GDPR starter kit for Dutch HOAs (Vereniging van Eigenaren)

A VvE is a legal entity and controller for resident data. Specific challenges: (1) Resident data: name + address + phone + email. Owner data via Land Registry allowed, contact details via resident request. (2) Cameras in common areas: only under strict conditions + clear signs + max 4 weeks retention + AGM decision. Not automatically allowed "for safety" — must be substantiated. (3) AGM minutes: names + voting behaviour = personal data. Share only with VvE members, not public online. Reducing detail is possible ("decision: majority in favour"). (4) Property manager (Atria, MakelaarLand, smaller local parties): usually processor — DPA required. Check that manager doesn't share data for own marketing. (5) Maintenance suppliers: share only contact data, no resident data. (6) WhatsApp resident group: informal use OK, but no official VvE communication. Residents not in group must get info another way. (7) Apartment sale: new owner gets VvE data + old owner must be removed from member list. Risks: small VvEs often miss basics — breach procedure, RoPA. AP investigation 2024 on VvE camera systems. WBTR: VvE directors liable.