regulations establish no limits on what data the Community of Owners can treat, these are usually:
- Name of owners
- Identification documents
- Telephone numbers
- Addresses
- Emails
- Bank accounts
But any other data can be managed by Community of Owners if they are owners ‘data and are necessary for the usual activity of the Community
4. Should the files be notified to the Spanish Agency for Data Protection?
With the entry into force of the GDPR the indicated registration disappears, but there is an obligation to internally keep a record of the treatment activities.
5. Is the Community of Owners obliged to have it?
Community of owners is just obliged if the treatment that it carries out may entail a risk for the rights and freedoms of the interested parties, not be occasional, or include special categories of personal data. In any case it is highly advisable as it is a proof of "active responsibility" and facilitates the correct compliance with the regulations.
6. What is the record of treatment activities?
The record of treatments must have the following content:
a) The name and contact details of the person responsible
b) The purposes of the treatment;
c) A description of the categories of stakeholders and the categories of personal data;
d) The categories of recipients to whom the personal data were communicated or communicated, including the recipients in third countries or international organizations;
e) Where applicable, the transfer of personal data to a third country or to an international organization, including the identification of said third country or international organization and, in some cases , the documentation of adequate guarantees;
f) Where possible, the deadlines set for the deletion of the different categories of data;
g) Whenever possible, a general description of the technical and organizational security measures
7. Should the Communities of Owners have the figure of the Delegate of Data Protection (DPO)?
They should not
8. Who is responsible of Data Protection according to current regulations?
The Community of Owners is responsible for the treatment of personal data, while the administrator acts as the manager, but the AEPD ( Spanish agency for Data Protection) establishes a series of conditions for the relationship Community-Administrator-Protection regarding community data is correct.
- The Administrator must only access the data for the exclusive purpose of providing a service to the Community
- . If the use of the data is for purposes not included in the Horizontal Property Law (LPH), the consent of all owners will be necessary, with the novelty of the GDPR that requires that the consent be express and unambiguous.
- The relationship between the Community of Owners and the Property Administrator, in accordance with the GDPR , must be in writing .
Please contact us if your Community of Owners is in need of advise for Data Protection compliance