«When it comes to life cycle data management, the legal framework should be considered from the very beginning»

13.04.2023

Interview with David Schwaninger

The Digital Real Estate Survey 2023 shows that the maturity of the construction and real estate industry depends not only on technical possibilities and new innovations, but also on how we handle and use data. However, this also always brings new legal challenges. Expert David Schwaninger tells us how these new innovations legally affect the industry and what the new data protection law of 1 September 2023 entails.

More and more companies are digitising their processes and want to use the resulting data. Which legal aspects need special attention?
It is important to know that data is not a thing and therefore you cannot have ownership of it. The Data Protection Act does not regulate the right to data in general, but the processing of a category of data, personal data. Processing is, for example, storing, archiving and copying. It is also important to distinguish between data relating to natural persons and data relating to legal entities, especially in view of the new Data Protection Act (nDSG). This is because data protection law will now only apply when it concerns personal data of natural persons.

The new Data Protection Act will come into force on 1 September 2023. What impact will this law have on data analytics in the construction and real estate industry?
There are some changes in the new data protection law. The most important ones are as follows:

  • It is now limited to the data of natural persons.
  • There is now a duty to inform. It is mandatory for the company to inform the persons concerned when it processes their data. If this duty to inform is intentionally not complied with, the companies are liable to prosecution. It is not the company that is fined, but the person responsible, with a fine of up to CHF 250,000.
  • If personal data falls into the wrong hands, there is now a duty to report it. This can be a cyber attack, but also the leaving of files in public transport. Such an incident must be reported immediately to the Federal Data Protection and Information Commissioner and the persons concerned.
  • If a company employs 250 or more employees, it must now create a register of processing activities. This describes what personal data is processed, how and for what purpose. However, it is also advisable for small companies to create such a directory in order to obtain a structured overview of the existing data. In particular, smaller companies may also be obliged to keep such a register, for example if they process personal data requiring special protection on a large scale.
  • If the company commissions an order processor to access the company's systems, an agreement must be concluded with them. Furthermore, there is a duty of supervision, which means that the responsibility cannot be "shifted" to the order processor. Examples of such contract processors are providers of cloud storage or external IT support.

What need for action do you see for companies in the sector?
Companies in the construction and real estate industry have already done a lot. They have already come a long way, especially in terms of data security. In addition, some have already concluded detailed agreements with third-party providers (order processors). Nevertheless, there are only a few companies that are very well prepared for the upcoming changes in data protection law. There is still a lot to do. The new Data Protection Act will come into force on 1 September 2023 without transitional periods or grace periods.

Do you notice differences between SMEs and large companies in dealing with regulatory requirements?
Yes, there are differences between SMEs and large companies. Due to the fact that large companies often operate internationally and therefore already had to deal with this due to the European data protection law, they have already been able to build up certain structures for handling their data and that of their customers. SMEs are still a little behind and have to catch up, because it will be September very soon... Nevertheless, I recommend that large companies check whether the guidelines and regulations are really being implemented internally.

Are there other legal developments besides data protection law that are relevant for the use of data analytics with a focus on the construction and real estate industry?
Yes, various ones. There was a change in bankruptcy law that plays a role in outsourcing to cloud providers. Now, in the event of bankruptcy, you have the right to have your data handed over. Until now, you had to hope for the goodwill of the bankruptcy administration. But beware, it also takes time to separate out data. Therefore, data must always be backed up separately. There have also been changes in copyright law; all photographs are now protected by copyright. When editing building data, copyrights must be taken into account, as there is a joint copyright to a BIM model, for example. In the future, the EU's Digital Services Act (DSA), which is still being developed, will bring about changes. This will have an impact on the handling of data beyond personal data. Swiss legislation will probably converge with the DSA sooner or later.

Through the use of BIM, digital planning takes place on a common building model. How is data ownership or data use regulated in such models and what is there to consider?
As already indicated, copyright or co-authorship plays an important role in the use of this methodology. If there are no contractual regulations, changes to the model can only be made jointly. Therefore, it is advisable, as the owner, to regulate this contractually before creation, so that changes can be made to the model without the consent of all other project participants when the construction project is completed. Since the necessary data for the later utilisation phase is ordered during the planning of a construction project anyway, the definition of the legal framework conditions for a smooth handover after the completion of the project can take place at the same time. However, experience shows that little attention is paid to the legal components. Making these changes after the fact can be very costly.

More and more property owners are interested in operational data about their properties, such as consumption data. How is the issue of data ownership regulated in this regard and what do you recommend to owners and their service providers with regard to these data deliveries?
On the one hand, it is basically no problem to pass on information from the BIM databases, unless it is specific know-how, which is rarely the case. However, if the entire model is passed on to service providers or third parties, this must also be contractually regulated in advance. Often, however, it is not the legal aspects that are an obstacle in this case, but the technical ones. On the other hand, it is important to know that, with the new data protection law, if tenants' data is kept on file or in the system, a data protection statement must be included in the tenancy agreement or attached to it. This is often neglected by smaller companies, which can lead to legal problems.

Increasing networking is also taking place at the building level - keyword smart building. What risks from a legal perspective must be kept in mind here?
Up to now, owners and operators have been relatively free in this area, as long as the data is anonymised. However, if, for example, the consumption data can be assigned and the identity of the person concerned can be determined - for example, by assigning the flat number - data protection law now applies. In this case, it must also be ensured that the data is deleted as soon as the company no longer needs it. I therefore recommend drawing up a list of which data can be deleted and when, based on the retention and limitation periods.

More and more data is being stored and used on third-party platforms or in the cloud. Are there any special points that should be taken into account when selecting and working with the platform provider?
It is important to make sure that the third-party providers do not use the data for their own purposes and that data security is guaranteed. This can be checked by means of various certificates. Furthermore, possible confidentiality obligations in the contracts with the customers must be observed. If such obligations exist, the data may usually not be passed on to third parties or only under strict conditions. If the service provider goes bankrupt, there is a claim to the return of the data. Either this is contractually stipulated or the right to segregation, which is legally regulated in bankruptcy law, applies.


About the survey 

The Digital Real Estate Survey has been surveying the status of the digital transformation of the construction and real estate industry in Switzerland annually since 2016 and for Germany since 2019. The whitepaper presents the current situation in the two countries based on the assessments of various executives and professionals from the industry and is supplemented by the expert knowledge of consultants from pom+Consulting AG. 

The study can be downloaded free of charge. 
