A data subject issued a complaint to the Data Protection Commission (DPC) against their owner management company (data controller) regarding the disclosure of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that an email containing their personal data was circulated by a property management company on behalf of an owner management company (OMC) and contained information regarding the payment of annual services charges.

Before contacting the DPC the data subject contacted the OMC to address their concerns of the disclosure of their personal data. The OMC responded that its policy was to include such personal data in emails to all clients. The data subject confirmed that it had not seen, nor signed this policy.

Following the engagement of the DPC the data controller cited a clause in its OMC Memorandum of Association, which allowed for the disclosure of payment or non-payment of service charges to other unit owners.

The DPC provided both parties with guidance from this office for consideration, “Data Protection Consider- ations Relating to Multi-Unit Developments and Owners’ Management Companies”. The guidance indicated that the disclosure must be justified as both necessary and proportionate to achieve a specific, explicit and legitimate purpose, in accordance with data protection law.

The data controller informed the DPC that a balancing test was conducted and highlighted that the processing of the personal data was necessary to achieve the legitimate interest of the management company to obtain payment of service charges.

Under section 109(5)(c) of the 2018 Act the DPC advised that the data controller had not been able to provide an adequate lawful basis for the processing of personal data as outlined in the complaint.

The outcome reminded the data controller of their obligations as a data controller under Articles 5, 6 and 24 of the GDPR and under section 109(5)(f) of the 2018 Act, the DPC recommended that the data controller review their Memorandum of Association to ensure compliance with the DPC guidance; consider alternative methods to resolve the non-payment of service charges and consider and balance any legal obligation or legitimate interest against the rights and interests of the data subject.