FM newsroom – smart building, security.

Smart buildings are rapidly transforming the commercial real estate landscape. They’re popping up in modern office complexes, industrial facilities, and logistics hubs, utilising technology to reduce energy consumption, lower costs, and meet environmental targets. But with all this innovation comes a need for clearer rules – especially when it comes to personal data and cybersecurity.
Smart buildings run on advanced digital systems: sensors, AI, the Internet of Things (IoT), and data platforms all working together. They adjust lighting, heating, and security in real time based on how people use the space. This can lead to big savings – studies suggest up to 30% less electricity use and more than a 20% cut in CO₂ emissions in large buildings.
For businesses striving to achieve environmental goals, smart buildings are a crucial component of their strategy. But collecting and using all that data brings legal responsibilities, especially when the data can identify individual people, Reality Trend points out.
Smart Tech, Personal Data
Smart systems don’t just track building performance – they also monitor people. Whether it’s footage from security cameras, data from access cards, or movement tracked by location sensors, much of this information qualifies as personal data under the GDPR.
That means it must be handled with care. In Slovakia, the law requires that any processing of personal data meet specific legal criteria, such as obtaining user consent, fulfilling a contract, complying with legal obligations, or pursuing legitimate interests (such as ensuring safety).
Playing by the Rules
Anyone managing a smart building – whether it’s an owner, facility manager, or tech provider – must follow strict rules around data collection and use. People must be clearly informed about what data is being collected, why it is being collected, and for how long.
Camera zones, for example, need to be marked not just with symbols but with complete details about who’s recording, why, and for how long the footage will be stored.
There are also firm limits: surveillance can’t happen in private spaces like bathrooms or changing rooms, and unless something unusual happens, recordings should be deleted within 72 hours.
Larger operations require a designated data protection officer to oversee all aspects and ensure compliance with the GDPR.
Who’s Responsible?
Legal responsibility depends on the role each party plays. The data controller decides what data is collected and why, while a processor acts on their behalf. These roles should be clearly outlined in contracts to avoid confusion.
Good communication is essential. When people understand how their data is used and protected, trust grows – and so does support for smart technologies.
Don’t Forget Cybersecurity
With smart systems come new threats. Cyberattacks can disrupt operations and leak sensitive data. Under GDPR, building operators must take preventive steps and report any data breach to authorities within 72 hours – and to affected individuals if the risk is serious.
The responsibility lies with the operator, not the attacker. If the operator didn’t do enough to protect the data, it faces consequences – potentially fines of up to €20 million or 4% of annual turnover. While actual fines in Slovakia have mostly been modest so far, the law allows for serious action in severe cases.
“The risk of cyberattacks can never be completely ruled out, but the law demands proactive steps. Controllers and processors must show they’ve done all they can to keep data secure,” as attorney Marek Beľujský from FAIRSQUARE law firm puts it.