What issues housing associations face under the GDPR

Housing corporations have a special position under the law. For example, the housing corporation’s task is to allocate rental housing appropriately and provide a certain level of living enjoyment to residents. In performing its duties, a housing corporation obtains and processes various personal data from its (potential) tenants. In many cases, there is a need to share personal data back and forth with third parties. However, this is not always permitted under the General Data Protection Regulation (“GDPR”). What about this?


In practice, there are several issues where housing associations (want to) share personal data with third parties. Think of collaborations with health and welfare organizations, with police in the context of housing nuisance or when engaging parties who maintain the residential property. We mention some aspects that we encounter in practice.

For example, the question of whether the sharing of personal data is permitted. This listens closely, as evidenced, for example, by the Supreme Court’s 2022 ruling. Prior to 2016, there was no (sufficiently specific) breach of confidentiality for the tax authorities to provide income data to a landlord if requested. However, there was a legal basis for the housing corporation to receive the income data. Thus, the tax authority was not allowed to provide the income data to the housing corporation, but the housing corporation was allowed to receive it. On April 1, 2016, the specific authority for the tax authority to be able to provide the income data was included in the law. From this date, therefore, the tax authorities could lawfully share income data upon request from the housing corporation (1).

Thus, when there is a desire to share (or receive) personal data, it must always be assessed whether this is permissible under the law.

What should a housing corporation look out for?

That starts with the question of what kind of data is being shared. Is it ‘normal’ personal data or is it special or criminal data? The latter two categories may only be processed, and thus shared, in very limited circumstances. The Arnhem-Leeuwarden Court of Appeal ruled in 2020 that a code indicating that the rental agreement with a tenant had been (civilly) terminated due to the presence of hemp in the dwelling is not criminal personal data.

Once the category of personal data has been determined, it is relevant to determine the purpose of the processing and what basis, if any, may apply. In the aforementioned judgment of the Arnhem-Leeuwarden Court of Appeal, this question was tested against the ‘regular’ bases in Article 6 GDPR and not against Article 10 GDPR which applies to criminal-law personal data (2). According to the court of appeal, the code may be shared with other housing corporations on the basis of a legitimate interest (Article 6(1)(f) GDPR), namely the public interest of an efficient housing distribution.

May housing corporations share personal data if a covenant has been concluded with the parties involved? In short, no. A covenant is merely a means to ensure that if parties have a basis for processing personal data, they also comply with the other requirements of the GDPR and can hold each other accountable for this. Among other things, it lays down agreements about which personal data may be exchanged with which parties, how data subjects’ rights may be exercised (including the provision of the correct information to the data subject) and how the exchange takes place.

  1. ECLI:NL:HR:2022:1866
  2. ECLI:NL:GHARL:2020:3374