Are You Running Afoul of GDPR?

Because this onerous European legislation is far reaching and does have an impact on US commercial real estate.

Minta Kay

A whole range of industries around the world are quite, and perhaps wearily so, familiar with the EU’s General Data Protection Regulation. These companies are in financial services, the legal industry, the technology sector and the advertising space, among many others. Commercial real estate, however? Perhaps not so much. That is because the main points of this very complex European legislation focus on Europeans’ privacy, consumers’ rights over their data and such concepts as the right to be forgotten. It also addresses the export of personal data outside the EU. Any company dealing with a resident of these countries — such as a US company with European clients — is subject to this law, which went into effect in May of 2018. It is not, in other words, the type of legislation that would appear to have a great effect on the owner of US offices or apartments.

But it does have an effect on the fund formation side, Goodwin partner Minta Kay, chair of the firm’s Real Estate Group, tells GlobeSt.com. In this area, she says, “there is a tremendous amount of spillover. Our clients are global in many respects and so they’ve got to think about global policies around the use of data. And GDPR is so unbelievably far reaching that anytime there is mention of an asset or there’s an arguable solicitation of a client for investment, we have to jump through the GDPR hoops,” she says.

“So much so that we have not been able to avoid it as much as you would have thought and as much as our clients would like to. It is becoming invasive in many aspects of what we do.”

Onerous Penalties

Indeed, now is a good time for CRE firms to make sure they are not running afoul of the tenets of this law before enforcement by the EC starts to pick up. Because of the law’s complexity, there has been an unspoken grace period afforded most firms, but it is largely expected that enforcement will happen and that some unfortunate companies will be found non-compliant and made an example of.

And the penalties are harsh: €20 million or 4% of an organization’s annual global revenue, whichever is greater.

It has been assumed that a Google or an Apple will be the first targets of EC enforcement and likely that will be so. But Kay reports that Goodwin’s clients that are forming funds to invest in real estate are under scrutiny and are looking to the firm for “significant levels of advice at this time.”

A Test

To see if your firm might be at risk of being in violation of GDPR, Goodwin suggests asking the following:

Q: Does your CRE group have any affiliated companies doing business in the EU?

A: If so, the data processing activities of the affiliates are subject to the GDPR wherever in the world the activities take place, including in the US. This means the sharing of data across the EU and US businesses may be subject to GDPR. Examples of shared data include: data about tenants and employees in a potential CRE investment, investor data and data about ownership structures. Additionally, if IT and business service functions are centralized for the EU and non-EU businesses, GDPR could apply to US operations.

Q: If you are located outside the EU, do you process personal data in relation to the offer of CRE or CRE fund investment opportunities, asset management services, leasehold or fee interests in real estate or other goods or services to individuals in the EU?

A: If so, that processing is subject to the GDPR even though your business is based outside the EU. For example, a US based owner acquires a PRS asset in Europe. By offering leasehold interests in that asset to tenants, the application of the GDPR is triggered, so all processing of the tenant data by the US owner must be compliant. The US owner must impose equivalent contractual obligations on its vendors that process tenant data on its behalf (such as cloud providers that store the data).

Q: Does your business have access to EU personal data, for example, in connection with the due diligence of EU based investment opportunities or providing services to EU businesses?

A: If so, GDPR may impose required protections on the businesses in the data chain, even when they are not directly within the GDPR’s scope. For example, a US parent company wants to receive occasional information about CRE investments undertaken by its EU based affiliates in connection with its supervision of the activities of the affiliate, including reports that may identify tenants and employees. The US parent remains outside the scope of the GDPR, but the GDPR requires the EU affiliate to have a lawful basis for providing its parent with that data, to notify the tenants and the employees of the fact that the parent may receive their data, and to establish a lawful mechanism to enable the data to be transferred to the US (commonly, through the EU’s approved standard contractual clauses, which impose onerous obligations on the US recipient).