The Danish Data Protection Agency supervises compliance with the GDPR in Denmark, and they have recently announced that housing companies, associations, and administrators are on the list of the Danish Data Protection Agency's focus areas for 2024.
All landlords process personal data about tenants to a certain extent, e.g. in the form of name, address, telephone number, account number, information about debt, social security numbers, etc.
When processing personal data as part of a rental business, you are subject to the rules of the General Data Protection Regulation (GDPR), which the Danish Data Protection Agency supervises to ensure compliance. Each year, the Danish Data Protection Agency publishes the areas or actors on which it will focus particularly during the year and which it will supervise on its own initiative.
One of the Danish Data Protection Agency's focus areas for 2024 is housing associations, including both housing management companies and the housing associations' own administration. More specifically, the Danish Data Protection Agency will focus on whether these actors have adequate procedures in place to handle requests from residents to exercise their rights under the GDPR. In addition, the Danish Data Protection Agency will also focus on housing companies' use of CCTV surveillance.
TV surveillance
In 2024, the Danish Data Protection Agency will focus particularly on whether housing companies and associations comply with the rules when using CCTV surveillance.
In addition to complying with the CCTV Surveillance Act, CCTV surveillance must also comply with the GDPR, as video recordings of individuals constitute personal data and are therefore subject to the GDPR.
The landlord must therefore ensure that
- that there is a legal basis for CCTV surveillance in the GDPR,
- that the CCTV surveillance is organised in a lawful, reasonable and transparent manner, and
- that recordings from CCTV surveillance are processed lawfully and deleted in accordance with the law.
The basic principle is that there must be a specific and necessary need to use CCTV surveillance as a crime-fighting and crime-prevention measure before it is legal to implement CCTV surveillance. Housing organizations and associations, etc., representing households in a residential area must also obtain permission from the police to use CCTV surveillance in the residential area or associated areas.
The fact that CCTV surveillance must be set up legally means, among other things, that landlords are not allowed to record audio on CCTV surveillance, as this is in violation of the Criminal Code's rules on wiretapping.
This also means that the landlord may not use the recordings for purposes other than crime prevention if the new purposes are too far removed from the original purposes for which the CCTV surveillance was implemented. If the landlord has installed CCTV surveillance to prevent burglaries on the property, the surveillance may not be used to check whether tenants are keeping pets in violation of the house rules.
The landlord is also obliged to assess whether less intrusive measures may be sufficient to achieve the purpose. Before installing CCTV surveillance to prevent burglary, the landlord must therefore consider whether, for example, installing locks or burglar alarms would be sufficient to prevent burglary.
When a landlord has installed CCTV surveillance, the landlord is also obliged to put up signs about the CCTV surveillance and to comply with the duty of disclosure under the GDPR. The signs must be placed in such a way that it is clear to people in the monitored area that CCTV surveillance is in operation. The duty to provide information under the GDPR also means that the landlord must provide the tenant with a range of information about the processing of recordings in connection with CCTV surveillance, on which the tenants can act. Typically, the duty to provide information is complied with by means of a privacy policy in an appendix to the lease or via a link to the landlord's website. For CCTV surveillance, the landlord can also supplement the privacy policy for tenants by setting up a QR code together with the CCTV signage, which people in the monitored area can scan to easily obtain information about the processing of CCTV recordings.
Security surrounding the recordings must also be appropriately arranged. The landlord must, among other things, ensure that unauthorized persons cannot access the recordings. This also means that the recordings may only be accessible to relevant employees/persons.
The TV Surveillance Act regulates when TV surveillance recordings may be disclosed.
The landlord may therefore only disclose CCTV recordings if:
- the persons in the recordings have given their express consent,
- the disclosure is required by law, or
- the disclosure is made to the police for the purpose of investigating crime.
The above applies to both still images and recordings. It is also considered disclosure if the landlord allows others to view the CCTV footage.
The disclosure of written and, to a certain extent, oral descriptions of CCTV recordings containing, for example, information about criminal offences committed by tenants or other natural persons is therefore not regulated by the rules on disclosure in the CCTV Surveillance Act. Such disclosure will, however, continue to be covered by the GDPR, and there must therefore be a legitimate purpose and a legal basis for such disclosure.
As a general rule, CCTV recordings may be stored for a maximum of 30 days, unless it is necessary to process specific recordings for a longer period of time due to a dispute, the reporting of a criminal offense, or other crime prevention measures. In this connection, landlords should be aware that it is only possible to store recordings relating to the person in question for longer than 30 days if the recordings are directly related to the specific dispute or report. Other parts of the recordings that are not involved in the dispute must therefore be censored or cut out of the recordings and deleted or anonymized after 30 days.
Finally, the landlord must be able to handle requests from tenants regarding CCTV surveillance, as described below.
Handling of rights requests
The Danish Data Protection Agency has announced that part of its supervision of housing companies and associations will concern the handling of requests for access to personal data from tenants.
Once the landlord has registered personal data, the individuals to whom the data relates have a number of rights vis-à-vis the landlord.
A tenant has, among other things, the right to access and obtain copies of all personal data that the landlord processes about the tenant. This right includes, among other things, the lease agreement, rent invoices, CCTV videos/images, any notes that the landlord has made about the tenant, etc.
If a tenant wants to see and get a copy of CCTV recordings, the landlord has to make sure the recordings are saved before they get deleted (most CCTV systems are set up to automatically delete recordings after 30 days, in line with the CCTV Act). The landlord may ask the tenant to help locate the CCTV recordings they wish to view, e.g. by providing information about the time, place, and an image of the person for recognition on the recordings. If the tenant does not wish to assist, the request must still be complied with to the greatest extent possible, but if the request is manifestly unfounded, excessive, or vexatious, it may be rejected.
In addition, other persons appearing in the recordings must be censored, cut out, or similar, as the tenant only has the right to access his or her own personal data. The landlord is therefore also obliged to set up his or her CCTV surveillance with measures that enable the landlord to censor or crop recordings.
A tenant also has the right to have their personal data deleted if a landlord processes personal data on the basis of consent that the tenant withdraws (e.g., social security number), or if the processing is no longer necessary to fulfill the purposes for which the data was collected (e.g., rental agreements relating to previous tenancies that have expired).
However, a tenant's right to have their personal data deleted only applies to the extent that the landlord is not obliged to store it, or the landlord does not need the information in order to establish, assert, or defend a legal claim.
When landlords handle requests from data subjects, it is important to be aware of the following:
- that the landlord must, as a general rule, comply with a request concerning the rights of data subjects without undue delay, at the latest one month after receipt,
- that, as a general rule, the landlord may not charge a fee for complying with the request,
- that the landlord must not compromise the personal data of others in complying with the request, and
- that rights requests do not have any formal requirements, and landlords therefore need to train their employees to assess whether inquiries from tenants constitute rights requests under the GDPR.
It is also a requirement that the landlord establishes written procedures for how requests for rights from tenants are handled, as well as templates for this.
(We wrote this article forthe magazine Danske Udlejere, April 2024)
