In earlier blogs in this series, we discussed the ESG reporting obligations that real estate stakeholders may encounter following the implementation of the SFDR and the CSRD. While ESG reporting traditionally focuses on environmental, social and governance aspects, it does not specifically address personal data. This is a deceptive oversight though, because in reality, personal data plays a significant role in this landscape.

ESG Data

The performance and utilisation of smart buildings are increasingly, if not already, reliant on data. While these metrics may not at first glance appear to have much relation to personal data, it is easily overlooked that they stem from the usage of the properties and their related services by their users. Although this data may initially seem (pseudo)anonymised when consolidated into ESG reports, it individually represents personal information that requires robust data protection measures. Even if the primary focus of ESG reporting is on overall sustainability and governance, overlooking the personal data within this framework can potentially lead to regulatory challenges.

Another consideration is the growing significance of ESG for professional tenants. For instance, properties designated for offices, data warehousing, logistics or the like may face further requirements and conditions set by tenants seeking to meet their own ESG goals. Employers may need to monitor the use of electric vehicles by their employees, potentially making use of charging stations available at a property. Tenants may also want or require insights into their individual energy and utility consumption, or they may be open to (co)investing in energy-saving initiatives for the property, necessitating eventual reporting on the return on investment. While such action would typically generate ample data, which obviously serves as a valuable resource for ESG insights, it should also be viewed against the backdrop from which it originates. ESG data may be sourced through various channels, often derived from individuals throughout the chain, which introduces considerations under the General Data Protection Regulation (GDPR).

Take, for example, the implementation of smart lighting in an office building aimed at reducing energy consumption. If properly monitored, this could be compared with usage data from an office without such technology, offering a clear picture of its effectiveness. However, when examining the data collection in an office with assigned desks, a more intricate perspective emerges. The data not only provides an overall insight into how effective the measure is, but also exposes the specifics directly generated by human behavior. It could determine which room has been occupied by whom and for how long, just from the light activation when occupied. If we consider that the concept of personal data under the GDPR encompasses any information that is linked, even indirectly, to an identified or identifiable individual, data privacy is inevitably linked with such technological advancements.

Companies may also rely on third-party data sources for various ESG metrics. These sources may collect and process all information and data included within systems related to the property or its tenants to analyze behaviors, patterns and trends, potentially resulting in reporting data. For instance, the calculation of CRREM pathways or sustainability labels may be derived from utility data from tenants, which could by its very nature be traceable to those individuals. Despite underlying ESG reporting data often being aggregated or non-personal, it can still be derived from personal data. Consequently, the necessity for proper data protection measures and compliance should be considered even if data privacy may not yet be on your radar.

Regardless of whether we are dealing with a single-tenant, multi-tenant or residential property, the simple fact remains that the performance of any property ultimately depends on the individuals using it.

Responsibility for ESG data?

Understanding when personal data is involved is crucial, primarily revolving around the determination of an organisation's status as a (joint) controller or processor under the GDPR. This distinction significantly impacts the party's responsibilities and necessitates the establishment of contractual arrangements. Specifics may vary per situation, but a factual assessment of decision-making powers and influence in data processing is consistently required. The party initiating and making decisions about the data processing, often a manager or a tenant, assumes the role of a data controller, undertaking the majority of GDPR responsibilities. They may, under certain circumstances, qualify as joint controllers if they jointly initiate data processing, necessitating specific contractual arrangements. Suppliers that process personal data on a controller's behalf qualify as data processors, which calls for data processing agreements. Whenever third parties are involved, a thorough vetting process is recommended to ensure that they are capable of securely handling such data.

Where properties are concerned, a real estate owner may be dependent on exclusive or specific suppliers for ensuring compliance with ESG criteria. Consequently, committing to a certain supplier can have broader implications. For instance, if a supplier is engaged for a multi-tenant property, all tenants may automatically become tied to that supplier. Consider the possibility where an owner decides to install solar panels on the roof or equip individual units with smart thermostats. To use such equipment, tenants must rely on the vendors engaged to operate the equipment, for example through the relevant SaaS solutions provided for its use. Another consideration is that stakeholders may be dependent on a specific supplier, simply because that supplier may be the only suitable one for the required service. In light of this, the potential impact of a particular supplier should not be underestimated. On the other hand, the degree of reliance on such a supplier should also not be a reason to accept them without scrutiny. In any case, supplier vetting is a necessary exercise, be it driven by compliance or commercial reasons.

Beyond the relevance of safeguarding data, one must also consider the potential for significant disruption that may result from inadequate security measures. If a security breach were to result in network downtime, this could render it impossible to operate the property, deliver services or keep proper oversight. Getting security right, both contractually and practically, will proactively ease the pain of any potential incidents.

Final remarks

In summary, the symbiotic relationship between data privacy and ESG is clearly evident. As ESG continues to evolve, real estate stakeholders prioritising data privacy will not only enhance their long-term sustainability and success, but also contribute positively to the broader societal goals of responsible digital citizenship. The ongoing journey towards integrating privacy into ESG represents a commitment to building a future where data is treated with the respect and protection it deserves.

Other blogs in this series

1. ESG - How does the EU Taxonomy Regulation impact the real estate sector?
2. ESG - How does the SFDR impact the real estate sector?
3. ESG - How does the CSRD impact the real estate sector?
4. ESG - Green and sustainability-linked loans in the real estate sector
5. ESG - Key criteria impacting taxonomy-alignment of real estate
6. ESG - Stay classified, real estate fund managers

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.