Homeowners' associations constituted under the horizontal property regime governed by Act 49/1960 (LPH, Spain's Horizontal Property Act) are controllers of the personal data of their members when they process such data in the context of their community relationships, pursuant to the general definition set out in article 4(7) of the GDPR — a position confirmed by the AEPD in its guidance on data protection in homeowners' associations. This means that the board of owners and the president — the legal representative of the association — take on all the obligations of any data controller: transparently informing data subjects (arts. 13 and 14 GDPR), maintaining a Record of Processing Activities (art. 30 GDPR), applying security measures appropriate to the risk, and responding to requests to exercise the rights of access, rectification, erasure, restriction and objection by owners and tenants. The size of the association — whether a ten-storey building or a multi-phase development — does not alter these obligations.
The property manager (administrador de fincas) occupies a central position in data protection for homeowners' associations. When managing the register of owners, issuing fee receipts, convening general meetings or handling correspondence with suppliers on the association's behalf and under its instructions, the property manager acts as a data processor within the meaning of article 4(8) of the GDPR. This relationship requires formalising a data processing agreement in accordance with article 28 of the GDPR, setting out the subject matter and duration of the processing, the nature and purpose of the processing, the categories of personal data, the controller's instructions, the required security measures and the procedure for handling data breaches. The absence of this agreement is, in practice, the most common deficiency we find when auditing homeowners' associations, and exposes both the association and the property manager to real regulatory risk.
The installation of cameras in the building's common areas — entrance hall, car park, stairwells, swimming pool or gardens — constitutes a processing of personal data regulated by article 22 of the LOPDGDD with specific requirements, supplemented by the AEPD's CCTV Guidelines. Three minimum conditions apply: first, the devices may only capture the association's own common areas, without covering public roads or private spaces beyond the minimum strip of access strictly necessary; second, footage must be deleted within a maximum period of one month from capture in accordance with article 22(3) of the LOPDGDD, unless it is related to an ongoing police or judicial investigation; and third, visible informational signage must be placed in the surveilled areas, before the entrance to the recorded space, displaying the data controller's details. The resolution passed by the board of owners approving the installation is a requirement under the LPH, but does not substitute compliance with the documentary requirements of the GDPR.
One of the most sensitive points in data management for homeowners' associations is the publication of information about owners with unpaid fees. The Horizontal Property Act (Act 49/1960) itself provides the legal basis for this processing from two angles: article 16(2) LPH requires that the notice convening a board meeting must include the list of owners not up to date with their payments — thereby enabling the processing of such data in the context of community management — while article 21 LPH governs the specific procedure for recovering community debts, which underpins the processing associated with collection actions. However, publishing that information on the notice board — accessible to all residents and visitors — requires observing the data minimisation principle of article 5(1)(c) of the GDPR: only the data strictly necessary for the purpose pursued may be displayed, for the minimum time necessary and on the basis of a board resolution that expressly authorises it. The information must be removed as soon as the debt is settled. Publishing excessive data — such as bank details, information about ongoing legal proceedings or the owner's personal circumstances — may constitute an infringement subject to the penalties set out in article 83 of the GDPR.
At Summum Consultoría we guide homeowners' associations in Castilla y León and the Canary Islands through comprehensive GDPR compliance, from the initial assessment to the implementation of all required documents and procedures: Record of Processing Activities, processing agreements with the property manager and other suppliers accessing the association's personal data, information clauses for owners and tenants, a CCTV protocol compliant with article 22 of the LOPDGDD, and a procedure for handling the exercise of rights. We also advise the board on the legal limits on processing debtors' data and the admissible manner of making that information public. Our work is one of guidance and compliance: we do not replace the AEPD or guarantee the outcome of any enforcement proceedings, but we do equip the association with the tools to demonstrate genuine and verifiable compliance in the event of any inspection.