When a syndic shares personal data of co-owners, the question often arises as to who bears ultimate responsibility under the General Data Protection Regulation (GDPR). The answer is surprisingly unambiguous: in most cases, the syndic acts purely as a processor, while the association of co-owners (ACO) acts as the data controller. This means that complaints about violations of data protection law in the implementation of decisions of the general assembly should be directed primarily against the ACO, and not against the syndic personally.
The facts
In a recent case before the Data Protection Authority (DPA), a syndic had sent an email to all residents of a residence. Attached to this email was a draft amendment to the building's basic deed.
However, this document contained very detailed personal data of one of the co-owners, including the full name, date of birth, place of birth, national register number, address, marital status, and the date and place of the marriage and the matrimonial regime. The owner subsequently filed a complaint against the syndic for violations of various provisions of the GDPR, including the principles of data minimization, integrity and confidentiality.
The decision and the law
In a decision dated 4 March 2026 (No. 43/2026) the DPA Litigation Chamber had to rule on whether the syndic was the "controller" within the meaning of Article 4.7 of the GDPR in this context.
The DPA ruled that it was not, and decided to dismiss the complaint under Article 100, § 1, 1° of the Law establishing the Data Protection Authority. According to the regulator, the syndic does not determine the purpose and means of processing the data, but is only an executive body of the association of co-owners. Since the general assembly had decided that the new draft of the basic deed should be submitted to the owners for approval, the decision-making power lay entirely with the ACO. The obligations under the GDPR invoked by the complainant (including Articles 5, 6, 24, 25, 33 and 34) apply only to the data controller and therefore cannot be invoked against the syndic.
Legal analysis and interpretation
This decision confirms an interface between property law and data protection law. Pursuant to Article 3.89, § 5, 1° of the Civil Code, it is part of the mandatory legal mandate of the syndic to execute and enforce the decisions of the general assembly. This legal mandate ensures that the syndic has de facto only an executive power with respect to the general assembly, which reduces him to a processor in the terminology of the GDPR.
To this end, the Litigation Chamber explicitly relies on the guidelines of the European Data Protection Board (EDPB) and on a historical opinion (No. 22/2008) of the former Privacy Commission. As long as a processor does not act outside or contrary to the legitimate instructions of the controller, it cannot be sued for breaches of general GDPR obligations specifically and exclusively addressed to the controller. The ruling exempts the syndic from objective liability for data processing operations whose purpose is established at the ACO level.
What this specifically means
- For the association of co-owners (ACO): The ACO holds the decision-making authority over the purposes and means of processing and thus bears ultimate responsibility for the protection of personal data within the management of the building. It must ensure that decisions (such as the circulation of a basic deed) comply with data protection legislation, including the data minimization obligation.
- For the syndic: As a syndic, you enjoy protection from direct GDPR complaints about general obligations, as long as you act in accordance with the agreement with the ACO and only carry out the instructions of the general assembly. You are acting as a processor, which means that setting up a proper processor agreement and providing proactive advice to the ACO is highly recommended.
- For the co-owner: As a rule, anyone who believes that he or she has been the victim of unlawful processing of personal data at the hands of the association must file a complaint against the ACO, not the syndic. A complaint against the syndic can only succeed if it is shown that he acted outside his mandate or in violation of legitimate instructions.
Frequently asked questions (FAQ)
Who is the data controller in an apartment building?
In the management of an apartment building, the association of co-owners (ACO) is considered the data controller because it has the authority to determine the purpose and means of processing personal data.
As an owner, can I sue the syndic for violation of data protection law?
You usually cannot sue the syndic directly for violations of the general GDPR obligations. The syndic is usually an executive (a processor). Certain GDPR provisions (such as data minimization and data breach notification obligations) apply to the controller and cannot be invoked against the processor.
When does a syndic become personally liable under the GDPR?
A syndic is only liable for damages from processing when it fails to comply with the obligations specifically imposed on processors by the GDPR, or when it acts outside or contrary to the ACO's lawful instructions.
Conclusion
The strict dividing line between the responsibilities of the syndic as executor and the ACO as decision-making body is fundamental to the correct application of the GDPR within apartment law. Incorrect identification of the controller leads to the dismissal of the complaint.



