The Bavarian State Office for Data Protection Supervision (BayLDA) is currently conducting audits of real estate agents to ensure compliance with the Data protection regulations to check. This Data protection check for prospective tenants aims to ensure that brokers comply with the provisions of the Bavarian Data Protection Act and the GDPR comply with.
The authority sends out questionnaires to randomly selected brokers and requests information on various topics such as the scope of electronic Data collection via websites, the collection of Applicant datathe storage duration personal datathe Retention periods and Obligation to delete and the safety measures. A Privacy Impact Assessment and the collection of Declarations of consent are also on the test plan.
Key findings
- The BayLDA conducts audits of real estate agents for compliance with data protection.
- Brokers must provide information about their data collection at Rental applications issue.
- Central topics are data storage, Obligation to delete and safety measures.
- Violations may result in Fines of up to 300,000 euros.
- Consent and data protection impact assessments are checked.
Introduction to the data protection check for prospective tenants
The Bavarian State Office for Data Protection Supervision (BayLDA) has published a Data protection check with real estate agents in Bavaria in order to ensure compliance with the Data protection regulations to be checked. These random checks are intended to ensure that the Broker the requirements of the Bavarian Data Protection Act and the General Data Protection Regulation (GDPR) when processing data. Applicant data for prospective tenants comply with.
The Data protection check is important because real estate agents handle a large number of sensitive data in the course of their work. Data from prospective tenants and buyers must collect and process. This includes, for example, personal information, creditworthiness data and financial data. The BayLDA data protection audit should ensure that the Broker when collecting and processing this data, the Data protection real estate industry relevant provisions.
The authority sends out questionnaires to randomly selected brokerage companies and asks them to provide information on the handling of personal data.
By answering these questionnaires, the brokers must explain how they have Data protection broker-specifications in practice. The Prospective tenants Review is intended to uncover possible deficits and sensitize brokers to the responsible handling of customer data.
Legal basis of the data protection audit
The BayLDA's data protection audit of real estate agents in Bavaria is based on two central legal principles: the Bavarian Data Protection Act as a country-specific regulation and the superordinate General Data Protection Regulation (GDPR) of the European Union. These laws and regulations stipulate how companies such as brokers must deal with personal data have to deal with and which Data protection rights affected persons such as Prospective tenants and buyers have.
Bavarian Data Protection Act and GDPR
When collecting and processing data, brokers in Bavaria must comply with the requirements of the Bavarian Data Protection Act as well as the provisions of the Europe-wide DS-GVO Broker comply with. A breach of this Privacy policy can be of great benefit to the Real estate industry sensitive Fines result.
Information obligations and consent requirements
A central aspect of the Data protection law are the Duty to inform towards the persons concerned. Accordingly, brokers must Prospective tenants for example, about the purposes of data processing, the legal basis and the storage period. In addition, in certain cases they must Consent the Prospective tenants for data processing. This Conditions for consent for brokers stipulate that consent must be voluntary, informed and unambiguous.
As part of the audit, the BayLDA checks whether real estate brokers are using these Data protection information correctly Prospective tenants and the specifications for the Conditions for consent comply with.
Scope of electronic data collection
The BayLDA audit places a particular focus on the scope of the electronic data collection with Real estate agents. In particular, the collection of personal data about Websites and Contact forms under the microscope.
Website and contact forms
The authority wants to check which and how many personal information that estate agents collect from prospective tenants and buyers via their websites and online contact forms. It is important that the data collected is lawful and limited to what is necessary. Disproportionately extensive data collection may violate Privacy policy violated.
Data security measures
In addition to the scope of data collection, the BayLDA also reviews the Data security measuresthat brokers take to protect the personal data they collect. These include, for example
- Encrypted communication About websites
- The Encryption from e-mails
- The backup of mobile data carriers
- Digital security measures against unauthorized access
Brokers must take appropriate technical and organizational precautions to ensure adequate data protection. Otherwise there is a risk of Fines for violations of the GDPR.
| Measure | Description | Relevance |
|---|---|---|
| Encryption | Encoding data for secure transmission | Protects against unauthorized access |
| Firewall | Protection system to defend against cyber attacks | Increases network security |
| Access control | Restriction of data access to authorized persons | Prevents data manipulation |
Collection of data on prospective tenants and buyers
In the course of the data protection audit, the BayLDA will focus in particular on the Data acquisition Surveys and the collection of personal information from Prospective tenant data as well as Prospective buyer data lay. A distinction is made between two stages:
Extent of data collection during inspections
If interested parties only wish to view the property, comprehensive Data acquisition Surveys inadmissible in advance. Such detailed data collection is not necessary at this early stage. The authority will therefore examine whether brokers have violated data protection regulations in such cases.
Data collection for specific interest
The situation is different when people express a concrete interest in a rental or purchase property. In this case, estate agents may more Concrete prospective tenant data or Prospective buyer data that are relevant to creditworthiness and the conclusion of a contract. However, this is also subject to Data acquisition Limits that are checked by the data protection supervisory authority.
For example, information on the previous tenancy situation or questions about plans to start a pet or family are not permitted. The amount of information collected Contract data for real estate must always be limited to what is necessary.
To ensure compliance with the Prospective buyers Data protection the BayLDA will take a close look at the data collection practices of brokers as part of its review. This is the only way to ensure that consumers' rights are protected and violations of the law are prevented.
Data collection from tenants and buyers
Another important review of data protection supervision concerns the Contract data of tenants and buyers. If estate agents have already concluded contracts with tenants or buyers, they are entitled to use the Contract execution to collect and process the necessary data. However, they must observe the principles of data minimization and purpose limitation.
The supervisory authority will closely examine whether brokers are no longer Contract data than is necessary to fulfill the purpose of the contract. A breach of this requirement for data minimization can lead to severe fines. The purpose limitation must also be maintained - brokers may not use the Purchase contract data for other purposes such as marketing or disclosure to third parties.
To avoid violations, brokers should have clear guidelines for dealing with Tenant contract data and Purchase contract data implement. This is the only way to Data protection real estate sales at a high level and avert fines. Consideration of these aspects will be a focus of the audit by the Bavarian State Office for Data Protection Supervision.
BayLDA data protection check of prospective tenants
The Bavarian State Office for Data Protection Supervision (BayLDA) is currently conducting a Data protection control real estate industry by BayLDA audit of brokers with regard to compliance with data protection regulations by real estate agents. With this Data protection review of rental applications the authority is pursuing several objectives:
- Ensure that brokers comply with the legal requirements of the Bavarian Data Protection Act and the GDPR comply
- Identifying possible deficits and problems in practice
- Creating a deterrent effect and sensitizing brokers to data protection
As part of the audit, the BayLDA also reserves the right to carry out on-site inspections of individual brokers in order to verify the actual implementation of the data protection provisions.
| Key audit areas | Explanation |
|---|---|
| Electronic data collection | Review of data collection via websites and contact forms as well as data security measures |
| Collection of data from interested parties | Control of data collection during visits and specific interest as well as the scope of data collection |
| Use of IT service providers | Review of the contracts for commissioned data processing and the security measures of the service providers |
"Data protection is not an annoying obligation, but an important asset that we must take seriously in the real estate industry," explains the authority.
Storage period of personal data
The Retention periods for prospective tenants are an important part of the data protection audit conducted by the Bavarian State Office for Data Protection Supervision (BayLDA). Real estate agents must delete the data of prospective tenants and buyers as soon as it is no longer required for the fulfillment of the purpose. However Duty to delete real estate for certain documents also legal Storage period of applicant data before.
As part of the audit, the authority will check whether brokers comply with these requirements and do not store data indefinitely. Violations may result in severe fines.
Brokers must therefore make a precise distinction between different types of personal data and identify the respective Retention periods know. While Applicant data of unsuccessful prospective tenants have to be deleted relatively quickly, there is no need for contract documents Duty to delete real estate often over several years.
"Compliance with the statutory retention periods is a central component of data protection. Brokers should be well positioned here to avoid risking fines." - Felix Brinkmann, lawyer for data protection law
The BayLDA will pay particular attention to this aspect as part of its audit of real estate agents in Bavaria. Retention periods for prospective tenants must be implemented correctly and documents must be deleted on time in order to avoid violations.
Use of IT service providers and commissioned data processing
Many real estate agents rely on the support of IT service providers such as cloud providers or data centers. As these service providers often have access to personal data it is particularly important for brokers as responsible parties to Job processing in a legally compliant manner.
Contractual requirements
As part of the Order data processing brokers have to work with their IT service providers conclude special contracts that meet certain requirements of the General Data Protection Regulation (GDPR) fulfill. These Contracts must contain clear instructions to the contractor and regulate how the Data protection controls are to be implemented. The Bavarian State Office for Data Protection Supervision (BayLDA) will check whether such contracts exist and whether they meet the legal requirements as part of its review.
Security measures of the service providers
In addition to the contractual requirements it is equally important for brokers to understand the actual technical and organizational Security measures their IT service provider to check. The brokers must satisfy themselves in advance of the Protective measures to ensure data security and document this. As part of the audit, the BayLDA will also take a look at whether the brokers have complied with this obligation. Otherwise, there is a risk of severe fines due to a lack of data security in the Order data processing for real estate.
Especially when working with external IT service providers, it is essential for real estate agents to comply with data protection regulations. This is the only way they can guarantee the protection of their customers' personal data and avoid high fines.
Copies of ID cards and legal regulations
In the course of the data protection audit, the BayLDA will closely examine whether Real estate agents wrongly make copies of their clients' identity cards or other identification documents. According to the Identity Card Act, such Copies of identity cards only permitted in clearly defined cases. The activity of Brokers for lettings however, is not included.
If brokers nevertheless make copies of ID cards, this is a violation of the Privacy policy and can lead to severe fines.
The BayLDA wants to provide clarity on this issue with the audit and ensure that the legal regulations to copies of identity documents must be observed by brokers.
The Copying of identity cards by brokers is only permitted in exceptional cases and must always be carefully examined. The supervisory authority will be particularly vigilant in this area.
| Permitted copies | Illegal copies |
|---|---|
| In case of legal obligation | Routine copying |
| Consent of the ID card holder | Without consent |
| Overriding legitimate interests | Disproportionate data collection |
Brokers are required to make copies of ID cards only in absolutely necessary cases and to observe the strict data protection regulations.
Possible consequences of data protection violations
Real estate agents who violate data protection regulations can face severe penalties. The Bavarian State Office for Data Protection Supervision (BayLDA) can impose fines of up to 20 million euros or 4 percent of the company's global annual turnover for violations of the General Data Protection Regulation (GDPR). Warnings from competitors or consumer protection associations are also possible and can result in high legal costs.
Fines and warnings
The most common sanctions for data protection violations by real estate agents are fines and warnings. The BayLDA can Fines for data protection violations Brokers if they violate the GDPR or the Bavarian Data Protection Act. This could include, for example, unlawful data collection, inadequate security measures or non-compliance with Obligation to delete. Data protection warnings for real estate can also be issued by competitors or consumer protection organizations if these Sanctions under data protection law recognize.
English 
Deutsch 
Español 
Français 
Polski