The Danish Data Protection Agency oversees GDPR compliance in Denmark and recently announced that housing companies, associations and administrators are on their list of focus points for 2024.
All landlords process personal data about tenants to some extent, such as name, address, phone number, account number, debt information, CPR numbers, etc.
When you process personal data as part of your rental business, you are subject to the rules of the General Data Protection Regulation ("GDPR"), which the Danish Data Protection Agency monitors your compliance with. The Danish Data Protection Agency publishes annually which areas or actors they will have a special focus on for the year and supervise on their own initiative.
One of the Danish Data Protection Agency's focus points for 2024 is housing associations, including both housing management companies and the housing associations' own administration. More specifically, the Danish Data Protection Agency will focus on whether these actors have sufficient procedures to handle requests from residents to exercise their rights under the GDPR. In addition, the Danish Data Protection Agency will also focus on the housing associations' use of CCTV surveillance.
TV surveillance
In 2024, the Danish Data Protection Agency will focus on whether housing companies and associations comply with the rules when using CCTV surveillance.
In addition to TV surveillance being in accordance with the TV Surveillance Act, surveillance must also comply with GDPR, as video recordings of individuals are personal data and the processing is therefore covered by GDPR.
The landlord must therefore make sure,
- that there is a legal basis for TV surveillance in the GDPR,
- that the CCTV is set up lawfully, fairly and transparently, and
- CCTV footage is processed legally and deleted in accordance with the law.
The starting point is that there must be a concrete and necessary need to use CCTV surveillance to combat and prevent crime before it is legal to initiate CCTV surveillance. Housing organizations and associations etc. that represent households in a residential area must also have permission from the police to conduct CCTV surveillance of the residential area in question or associated areas.
The fact that the TV surveillance must be set up legally means, among other things, that the landlord is generally not allowed to record sound on the TV surveillance, as this is in violation of the Danish Criminal Code's rules on eavesdropping.
This also means that the landlord cannot use the recordings for purposes other than crime prevention if the new purposes are too far removed from the original purpose of the surveillance. For example, if the landlord has set up CCTV to prevent burglaries in the property, it cannot be used to check whether tenants are keeping pets against the house rules.
The landlord also has a duty to assess whether less intrusive measures may be sufficient to achieve the purpose. Before installing CCTV surveillance to prevent burglary, the landlord must therefore consider whether, for example, installing locks or burglar alarms may be sufficient to prevent burglary.
When a landlord has installed CCTV surveillance, the landlord is also obliged to post signs about the CCTV surveillance and to comply with the duty of disclosure under the GDPR. The signage must be posted in such a way that it must be clear to people moving around in the monitored area that there is CCTV surveillance. The duty of disclosure under the GDPR also means that the landlord must provide the tenant with information about the processing of recordings in connection with the TV surveillance on which the tenants can appear. Typically, the information obligation is fulfilled with a privacy policy in an appendix to the lease or via a link reference to the landlord's website. For CCTV, the landlord can also supplement the privacy policy for tenants by placing a QR code alongside the CCTV signage, which people in the monitored area can scan to easily obtain information about the processing of CCTV footage.
The security around the recordings must also be appropriately arranged. Among other things, the landlord must ensure that unauthorized persons cannot access the recordings. This also means that the recordings may only be accessible to relevant employees/persons.
The CCTV Act regulates when CCTV footage can be disclosed.
The landlord may only disclose CCTV footage if:
- the people in the footage have given their explicit consent,
- the disclosure is required by law; or
- the disclosure is made to the police for crime solving purposes.
The above applies to both still images and recordings. It is also considered disclosure if the landlord allows others to review the TV surveillance.
Disclosure of written and, to some extent, oral descriptions of CCTV recordings, which include, for example, information about criminal offenses concerning tenants or other natural persons, is thus not regulated by the rules on disclosure in the CCTV Act. However, such disclosure will still be covered by the GDPR, and there must therefore be a legitimate purpose and a legal basis for such disclosure.
As a general rule, recordings from CCTV surveillance may be stored for a maximum of 30 days, unless it is necessary to process specific recordings for a longer period of time due to a dispute, report of a criminal offense or other crime prevention. In this connection, the landlord must be aware that it is only possible to store recordings about the person in question for longer than 30 days if the recordings are directly related to the specific dispute or report. Other parts of the recordings that are not involved in the dispute must therefore be censored or cut out of the recordings and deleted or anonymized after 30 days.
Finally, the landlord must be able to handle rights requests from tenants regarding the TV surveillance, as described below.
Handling rights requests
The Danish Data Protection Agency has announced that part of their supervision of housing companies and associations will concern the handling of rights requests from tenants.
When the landlord has registered personal data, the natural persons to whom the data relates have a number of rights towards the landlord.
Among other things, a tenant has the right to access and receive a copy of all personal data that the landlord processes about the tenant. This right includes, among other things, the lease, rent invoices, CCTV videos/images, any notes that the landlord has registered about the tenant, etc.
If a tenant wants access to and copies of CCTV footage, the landlord must secure the footage before it is deleted (most CCTV systems are set up for automatic deletion after 30 days in accordance with the CCTV Act). The landlord may ask the tenant to help locate the CCTV footage they want to access, for example by providing the time, place and a recognizable picture of themselves on the footage. If the tenant does not want to help, the request must still be granted to the extent possible, but if the request is manifestly unfounded, excessive or harassing, it can be refused.
In addition, other people appearing in the recordings must be censored, cut out or similar, as the tenant only has the right to access their own personal data. Therefore, the landlord is also obliged to set up their TV surveillance with measures that allow the landlord to censor or crop recordings.
A tenant also has the right to have their personal data erased if a landlord processes personal data based on consent that the tenant withdraws (e.g. social security number) or if the processing is no longer necessary to fulfill the purposes for which the data was collected (e.g. leases relating to previous tenancies that have expired).
However, a tenant's right to have their personal data deleted only applies to the extent that the landlord is not obliged to store it or the landlord does not need the information to establish, enforce or defend a legal claim.
When handling requests from data subjects, it's important for landlords to be aware of:
- that the landlord must generally comply with a request regarding data subject rights without undue delay within one month of receipt,
- that the landlord may not charge a fee for complying with the request,
- the landlord must not compromise the personal data of others in complying with the request; and
- that rights requests do not have formal requirements, and therefore landlords need to train their employees to assess whether requests from tenants constitute rights requests under GDPR.
It is also a requirement that the landlord establishes written procedures and templates for how to handle rights requests from tenants.
(We wrote the article for the magazine Danske Udlejere, April 2024)
