This case relates to an individual who alleged their personal data, in the form of their name, address and email address had been unlawfully retained and processed by a property management company.

The individual received an unsolicited email containing a newsletter from the company, despite not having a business relationship with the company for a number of years. The individual contacted the company requesting an explanation as to why the company had retained the individual’s personal data. The company stated that it was previously the managing agent for a

particular residential development that the individual had a business interest in. It advised that it had sent the email in error. The company informed the individual that it had now deleted their personal data from its database.

The individual was not satisfied with this response from the company and submitted a complaint to the DPC. Following engagement with the DPC the company explained it had been the managing agent for an owner

management company and following the termination of its contract with the owner management company, it had failed to delete the individual’s personal data from its database.

As part of the examination of this complaint, the DPC sought to establish if the company had a lawful basis for processing the individual’s personal data by retaining it following the end of the respective contract. The company informed the DPC that it was relying on Article 6(1)(a) of the GDPR which states that processing shall be lawful where a data subject has given their consent. The company further stated that under the Property Services (Regulation) Act 2011 it was required to retain data for a period of no less than six years. The company further indicated that it was an oversight on its part that it had retained the individual’s personal data beyond the six-year retention period. It also established that an administrative error had resulted in the individual receiving the unsolicited email.

The company acknowledged that it no longer had a lawful basis to process the individual’s personal data by retaining it post the six-year period and confirmed that it had deleted all personal data relating to the individual. The company also confirmed what steps it had taken to improve the procedures for managing its database of contacts to ensure unlawful processing of this type did not recur.

Accordingly, the company did not adhere to the principles relating to processing of personal data in accordance with Article 5(1)(b) of the GDPR (‘purpose limitation’) when it used the individual’s contact details to send them a newsletter when it should not have retained the individuals’ contact details for this period of time. It also did not adhere to Article 5(1)(e) of the GDPR (‘storage limitation’) when it retained the individual’s personal data which permitted the identification of the individual for longer than was necessary for the purpose for which the personal data was original obtained.

The DPC issued recommendations to the controller around its obligations to ensure that all processing is lawful, fair and transparent, as required under Article 5 of the GDPR and that appropriate technical and organisational measures are implemented to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.