Anna Moldenhauer: Which data-protection regulations currently apply in the EU and should be taken into account when planning a smart building?
Dr Thomas Rütten: Data protection begins in the planning phase and revolves around the key concept of ‘data protection by design’. At present, the General Data Protection Regulation (GDPR) lies at the heart of data protection legislation in the European Union. Article 5(1) of the GDPR lays down a series of principles governing personal-data processing. They are lawfulness, the use of data in good faith, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
The responsible party must uphold these principles and be held accountable for their implementation. It is hardly feasible to ensure adequate compliance with these obligations solely by means of software solutions. Consequently, it is essential that a data protection strategy be developed in the planning phase, which means the sensors used to collect data within the building should be designed to comply with data protection regulations from the outset. For example, it might be useful to know whether and how many people are in a room for the purposes of intelligent climate control. This information could be obtained using a camera, but a motion detector would suffice. It makes sense to consider, right from the planning stage, which alternative – taking account of data-protection considerations – is the preferable one. We have systematised this and refer to the whole process as ‘legal data-flow management’. This ‘legal data-flow management’ begins during the initial project phase and continues, in particular, during the planning phase, right through to the operation of the completed building. This means a comprehensive technical and legal analysis is required during the project and planning stages to avoid making planning decisions that may later prove not only to be incorrect or problematic but also impossible to change from a technical perspective.
When it comes to determining the specific technical and organisational measures required to implement the data protection principles (Article 25 of the GDPR), a balance must be struck between, on the one hand, the latest technology, implementation costs and the nature and purpose of the data processing and, on the other hand, the risks associated with the data processing. Thus, the responsibility begins not when the personal data is actually processed but rather at the point when the technical means and methods for processing the data are specified. Furthermore, the GDPR sets out a whole range of obligations that include, in particular, documentation and information obligations. In view of this, careful consideration should be given during the planning phase as to whether the future occupant of the building will actually need the personal data in question.
Anna Moldenhauer: The categories of data collected in smart buildings about building usage have different protection requirements. Does it make sense to separate the data generated within the buildings from user-specific data?
Dr Thomas Rütten: Yes, because data-protection law distinguishes between different types of data and assigns them different levels of protection. For certain highly sensitive data, protective measures are necessary that would constitute an unnecessary burden for other, less sensitive data. The most important distinction lies in whether data is personal or not. Only personal data is subject to the rules of the GDPR. This refers to data relating to an identified or identifiable natural person. The range of information covered is very broad. Examples include name, appearance, opinions, financial circumstances and, according to case law, "all other relationships of the data subject with third parties and their environment".
Furthermore, there are a number of special personal-data categories, the processing of which is generally prohibited (Art. 9 GDPR). They include data relating to ethnic origin, political opinions, religious beliefs, genetic data, biometric data for the purpose of unambiguously identifying a natural person, health data, or data concerning a person’s sex life or sexual orientation. Such data may only be processed if an exception applies (Art. 9(2) GDPR). The data collected in a smart building is extremely varied, which means it is necessary to categorise the data according to its sensitivity under data-protection law and treat it accordingly. A sensor that measures sunlight, for example, to control roller shutters, can be treated very differently from a fingerprint scanner that controls access to the building. This distinction should also be taken into account as early as possible in the planning stage via the ‘legal data flow management’ mentioned at the outset.
Distinguishing between these categories can sometimes be tricky. In the case of a presence sensor in a staff kitchen, it could be argued that the data processed cannot be linked to any specific individual. However, this would not be the case for the same sensor in a sole-occupancy office.
Anna Moldenhauer: Building automation typically involves a complex system landscape comprising numerous users and IoT devices. What should building operators do to ensure that liability in the event of damage is clearly contractually regulated in advance?
Dr Thomas Rütten: The parties involved and their legal relationships with one another are so multifaceted that it is difficult to provide a general answer to this question. It is not unusual for planners, contractors, programmers, project developers, buyers, operators, tenants and users all to be involved in the project in some way, either sequentially or concurrently. This leads, on the one hand, to interface issues and, on the other, to potential liability risks and recourse options vis-à-vis a multitude of parties.
Nevertheless, the first step should generally be to clearly define responsibilities. This involves establishing who is responsible for the maintenance and servicing of hardware and software, and what legal consequences arise from any malfunction. For example, certain systems, such as fire safety and access control, must always be operational and ready for use. For less critical systems, a comparatively less stringent level of liability could be agreed. Furthermore, it may be advisable for the building operator to agree with the tenant on certain security standards, e.g., ISO/IEC 27001, insofar as these exist. This would make it easier for the operator to commission a service provider to carry out the work. It would also make it easier to determine whether or not the operator has fulfilled their contractual obligations towards the tenant.
Overall, it makes sense to assess likely security risks and the associated potential for damage before the system goes live. This enables the parties involved to agree on cyber risk insurance if necessary. In addition, an assessment should always be made as to whether an exemption from liability or a limitation of liability in terms of the amount involved is feasible and can be agreed upon.
Anna Moldenhauer: Why is it currently so difficult to standardise cybersecurity for smart buildings on the basis of common criteria and certifications?
Dr Thomas Rütten: Cybersecurity is a key challenge when it comes to constructing and operating smart buildings. And there are many reasons why it is difficult to standardise security concepts. Firstly, there is no single definition of a smart building. On the contrary, different buildings have different automation solutions and, therefore, different levels of potential risk. A building equipped with only an intelligent heating control system naturally requires a fundamentally different security strategy to that of a highly automated smart building with its own data centre, where thousands of measuring points and data inputs converge.
In many cases, buildings have not been designed and constructed as smart buildings, but have been gradually fitted with a variety of digital systems. In such cases, there is frequently no comprehensive cybersecurity strategy at all. Strictly speaking, however, all hardware and software should be subjected to a penetration test before the building is commissioned. This technical heterogeneity makes it difficult to define uniform security standards. In many cases, older devices will be unable to meet modern security protocols. At the same time, users should not be forced to radically change their systems too frequently. Indeed, the rapid pace of innovation typical of smart building technologies would likely outstrip the certification process in many instances.
The legal landscape regarding cybersecurity is also ambiguous. There is no “Smart Building Act” specifying a certain level of protection. Instead, there is a variety of national and European regulations that must be observed in accordance with the configuration of the smart building. Examples include the Cyber Resilience Regulation, which governs the security of products containing digital elements, and the NIS 2 Directive, which aims to protect critical infrastructure from cyberattacks.