Digital smart lock alternatives have emerged alongside conventional mechanical locks and keys, and the new systems also collect the users’ personal data. When thinking about making the switch to smart or digital locks, housing companies must also consider the issue from a data protection perspective, because the processing of personal data is strictly regulated.
Smart or digital locks do make things easier in many respects, but a housing company, as a controller, is responsible for compliance with the Personal Data Act or the General Data Protection Regulation that takes effect in May 2018. When an access right linked to an individual, or some other information related to the individual, such as the time at which the individual accessed a specific space, is recorded in the system, it is considered personal data.
The building manager, building maintenance company or other party that handles personal data for the housing company’s locks is also responsible for compliance with the legislation. As the controller, the housing company must keep a filing system record that is compliant with the Personal Data Act, and it must also take care of other reporting obligations. In conjunction with a locking system upgrade, it is recommended at the very least to review the filing system record, because digital and smart locks collect personal data.
The General Data Protection Regulation imposes new requirements
With the new General Data Protection Regulation (GDPR) applicable next year, the filing system record and other data submitted to the data subject must be re-verified. Under the new regulation, the controller is obligated to disclose, among other things, the period of time for which the personal information will be stored, or, if that is not possible, the criteria used to determine this period. In fact, the requirements of the new GDPR must be taken into consideration when acquiring a new lock system. It is advisable to verify with the service provider, already during the purchasing phase, that data can be erased from the system.
The housing company must ask the service provider the following questions, which are essential in terms of data protection:
- whose personal data is recorded in the system
- what personal data is recorded in the system
- where the data is recorded
- how long the data remains in the system
- is it possible to change the storage period
- is it possible to change the storage period criteria
- how personal data is erased
- who has access to the data in the system
Collected data must not be used for just any purpose
The processing of personal data must be planned in advance. Before collecting data, the purpose of the processing and the sources of the personal data acquisition, among other things, must be determined. The collected data must not be used or processed for anything other than the predetermined purpose.
A person’s movement in the housing company must not be monitored without grounds that are consistent with the purpose. For example, if the building’s access control is to be used to verify information about who has visited the housing company’s premises during a specific time period, this purpose must be taken into consideration in advance. The housing company determines who processes personal data in line with the purpose. An individual who has processed personal data has an obligation of professional secrecy with respect to the data related to the data subject.
Data is collected on residents as well as on other individuals at the premises, such as maintenance and janitorial personnel. With regard to service providers’ employees, it should be noted that, in addition to the Personal Data Act, the issue is also regulated by the Act on the Protection of Privacy in Working Life. According to that Act, matters related to the organizing of access control must be processed through the cooperative or consultative procedure. The housing company must verify with the service providers that they have taken the required measures.
The housing company should also verify that, in addition to data protection, the lock service provider will take care of data security. The new General Data Protection Regulation imposes the obligation to report data breaches, so it is necessary to be prepared for them. In fact, something to keep in mind is that data protection issues also affect housing companies.