GDPR & Data Subject Rights — Platform Compliance Gap (v1.0.19)
Severity: High
Identified in: v1.0.19
Applies to: All platform tenants processing personal data of EU/Irish residents
Overview
As of v1.0.19, a formal compliance audit has identified that the platform lacks the tooling required to fulfil obligations under GDPR and the Irish Data Protection Acts in relation to Data Subject Requests (DSRs) and associated privacy governance.
This page documents the gap, the regulatory context, and what property management agents and OMC administrators should know in the interim.
Why This Matters
The platform processes a broad range of personal data on behalf of Owners' Management Companies (OMCs), including:
- Owners and tenants — names, addresses, contact details, payment history
- Company directors and officers — personal details, roles, term records
- PPSN data — used in AML and identity verification workflows
- AML records — collected as part of regulatory due diligence
- Service charge billing records — financial data linked to named individuals
- Communications — emails, notices, meeting minutes referencing individuals
Under GDPR (Articles 15–22) and the Data Protection Act 2018, individuals whose data is stored have enforceable rights. Controllers (the OMC) and processors (the platform) must be able to respond to these rights within defined timeframes.
Current Gaps
1. Right to Access (Article 15)
Data subjects can request a copy of all personal data held about them. The platform currently provides no automated export or subject access request (SAR) workflow. Agents must compile responses manually.
2. Right to Erasure (Article 17)
Data subjects may request deletion or anonymisation of their personal data where no legitimate retention ground applies. There is currently no erasure or anonymisation workflow in the platform.
3. Consent Management
Where processing relies on consent as a lawful basis, that consent must be recorded, timestamped, and withdrawable. The platform currently has no consent capture or consent log.
4. Data Retention Policy Enforcement
Personal data must not be retained beyond the period necessary for its original purpose. The platform currently has no automated retention schedules or expiry enforcement.
5. Privacy Audit Log
Controllers must be able to demonstrate compliance (accountability principle, Article 5(2)). The platform currently has no dedicated privacy audit log recording access to, modification of, or deletion of personal data.
Interim Guidance for Agents and Administrators
Until the platform provides self-service DSR tooling, property management agents should follow these interim practices:
- Log incoming DSRs manually — record the date received, data subject identity, and request type. The statutory response window is 30 calendar days.
- Compile access responses manually — identify all records (billing, communications, AML, director records) held for the data subject across the platform.
- Escalate erasure requests to your Data Protection Officer (DPO) before actioning — some records (e.g. financial and AML data) may have mandatory retention obligations that override the right to erasure.
- Do not store PPSN or sensitive AML data beyond the minimum necessary period — review stored records periodically.
- Maintain your own Records of Processing Activities (RoPA) — as the data controller, the OMC is responsible for documenting its processing activities under Article 30.
Regulatory References
| Regulation | Relevant Articles / Sections |
|---|---|
| GDPR (EU) 2016/679 | Arts. 5, 6, 7, 13–22, 30, 32, 77–79 |
| Data Protection Act 2018 (Ireland) | Parts 2, 5, 6 |
| Data Protection Commission (Ireland) | www.dataprotection.ie |
Roadmap
The following capabilities are planned to address this gap in upcoming releases:
- Self-service Subject Access Request (SAR) export — generate a structured data package for any individual on demand
- Right-to-erasure workflow — guided deletion/anonymisation with retention hold checking
- Consent management module — capture, store, and withdraw consent per processing purpose
- Automated data retention schedules — configurable per data category with expiry notifications
- Privacy audit log — immutable log of personal data access, edits, exports, and deletions
This page will be updated as each capability ships.
Contact
If you receive a Data Subject Request from an owner, tenant, or director and need guidance on your obligations, contact your appointed Data Protection Officer or refer to the Data Protection Commission's guidance for organisations.