Comunidades de vecinos

Data protection in homeowners' associations

Homeowners' associations are data controllers for the personal data of their residents and must comply with Regulation (EU) 2016/679 — the GDPR — and Spain's LOPDGDD (Organic Law 3/2018). The most common risk areas are CCTV surveillance of common areas, the display of debtors' information on notice boards, and the legal relationship with the property manager as a data processor. At Summum Consultoría we guide homeowners' associations in Castilla y León and the Canary Islands through full GDPR compliance, without imposing software solutions or unnecessary bureaucracy.

Applicable lawGDPR (EU) 2016/679 · LOPDGDD Organic Law 3/2018 · LPH Act 49/1960
Data processedOwners, tenants, visitors and CCTV footage
Supervisory authorityAEPD — Spanish Data Protection Agency (Agencia Española de Protección de Datos)

Homeowners' associations constituted under the horizontal property regime governed by Act 49/1960 (LPH, Spain's Horizontal Property Act) are controllers of the personal data of their members when they process such data in the context of their community relationships, pursuant to the general definition set out in article 4(7) of the GDPR — a position confirmed by the AEPD in its guidance on data protection in homeowners' associations. This means that the board of owners and the president — the legal representative of the association — take on all the obligations of any data controller: transparently informing data subjects (arts. 13 and 14 GDPR), maintaining a Record of Processing Activities (art. 30 GDPR), applying security measures appropriate to the risk, and responding to requests to exercise the rights of access, rectification, erasure, restriction and objection by owners and tenants. The size of the association — whether a ten-storey building or a multi-phase development — does not alter these obligations.

The property manager (administrador de fincas) occupies a central position in data protection for homeowners' associations. When managing the register of owners, issuing fee receipts, convening general meetings or handling correspondence with suppliers on the association's behalf and under its instructions, the property manager acts as a data processor within the meaning of article 4(8) of the GDPR. This relationship requires formalising a data processing agreement in accordance with article 28 of the GDPR, setting out the subject matter and duration of the processing, the nature and purpose of the processing, the categories of personal data, the controller's instructions, the required security measures and the procedure for handling data breaches. The absence of this agreement is, in practice, the most common deficiency we find when auditing homeowners' associations, and exposes both the association and the property manager to real regulatory risk.

The installation of cameras in the building's common areas — entrance hall, car park, stairwells, swimming pool or gardens — constitutes a processing of personal data regulated by article 22 of the LOPDGDD with specific requirements, supplemented by the AEPD's CCTV Guidelines. Three minimum conditions apply: first, the devices may only capture the association's own common areas, without covering public roads or private spaces beyond the minimum strip of access strictly necessary; second, footage must be deleted within a maximum period of one month from capture in accordance with article 22(3) of the LOPDGDD, unless it is related to an ongoing police or judicial investigation; and third, visible informational signage must be placed in the surveilled areas, before the entrance to the recorded space, displaying the data controller's details. The resolution passed by the board of owners approving the installation is a requirement under the LPH, but does not substitute compliance with the documentary requirements of the GDPR.

One of the most sensitive points in data management for homeowners' associations is the publication of information about owners with unpaid fees. The Horizontal Property Act (Act 49/1960) itself provides the legal basis for this processing from two angles: article 16(2) LPH requires that the notice convening a board meeting must include the list of owners not up to date with their payments — thereby enabling the processing of such data in the context of community management — while article 21 LPH governs the specific procedure for recovering community debts, which underpins the processing associated with collection actions. However, publishing that information on the notice board — accessible to all residents and visitors — requires observing the data minimisation principle of article 5(1)(c) of the GDPR: only the data strictly necessary for the purpose pursued may be displayed, for the minimum time necessary and on the basis of a board resolution that expressly authorises it. The information must be removed as soon as the debt is settled. Publishing excessive data — such as bank details, information about ongoing legal proceedings or the owner's personal circumstances — may constitute an infringement subject to the penalties set out in article 83 of the GDPR.

At Summum Consultoría we guide homeowners' associations in Castilla y León and the Canary Islands through comprehensive GDPR compliance, from the initial assessment to the implementation of all required documents and procedures: Record of Processing Activities, processing agreements with the property manager and other suppliers accessing the association's personal data, information clauses for owners and tenants, a CCTV protocol compliant with article 22 of the LOPDGDD, and a procedure for handling the exercise of rights. We also advise the board on the legal limits on processing debtors' data and the admissible manner of making that information public. Our work is one of guidance and compliance: we do not replace the AEPD or guarantee the outcome of any enforcement proceedings, but we do equip the association with the tools to demonstrate genuine and verifiable compliance in the event of any inspection.

The Data protection in homeowners' associations process.

The process · four stages
01

Assessment and record of processing activities

We identify all data flows within the association: register of owners and tenants, board meeting minutes, fee and debtor management, CCTV, video intercom, contracts with suppliers and community management platforms. We determine the applicable legal basis for each processing activity and draw up the Record of Processing Activities required by article 30 of the GDPR.

02

Processing agreements and privacy documentation

We draft the data processing agreement with the property manager (art. 28 GDPR) and with other suppliers accessing the association's data: security company, outsourced concierge service and management software providers. We also prepare the information clauses for owners and tenants (arts. 13 and 14 GDPR) and the legal notice if there is a residents' portal or website.

03

CCTV protocol and debtors' notice board

We review the CCTV system's compliance with article 22 of the LOPDGDD and the AEPD's Guidelines: capture angle, one-month retention period, informational signage and enabling board resolution. We advise the board on the minimum admissible content for the debtors' notice board, the applicable legal basis and the protocol for prompt removal of the information once the debt is settled.

04

Rights procedure, training and annual review

We establish the channel and procedure for handling requests to exercise the rights of access, rectification, erasure, restriction and objection by owners and tenants within one month (art. 12 GDPR). We train the association's president and the property manager in their practical obligations, and include an annual review of documentation to reflect regulatory changes or changes in the association's processing activities.

What is included

What Data protection in homeowners' associations includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Record of Processing Activities

    Preparation of the Record of Processing Activities (RPA) required by article 30 of the GDPR, with entries for each of the association's processing activities: owners' register, board minutes, fee management, CCTV, contracts with suppliers and community communications.

  • Processing agreement with the property manager

    Drafting of the data processing agreement (art. 28 GDPR) between the association — as controller — and the property manager — as processor — including all required clauses: subject matter, instructions, security measures, sub-processing arrangements and return of data at the end of the engagement.

  • CCTV in common areas (art. 22 LOPDGDD)

    Review of the CCTV system's compliance in entrance hall, car park, swimming pool and stairwells: capture angle limited to the association's own areas, maximum one-month retention, standardised informational signage and enabling board resolution in accordance with the AEPD's Guidelines.

  • Information clauses and signage

    Drafting of the information to be provided to owners, tenants and visitors regarding the processing of their data (arts. 13 and 14 GDPR), including the standardised sign for CCTV-monitored areas and the privacy clause on owners' registration forms.

  • Debtor notice board management and limits

    Advice on the applicable legal basis for publishing data on owners in arrears, minimum admissible content in accordance with the data minimisation principle (art. 5(1)(c) GDPR), conditions of the board resolution, and protocol for removal once the debt is settled.

  • Handling of data subject rights requests

    Design of the internal procedure for handling requests to exercise the rights of access, rectification, erasure, objection, restriction and portability (arts. 15–22 GDPR) by owners and tenants, with documented responses within the maximum one-month period set out in article 12 of the GDPR and a log of each action taken.

Frequently asked questions about Data protection in homeowners' associations.

Does a homeowners' association have to comply with the GDPR?

Yes. Homeowners' associations under the horizontal property regime are controllers of the personal data of their members pursuant to the general definition set out in article 4(7) of the GDPR — a position confirmed by the AEPD in its guidance on homeowners' associations. This obliges them to meet all the requirements of Regulation (EU) 2016/679: informing data subjects, maintaining the Record of Processing Activities, applying appropriate security measures and responding to rights requests within one month. The fact that the association is a non-profit entity and delegates day-to-day management to a property manager does not exempt it from these obligations.

What requirements must CCTV in a building's common areas meet?

Article 22 of the LOPDGDD and the AEPD's CCTV Guidelines establish that cameras installed in common areas must meet three fundamental requirements: first, they may only capture the association's own common areas, without covering public roads or private spaces beyond the minimum necessary access strip; second, footage must be deleted within a maximum of one month from capture in accordance with article 22(3) of the LOPDGDD, unless it is linked to a police or judicial investigation; and third, visible informational signage must be placed before the entrance to the recorded space, displaying the data controller's details. The board resolution approving the installation is required under the LPH but is not sufficient to satisfy the GDPR.

Can the names of owners with unpaid fees be posted on the notice board?

The Horizontal Property Act provides the express legal basis: article 16(2) LPH requires that the notice convening a board meeting must include the list of owners not up to date with their payments, and article 21 LPH governs the procedure for recovering community debts. However, posting that information on the notice board requires observing the data minimisation principle of article 5(1)(c) of the GDPR: only the data strictly necessary for the purpose pursued may be displayed — in practice, the owner's name and the amount owed — for the minimum time necessary and on the basis of a board resolution that expressly provides for it. The information must be removed as soon as the debt is settled. Publishing excessive data — such as bank details, information about ongoing legal proceedings or personal circumstances — may constitute a breach of data protection law subject to penalties imposed by the AEPD.

Does the property manager need to sign a data protection agreement with the association?

Yes. When the property manager processes the owners' personal data on behalf of and under the instructions of the association, they act as a data processor within the meaning of article 4(8) of the GDPR. Article 28 of the GDPR requires this relationship to be formalised through a written data processing agreement covering the subject matter, duration and purpose of the processing, the categories of personal data processed, the controller's instructions and the processor's confidentiality and security obligations. The absence of this agreement may lead to penalties imposed by the AEPD regardless of whether the management has been materially correct.

What legal basis covers the processing of owners' data?

The primary legal basis for processing owners' data in the context of the ordinary management of the association is compliance with the legal obligations arising from Act 49/1960 on Horizontal Property (art. 6(1)(c) GDPR) — meeting notices, minutes, fee management, relations with suppliers — and the legitimate interests of the association in managing the property (art. 6(1)(f) GDPR). The processing of CCTV footage is also covered by the legitimate interest of building security, provided that the requirements of article 22 of the LOPDGDD are met. It is not necessary to obtain the owners' consent for processing activities directly linked to obligations under the LPH.

What penalties can the AEPD impose on a homeowners' association?

Infringements of the GDPR in the context of homeowners' associations are subject to the penalty regime of article 83 of Regulation (EU) 2016/679 and the LOPDGDD. Serious infringements — such as the absence of a legal basis for processing, the lack of a processing agreement with the property manager or non-compliance with the CCTV regime — may result in fines of up to €10 million or 2% of total annual worldwide turnover. Very serious infringements — such as violations of the basic principles of processing — may reach €20 million or 4% of turnover. The AEPD takes into account as mitigating factors: good faith, diligence in cooperating with the regulator and the measures taken to limit the effects of the infringement.