The legal challenges of PropTech - (I) How to valorize data while complying with the GDPR?

Published on 10 October 2024


The term PropTech (a contraction of "Property" and "Technology") refers to the use of technology and digital tools in the real estate sector at all stages of the value chain, from construction to asset management and property management, including transactions conducted on the market for selling or renting properties (or even potential financing rounds).

As in other sectors (health, law, insurance, etc.), established players in property management or asset management, as well as many startups, have recognized the benefits of leveraging constantly evolving technologies to automate existing processes or offer new services to all stakeholders, particularly end users.

Examples include 3D printing and virtual (or augmented) reality in the construction phase; the valuation of buildings using artificial intelligence (AI) tools; online platforms for property sale or rental listings; the electronic signing of loan contracts at the transaction stage; and "smart" property management based on the Internet of Things (IoT) or collaborative tools that maximize the use of coworking spaces or parking lots.

Lime offers an analysis of the main legal challenges in PropTech, with the first part dedicated to the GDPR.

In the growing PropTech sector, technologies in general, and digital tools in particular, are utilized by companies in the real estate sector or startups to improve certain processes or offer new value-added services to users. The provisions of the General Data Protection Regulation (GDPR) must be strictly complied with when processing personal data.

  • Firstly, the situation at stake must be accurately analyzed to determine the specific role played by each actor and to classify them according to the categories of the GDPR (data controller, processor, data subject, etc.).

  • Next, it must be ensured that all the rules prescribed by the regulation have been complied with (lawfulness of processing, purpose limitation, transparency, contractual relationships with potential processors, etc.), failing which there is a risk of financial penalties or reputational damage.

1. PropTech and the processing of personal data

Data processing carried out within the framework of PropTech must strictly comply with the regulatory framework, especially when it involves personal data.

Here are some questions to be attentive to when processing personal data in the field of PropTech: identification of the roles of the parties (point 2); complying with the principles of the GDPR (point 3); and risks incurred in case of non-compliance (point 4).

2. What is the role of the parties under the GDPR?

Multiple stakeholders

According to the GDPR, the data controller – i.e., the one who determines the means and purposes of the processing – primarily bears the responsibility of complying with the requirements prescribed by the regulation.

If necessary, the data controller may engage processors (in the sense of the GDPR) who will process the data on their behalf and according to their instructions (for example, an IT service provider offering a technical solution or providing cloud storage).

A sometimes complex identification

The role played by the parties must also be precisely identified, for each proposed processing activity: sole data controller, joint controllers, processor, third party or data subject.

This analysis is of importance not only to assess the liability incurred by each of the actors but also to determine who holds the rights to the data and who can, if necessary, share or exploit it for economic purposes.

  • In certain cases, the exercise should be quite simple. When a property owner publishes an advertisement on an online sales or rental platform, the owner is considered the data subject, and the platform manager is the data controller.
  • In other scenarios, particularly in property management, many actors could be involved. For example, the owner or tenant of an office building may engage a specialized company to manage their property, as well as a technology provider offering a solution to optimize parking space allocation for employees occupying the offices or for third parties. The data subject is the driver of the vehicle seeking a parking space; the other participants - the technology provider, the building owner, the building manager, and the company occupying the building - will share the roles of data controller (potentially as joint controllers) and processors. Depending on the risks each actor is ready to assume, a distribution of roles compliant with the GDPR must be established and properly documented, particularly in privacy policies or in agreements governing the subcontracting of data processing or joint liability.

3. Focus on certain principles of the GDPR

List of principles

Article 5 of the GDPR lists the principles relating to the processing of personal data and elaborates on them in other parts of the text (such as transparency and security obligations), alongside the duties imposed on data controllers and processors: lawfulness, purpose limitation, data minimization, storage limitation, accountability, etc.

These principles must clearly be complied with in the PropTech environment, which can raise questions – sometimes challenging – in certain cases. Without claiming to be exhaustive, here are some illustrations drawn from practical experiences.

A few examples

  • First, let's consider the example of an individual whose home is equipped with a smart meter for electricity supply. With this device, it is possible to measure energy consumption in real-time and adjust habits to limit consumption or schedule it for times when the rates are more favorable. If this individual wishes for the data to be shared with a third party (offering value-added services), a lawful basis must be identified, and typically, their consent will be necessary. Additionally, the network operator must implement various security measures to ensure the integrity and confidentiality of the data: analyzing energy consumption can reveal the habits of the data subject (such as when they are home, what time they wake up, how many people are in the household, etc.). A data breach could therefore have very damaging consequences for the data subject.
  • Let’s imagine again that the manager of a significant number of apartments or studios decides to equip them with sensors to facilitate maintenance and intervene promptly to extend the lifespan of the infrastructure. The data collected could be considered personal data revealing various useful information about the occupants. The legitimate interest of the data controller or the performance of the contract could provide sufficient lawful bases for maintenance purposes. However, it is difficult to imagine that, for other purposes, and with a view to monetization, this data could be aggregated on a large scale and shared with the company's partners without prior anonymization and/or the identification of another lawful basis, combined with the provision of specific information. Otherwise, it could be considered that the principles of purpose limitation and data minimization have been violated.
  • In the aforementioned example of managing parking spaces in an office building, if the solution was presented as a flexible space optimization tool, the principle of purpose limitation should, in turn, prohibit an employer from analyzing parking usage data (entry and exit times) to calculate the working hours of staff members and draw consequences in terms of labor law.

Transparency obligations

The implementation of transparency obligations to respect the rights of the data subject must result in the drafting of privacy policies (or privacy charters) that comply with the provisions of the GDPR. It will also be necessary to ensure their binding nature with respect to the data subjects, which can be complicated when many actors are involved in various capacities (see previous examples).

This multiplication of actors can also create complexity when identifying the controller with whom the data subject can exercise their rights (access, rectification, objection, etc.).

4. What are the risks of non-compliance with GDPR principles?

Non-compliance with the requirements prescribed by the GDPR can be severely penalized, notably by fines calculated as a percentage of the company's turnover (up to 4%).

Beyond the costs associated with legal proceedings before the Data Protection Authority, the potential negative reputational impact should not be underestimated.

Therefore, it is crucial to pay close attention to compliance with the GDPR while addressing any complaints seriously and promptly.

For more information, please feel free to contact Hervé Jacquemin.
