In a recent presentation by the Commissioner of Data Protection, Ms. Loizidou, explained to the Cyprus Property professionals how the General Data Protection Regulation – GDPR – creates obligations and liabilities. The industry is not excluded from these obligations and liabilities and attention is required.
GDPR applied to the Cyprus Property Industry
Considering that GDPR applies to every industry and segment that personal data is made available, shared, communicated and processed the construction industry is similarly affected and each Cyprus property professional should be compliant.
Role of Cyprus Property Professionals and GDPR
Cyprus property developers, property agents, valuers, architects, construction companies may be both data controllers and data processors. The facts and circumstances will determine the type of processing undertaken and the role of the property professional.
Sharing of personal data
The sharing of personal data between different Cyprus property professionals is captured by the provisions of the General Data Protection Regulation. Accordingly, express consent is required from the data subject (individual) prior to the sharing of such information. A few practical examples:
- Agent introduces the client to one or more real estate developers.
- Property Developer shares the name and telephone of a client to the architect to call directly.
In the above examples, the party holding such information must receive express consent as to the sharing of such personal information. Further to the foregoing, it might be interesting to consider entering into specific data processing agreements between these parties and as such ensure that the transmission of such data is performed in accordance with the terms of the agreement.
AML, GDPR and RE
The requirement to comply with the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007-2019 by the Cyprus property Professionals and the adoption of measures to comply with the General Data Protection Regulation appears to have created uncertainty within the market. Compliance with the one does not automatically mean compliance with the other.
A few practical steps can be taken to start complying with GDPR:
- Apply a clean desk policy. Meaning that documents, business cards and client information are not left thrown around on your work desk.
- If you share client information with others, consider whether you have express consent to share his/her information, if not start an overview
- To the extent possible review your organization and restrict access to client’s personal information to the staff that have a reason to use such personal information.
- Conduct an inventory of all personal data kept and inquire:
- How was the data obtained?
- Why does the organisation hold the data?
- Is the data still required?
- Is the data safe?
- Who do you share it with?
What Practical Measures have you taken?
I would be interested to hear more about the practical steps you have taken to comply with GDPR as a Cyprus Property Professional