Personal data protection in a HOA


Apartment buildings are now often managed by homeowners' associations (HOAs). They represent the interests of residents in dealings with resource-supplying organizations, arrange major repairs of the building and keep the housing and utilities infrastructure in working order. In the course of this activity, they often gain access to the personal data of citizens and do not always use it in accordance with the requirements of the law.

The procedure for using personal data in the HOA

According to Art. 135 of the Housing Code of the Russian Federation, the HOA is a legal entity. This obliges it to notify Roskomnadzor when it begins activities related to the processing of citizens' personal data, and to implement a certain set of legal, organizational and technical measures. Personal data is divided into three groups:

  • general;
  • biometric, describing the individual characteristics of the human body;
  • special, concerning health, religion or political views.

In their work, homeowners' associations deal only with the general category of data, unless for some reason they need to request photographs from residents, which courts sometimes treat as biometric information. A handwritten sample signature is also classed as biometric data.

The HOA is entitled to receive data only directly from the citizens who are its residents. This makes it necessary to obtain consent to the processing of personal data. In accordance with the requirements of the Federal Law "On Personal Data" No. 152-FZ, when signing a consent, a citizen must be notified of:

  • the purpose of the data collection;
  • ways and methods of their processing;
  • an exhaustive list of persons to whom this data may be transferred for one reason or another.

A citizen can revoke his consent to data processing at any time. There was once a rule allowing HOAs to collect and process information about citizens where necessary for organizing the management of an apartment building, but it was quickly repealed. The HOA is now entitled to continue processing personal data in cases expressly established by law, without deleting them within 30 days, but obtaining initial consent is mandatory. The transfer of data without formalized consent is permitted only to:

  • state information center (GIS);
  • resource supplying organizations;
  • settlement centers and payment agents.

This is provided for by Art. 155 of the RF LC, but if the owner has sold the apartment and the organization no longer needs his personal data, the data must be destroyed after a certain period of time. The HOA must be ready at any time to inform the owner which of his personal data it holds and how they are used, and to correct any errors in them.

Homeowners association practice

Personal data of citizens is received, processed and transferred to third parties, including:

  • resource supplying organizations (regional Vodokanal, Gorgaz, Energosbyt);
  • computing centers engaged in billing payments and printing receipts;
  • legal companies preparing claims for non-payment;
  • bailiffs;
  • collectors.

In most cases, if consent has not been obtained for the transfer of data to organizations other than resource providers and bailiffs (transfers to which are carried out in accordance with the requirements of the law), such a transfer is illegal and inconsistent with the purposes of processing personal data.

When defining the purposes for which the processing is carried out, the following should be indicated:

  • conclusion of contracts with resource supplying organizations;
  • receiving utilities;
  • maintenance and overhaul of the premises of an apartment building;
  • provision of services and performance of work necessary for the management of an apartment building.

A consent signed by hand must contain not only the signature but also the full name, written by hand. This is needed to verify the authenticity of the signature if a dispute is considered in court. Such a signature is information of a biometric nature; access to it by third parties must be excluded. In practice, this is achieved by storing the physical media that carry personal data in a safe.

Besides consent, the HOA should develop an internal regulation on the processing of personal data, which, in addition to the purpose and methods of processing, should describe the rights of citizens in relation to their personal data and the responsibilities of the organization.

Cases of HOAs violating citizens' rights to personal data protection

The practice of homeowners' associations related to the unlawful use and processing of personal data of citizens often attracts the attention of the prosecutor's office and inspection bodies.

A typical case is the posting of information about non-payers in building entrances. These notices contain the name and apartment number, and can therefore be used as a basis for obtaining further information about the citizen. Such use of personal data by HOA employees is illegal and leads to the imposition of administrative fines.

Receipts for payment of services must be sealed in envelopes, since they also contain information that falls into the category of personal data. The organization that delivers receipts can be involved in this work only subject to compliance with the legislation on the protection of personal data. The same requirement applies to persons installing and checking electricity, gas and water meters. These norms are established by Government Decree No. 354.

If citizens' photographs are needed, for example for electronic passes or for a board of honor for the best payers, consent to the use of biometric information is also required. Information that does not correspond to the stated purposes of processing, for example information about other real estate, cannot be requested. This would be a violation of the law.

When creating an HOA and choosing its leaders, tenants should not forget that, in addition to the norms of housing legislation, there are many other regulatory legal acts that the partnership must comply with. The legislation on the protection of personal data is one of them, and observing it is necessary because it is tied to the constitutional right of citizens to privacy. This encourages HOAs to pay increased attention to compliance with the requirements of the law on the protection of personal rights.