Just when you thought it was safe to move on from GDPR and get back to your day jobs, anyone involved in managing works and services in occupied properties should still be thinking about how GDPR still impacts upon the delivery of works and services in occupied properties and update the contracts to reflect the new requirements.
Many of the asset management services delivered by your external contractors will include requirements to process data about your residents. As a starting point contractors will be given contact details so that they can make arrangements to gain access to undertake repairs, major works or service checks. Many housing providers outsource their call centres to their maintenance contractor and therefore the contractor maybe processing personal data on their behalf. Even contractors engaged in building new homes for a client may be provided with personal data when the home is complete and they are required to return and gain access to rectify defects during the defects liability period.
Do your existing contracts contain provisions which comply with the requirements of GDPR?
Pre-GDPR, it was common practice for data protection obligations to state that each party would observe their respective obligations under the Data Protection Act 1998. Long term contracts were future proofed by making sure that each party observed the legislation in its current form and as amended or re-enacted.
Usually provisions of this type are generally robust enough to withstand amendment or re-enactment of the particular legislation and, for the most part, it is uncommon for that process to disturb existing contracts in such a way as to require the parties to proactively vary their contracts to ensure that they remain compliant with the law.
However, the GDPR regulates the way in which parties deal with personal data at a contractual level and prescribes specific provisions that should be dealt expressly in contracts under which personal data is being processed.
Article 28 of the GDPR requires that all data processing by a Data Processor shall be governed by a contract (or other legal act under Union or Member State law). Amongst other things, Article 28 requires contracts to expressly:
- Stipulate that the processing of personal data is carried out only on documented instructions;
- commit the Data Processor to obligations of confidentiality in relation to the personal data being processed;
- require the Data Processor to take appropriate technical and organisational measures in order to assist the Data Controller with its obligations to respond to requests pursuant to Data Subject's rights set out in the GDPR;
- oblige the Data Processer to delete the personal data after the provision of the services if requested by the Data Controller;
- oblige the Data Processor to make available to the Data Controller all information necessary to demonstrate compliance with its obligations under Article 28; and
- oblige the Data Processor to allow for and contribute to audits and inspections conducted by the Data Controller or its appointed auditors.
The upshot is that, where a contract is entered into pre-GDPR and where personal data continues to be processed under that contract post-GDPR, the contract will need to be varied to include the prescribed Article 28 provisions.
It is most likely that your existing contracts for delivery of services such as repairs and maintenance, gas servicing, electrical testing and other compliance services will require variation to bring them in line with GDPR. This is because personal data in the form of names, addresses and contact details of individual residents is provided by the Employer (as Data Controller) to the Contractor (as Data Processer) to enable those services to be delivered.
Under your building contracts, if it is likely that a contractor will be processing personal data in order to gain access to rectify defects to residents' properties after completion then amendments are also required to bring them into line with GDPR.
This article is taken from Building Interest - Summer 2018.