Data protection in the real estate sector in Andorra
The DPA focuses on the property sector. Future Guide and first “sanction” for a real estate agency.
The first “sanction” for an estate agency in Andorra has been announced. The property sector is one of the most important in the Andorran business network, having grown significantly, and it processes a large amount of personal data. This leads to the need for greater precaution regarding the collection, management and storage of personal data by controller and processors.
The data processing involving this sector usually entails the processing of a significant amount of personal data, some of which is particularly sensitive, such as data on minors, health or that related to administrative or criminal offences.
The Data Protection Agency (DPA) has therefore produced a preliminary guide – offering guidelines and recommendations to companies and professionals from the property sector in the Principality of Andorra in order to guarantee adequate compliance or to strengthen the programmes for compliance with current data protection regulations. This Guide is essential, given the first “sanction” issued to an estate agency in Andorra.
As is generally known, the legal framework governing data protection in the Andorran property sector comprises the Qualified Data Protection Law (LQPD) 29/2021 of 28 October and its implementing Regulation, Decree 391/20211 of 18 September (RLQPD), as well as the specific sector-focused provisions involving the property sector. This regulation governs the collection, processing, use, distribution, storage and safekeeping of data.
The preliminary guide lists the principles in data processing for property sector professionals:
- Lawfulness, loyalty and transparency: The professional must inform the data subject of the way in which their personal data is processed, the purpose of processing, and their rights.
- Restriction of purpose: The data must be collected for a certain, explicit and lawful purpose, and may not be processed for other purposes.
- Minimisation of data: The data collected must be adequate, appropriate and limited to what is required for the purpose, and access to other unnecessary information would be contrary to this principle. This is the reason for the first “sanction” imposed on an estate agency in Andorra.
- Accuracy: The data collected must be accurate and must be updated and corrected whenever necessary. A quarterly review of the database by the controller is therefore recommended.
- Restriction of storage time: The data must be stored for a period no greater than necessary for the purposes of processing, and must be erased or blocked -during the statute of limitations of legal action- once it is no longer necessary.
- Integrity and confidentiality: The data must be processed in such a manner that guarantees adequate security, applying the appropriate technical and organisational measures.
- Proactive responsibility: The controller must comply with and be able to prove that the principles of processing are fulfilled.
The lawful basis for data processing is a legal requirement placed on the controller so that certain personal data may be processed. Lawful basis will basically depend on the purpose of processing and on the category of data processed. The controller may not change the lawful basis as required, but instead must maintain the original choice of lawful basis.
List of cases of lawful basis for the processing of personal data within the property sector:
- Consent: voluntary declaration by the data subject for the processing of their data for a specific purpose.
- Need for the execution of a contract: processing within the contractual context with the data subject, where processing is required for the execution of the contract to which the data subject is a party. The data processed must be adequate, appropriate and not excessive.
- Compliance with a legal obligation: the controller may process the personal data of the data subject by legal mandate, such as to fulfil the obligations of Law 14/2017 on the prevention and fight against money or security laundering and terrorist financing.
- Legitimate interest: provided the interests or rights and fundamental freedoms of the data subject do not take priority over this.
It is essential to be correctly informed and familiar with the purpose for which the data is to be processed before any processing begins. Any change or modification to the purpose of processing could mean that the lawful basis is no longer suitable for legitimising certain processing activities.
It is therefore important for the controller to regularly review the processing activities conducted, updating the corresponding Register of Processing Activities (RPA), and determining whether any changes have been made to the purpose for which the data is processed. The RPA has proven to offer an effective control of data processing and is able to accredit due diligence in protecting the data processed. An updated RPA provides traceability of the processing activities and transparency for the controlling body.
It is important to note that the processing activities that may be conducted in the property sector may vary depending on the services provided.
The processor is the physical or legal person providing a service for the controller that involves processing personal data on the latter’s behalf.
Data subjects have a series of rights that they may exercise at any time:
- Right of access: the right to obtain information and details on their data.
- Right of rectification: the rectification of inaccurate, incomplete or imprecise data without undue delay.
- Right of erasure: the erasure of their data if it is no longer necessary, except where there is a legal obligation to preserve it.
- Right of restricted processing.
- Right of data portability: the right to obtain the data in a structural format and transfer it to another controller.
- Right of objection: the right to object to the processing of their personal data in certain circumstances, except for any overriding reasons that may prevail.
The data subject may exercise their right by requesting as such from the controller.
The data protection regulation requires that controllers and processors apply technical and organisational measures that must be adopted, depending on the risk inherent to each type of processing activity performed.
First “sanction” for an estate agency in Andorra
The first “sanction” on an Andorran estate was recently made public due to its excessive request for data in order to visit an apartment: requesting a residency permit, a bank certificate with references, data on the direct debiting and name of the manager of the account and work-related information, all of which is considered excessive data. The DPA has reprimanded the estate agency, although with no financial consequences to date. The first “sanction” was a warning with no financial consequences.
Professionals in the property sector process data of a certain degree of sensitivity, including not only identifying data but also economic-financial data or sometimes user profiling. A strengthening of the precautions regarding the management of this data is therefore required, with the compulsory appointing of a Data Protection Officer (DPO) who, among other duties, establishes clear guidelines regarding the processing of data and acts as liaison with the DPA. An Impact Assessment may also sometimes be required.
Author: Katia Carneiro (Andorra La Vella).
If you need more information about any aspect of personal data in Andorra, contact us!
Information on data protection
Company name
LEGAL IT GLOBAL 2017, SLP
Purpose
Providing the service.
Sending the newsletter.
Legal basis
Compliance with the service provision.
Consent.
Recipients
Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.
Rights
You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.
Further information
See the Privacy Policy.