
AEPD Resolution: EXP202517310

Resolution Signed: 02/02/2026

AEPD Reference Number: EXP202517310

Sanction Procedure Number: PD-00355-2025 

Fine Amount: €0

Full Description

The Incident (The Homeowners' Association Silence): A property owner submitted a formal data access request to their Homeowners' Association (Comunidad de Propietarios) on 10 September 2025, exercising their right under Article 15 GDPR to obtain personal data held by the community. In Spain, homeowners' associations are legal entities that manage communal properties, collect maintenance fees, and maintain records about residents including payment histories, correspondence, voting records at community meetings, and complaints or disputes. Despite the clear legal obligation to respond within 30 days under Article 12.3 GDPR, the Homeowners' Association completely ignored the resident's request.

The Complaint: After receiving no acknowledgment or response whatsoever from the community's administrator or governing board, the frustrated homeowner filed a formal complaint with the AEPD. The complainant provided documentation proving they had properly submitted the access request through appropriate channels and had received absolutely no communication from the Homeowners' Association within the mandatory one-month response period.

The AEPD Investigation: Following standard procedure under Article 65.4 LOPDGDD, the AEPD transferred the complaint to the Homeowners' Association, giving them an opportunity to explain the non-response and provide the requested information. When the association's initial response failed to satisfy the complainant's legitimate rights, the AEPD formally admitted the case for full investigation on 10 December 2025, opening an official rights procedure against the community.

The Belated Compliance: Only after the AEPD initiated formal proceedings did the Homeowners' Association finally respond to the resident's access request. The association belatedly provided the requested personal data—but this response came months after the original 30-day legal deadline had expired. The pattern is clear: the community ignored the resident's direct request entirely and only complied when facing regulatory enforcement action.

The Core Ruling (Formal Estimation Without Further Action): The AEPD ruled in favour of the complainant, formally confirming that the Homeowners' Association violated Article 15 GDPR and Article 12.3 GDPR by failing to respond within the mandatory timeframe. However, because the association had eventually provided the requested data during the AEPD investigation (though significantly late), the regulator determined that no additional remedial action was required. This is a "formal estimation"—the AEPD officially recognises the violation occurred and validates the resident's complaint, creating a permanent regulatory record against the Homeowners' Association, but does not order the community to issue a new response since the substantive right has now been satisfied (albeit tardily and only under regulatory pressure).

Articles Infringed

Article 15 GDPR (Right of Access): The Homeowners' Association failed to respond to a valid access request, denying the resident their fundamental right to know what personal data the community holds about them.

Article 12.3 GDPR (Response Timeframe): Data controllers must respond to data subject rights requests "without undue delay and in any event within one month of receipt of the request." The association's months-long silence violated this mandatory deadline.

Actionable Steps

Based on Resolution EXP202517310, here is the compliance protocol for homeowners' associations, community organisations, and small-scale data controllers:

1. Homeowners' Associations Are Full GDPR Data Controllers

Many community boards mistakenly believe GDPR only applies to large companies or government agencies. This is false.

Legal Reality: If your Homeowners' Association collects and stores residents' names, addresses, phone numbers, email addresses, payment records, or any other personal information, you are a data controller under GDPR with the same legal obligations as any business or public authority.

Action: Homeowners' associations must designate a person responsible for GDPR compliance (this could be the community president, administrator, or secretary). This person must understand basic data protection obligations including responding to access requests within 30 days.

2. What Personal Data Do Homeowners' Associations Typically Hold?

Residents may request access to any of the following data categories:

Financial Records:

  • Payment history for community fees
  • Outstanding debt balances
  • Banking details for direct debit arrangements
  • Records of late payment penalties or legal proceedings

Administrative Records:

  • Correspondence between the resident and the community board
  • Minutes of community meetings showing the resident's votes or comments
  • Complaints filed by or about the resident
  • Requests for maintenance, repairs, or improvements

Property Information:

  • Ownership records
  • Contact details (phone, email, postal address)
  • Vehicle registration details (for parking permits)
  • Access control records (key fob usage logs, visitor logs)

Action: When a resident requests access, compile all of these records into a single organised response document.

3. The 30-Day Deadline Applies Even to Volunteer-Run Communities

Many homeowners' associations are managed by unpaid volunteer residents or small property management companies with limited staff. This does not exempt them from GDPR deadlines.

No Excuses for:

  • "We're all volunteers with day jobs"
  • "The administrator is on holiday"
  • "We only meet once a quarter"
  • "We don't have the technical resources"

Action: If your community is entirely volunteer-run, establish a simple email monitoring system where at least one board member checks the community's email address weekly and forwards any GDPR requests to the designated compliance person immediately.

4. How Small Communities Should Respond to Access Requests

You don't need expensive legal counsel or compliance software. A simple, organised response is sufficient.

Step-by-Step Protocol:

  1. Acknowledge Receipt (Within 3 Days): "Dear [Resident], we received your data access request on [date]. We will provide a full response by [date 30 days later]."
  2. Gather Records (Within 20 Days): Ask the treasurer for payment records, the secretary for meeting minutes and correspondence, and the administrator for any other files.
  3. Compile Response (Within 28 Days): Create a PDF document with clear section headings:
    • "Your Contact Details on File"
    • "Payment History (Last 5 Years)"
    • "Correspondence Records"
    • "Meeting Attendance and Votes"
  4. Send Response (By Day 30): Email the compiled PDF to the resident with a cover letter: "Enclosed please find the personal data we hold concerning you. If you believe any information is inaccurate, you have the right to request correction."

5. When Residents Request "Everything"

Some residents may submit very broad requests like "send me all information you have about me."

Proportionate Response: You are not required to spend weeks manually searching through decades of paper archives. Article 12.5 GDPR allows you to request clarification if a request is "manifestly unfounded or excessive."

Action: If a request seems overly broad, respond within 7 days asking: "To help us locate the specific information you need, could you please clarify whether you are primarily interested in: (a) financial records, (b) meeting minutes, (c) correspondence, or (d) all of the above? Additionally, what time period should we cover?"

6. Data Retention Limits for Homeowners' Associations

GDPR's data minimisation principle (Article 5.1(e)) requires that personal data should not be kept longer than necessary.

Recommended Retention Periods:

  • Financial records: 6 years (tax and accounting requirements)
  • Meeting minutes: Permanent (legal requirement under horizontal property law)
  • General correspondence: 2-3 years
  • Payment records for departed residents: Delete after 6 years unless there are outstanding legal proceedings

Action: Implement an annual data review process where old records are securely deleted, reducing the volume of data you need to search when responding to access requests.

7. Appointing a Property Manager Does Not Transfer GDPR Responsibility

Many communities hire professional property management companies to handle administration. However, the Homeowners' Association remains the data controller.

Joint Responsibility: If you use a property manager, the management company is a "data processor" acting on your behalf. You must have a written contract (Article 28 GDPR) specifying:

  • The manager will respond to residents' GDPR requests within 30 days
  • The manager will only use resident data for community management purposes
  • The manager will implement appropriate security measures
  • The manager will return or delete data if the contract ends

Action: Review your property management contract to ensure GDPR obligations are clearly defined. If the manager receives an access request, they must forward it to the community board immediately.

8. Common Mistakes That Trigger AEPD Complaints

Homeowners' associations often violate GDPR due to misunderstandings rather than malice. Avoid these common errors:

Mistake 1: "We don't have to respond because the resident owes community fees"

  • Reality: Data rights are independent of financial obligations. You must respond even if the resident is in arrears.

Mistake 2: "The request is vague, so we'll ignore it"

  • Reality: Ask for clarification, but still send a response within 30 days explaining what additional information you need.

Mistake 3: "We'll discuss this at the next community meeting in 3 months"

  • Reality: The 30-day deadline is absolute. You cannot wait for the next scheduled meeting.

Mistake 4: "Only the administrator has access to the files, and they're unavailable"

  • Reality: Ensure at least two people have access to community records to prevent delays.

9. Transparency in Community Governance Reduces GDPR Complaints

Many access requests stem from residents' distrust or suspicion about how their data is being used.

Proactive Measures:

  • Publish a simple privacy notice on the community noticeboard or website explaining: "We collect your contact details, payment records, and meeting attendance for community management purposes. You have the right to access this information at any time."
  • At the annual general meeting, remind residents: "If anyone wants to review their personal data held by the community, please contact [administrator email]"
  • Provide annual transparency reports: "This year we processed [X] maintenance requests, collected [X]€ in fees, and held [X] meetings"

Result: Residents who feel informed and respected are less likely to file GDPR complaints.

10. What to Do If You Receive an AEPD Investigation Notice

If your Homeowners' Association receives a formal communication from the AEPD about a resident's complaint:

Immediate Actions (Within 48 Hours):

  1. Do not ignore it—AEPD notices are legally binding
  2. Respond to the resident's original access request immediately, even if the deadline has passed
  3. Contact a GDPR consultant or lawyer if you're unsure how to proceed
  4. Prepare a formal response to the AEPD explaining what happened and what you've done to remedy the situation

Medium-Term Actions (Within 30 Days):

  • Implement proper GDPR procedures to prevent future complaints
  • Train all board members on basic data protection obligations
  • Consider purchasing GDPR liability insurance if your community manages a large residential complex

Summary of Business Risk

This case confirms that homeowners' associations, despite often being small, volunteer-run organisations, are subject to exactly the same GDPR obligations as commercial businesses and public authorities. Ignoring residents' access requests triggers formal AEPD investigations, creates permanent regulatory records against the community, and can result in enforcement orders or sanctions. The AEPD's ruling sends a clear message: community organisations must designate responsible individuals, implement basic compliance procedures, and respond to residents' data rights requests within 30 days—there are no exemptions for small-scale or volunteer-managed entities.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Aviso Legal (Legal Notice).
