101 guide on GDPR for coworking spaces (I)

The EU General Data Protection Regulation (GDPR), a major European data protection law, has been running for two months now, but we still get regular queries about it.

We teamed up with Leco (legalcoworking) to create another one of our 101 guides to help you understand how the GDPR applies to your coworking space.

The GDPR is a new set of data laws fit for the digital age, and its purpose is to harmonise data privacy laws across Europe and to give more protection, rights and control to individuals regarding their personal data.

In the coworking industry we are always dealing with data, including members', visitors' and website users' data. This guide aims to help coworking spaces plan how they are going to deal with all of this personal data in a clear, fair and transparent manner and what security measures they should take. It also sets out the affected party's rights regarding their personal data. The guide is rather long though, so there will be 3 parts - fasten your seatbelts!

Here's an outline of what will be covered in the GDPR guide for coworking spaces:

(Part I)


1.1. What is meant by personal data?

1.2. What personal data can a coworking space process?

1.3 Why must coworking spaces adapt their procedures to the GDPR?

2. The GDPR

2.1. What are the main points of the GDPR?

2.1.1 A proactive approach

2.1.2 A lawful basis for the processing of personal data

2.1.3 Principles relating to the processing of personal data

2.1.4 Transparency and information for interested parties

2.1.5 Provision of rights to those affected


(Part II)


3.1 Decide whether you need to designate a DPO (Data Protection Officer).

3.2 Conduct a risk assessment.

3.2.1 Tools to identify threats and risks. Evaluating and dealing with such threats.

3.3 Review the coworking space's existing protection / security measures


(Part III)

3.4 Establish a procedure for reporting security breaches.

3.5 Information for interested parties regarding the processing of their data

3.6 Consent

3.7 Establishing procedures through which interested parties can exercise their rights

3.8 Selection and contracting of those responsible for processing

3.9 Deciding whether you engage in international data transfers




Following the introduction of the new European Data Protection Regulation, we have put together a GDPR Guide for Coworking Spaces, which aims to outline in a clear, detailed manner, with the use of examples, the steps you need to follow to be GDPR compliant. Our objective is for you to understand the key points and designate an individual to help your coworking space adapt to the GDPR regulations.

We recommend you read this guide carefully. It is rather long, but it contains only what is necessary to tell you everything that you need to know about GDPR and the steps you need to take to comply with it.



Coworking spaces allow independent professionals from different sectors to share the same workspace and they facilitate the emergence of joint projects, as well as the growth and consolidation of individual professional projects.

In the exercise of their professional activity, coworking spaces handle personal data, which means they must conform to the General Data Protection Regulation (GDPR).

1.1. What is meant by personal data?

All information about natural persons (NOT legal persons) that identifies them or makes them identifiable. Therefore, this includes data of a personal nature: names, surnames, addresses, email addresses, ID numbers, etc. Obviously, it also includes a person's image, since it allows them to be identified.

* This guide will refer to the owner of such personal data as the affected or interested party, or coworker as applicable.

* The guide will refer to the holder of the coworking space as the owner.

* The guide will refer to companies or professionals who provide services to the owner of the space, and as such have access to personal data in their files, as the person in charge of processing. They will only process data on the owner's instructions.

1.2. What personal data can a coworking space process?

When we talk about "processing" personal data, we refer to any operation such as: collection, recording, storing, adaptation or alteration, retrieval...

Usually, the personal data that a coworking space will request from coworkers or its contacts will concern basic identification data such as names, surnames, emails, addresses, ID numbers, telephone numbers and the bank account or credit card numbers of those who pay for the service.

In addition, it may also process personal data of professionals who provide them with a service.

1.3 Why should coworking spaces adapt their activities to the GDPR?

Because in the exercise of their activities (providing coworking services) they deal with personal data and, in addition, the coworking services are conducted in an establishment with a person in charge (the owner of the coworking space, whether a natural person, a company, etc.) within the European Union.

2. The GDPR

The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. In other words, the General Data Protection Regulation (GDPR).

The GDPR is a directly applicable standard, which means it will be mandatory in all EU member states. Nevertheless, the GDPR allows each European Union member state to add or modify certain provisions of the GDPR in accordance with its own local laws, which means:

VERY IMPORTANT! Every coworking space must ensure that it also complies with the regulations that may be passed by its own country.

2.1. What are the main points of the GDPR?


2.1.1 A proactive approach

The GDPR is committed to a more proactive approach, which means that coworking spaces must analyse the kind of personal data they will deal with in carrying out their professional activities and what dangers this data processing may entail, and on this basis adopt the security measures that they deem most appropriate and proportional, to prevent unauthorized third parties from accessing personal data, and to prevent that data from being modified or erased.

In this way, the coworking space will plan beforehand how it will deal with personal data and which security measures are the most appropriate and the least invasive to implement for the data it deals with (privacy by design). In addition, it will only deal with the data essential to provide its coworking services (privacy by default). Therefore, requesting names, surnames, identification numbers, addresses... is sufficient in order to provide a coworking service. Other data such as health data, ideology, religion, etc. will not be requested.

The ultimate aim of the GDPR is to reduce to a minimum the risks that all data processing entails, rather than the elimination of all risks. Such risks always exist whenever personal data is processed.


2.1.2 A lawful basis for the processing of personal data

The GDPR also states that any processing of personal data, in order to be legal, must rest on a basis that legitimizes it. What does this mean exactly? That there must be a reason for processing the data, one that the GDPR expressly stipulates.

In the case of coworking spaces, data processing usually occurs due to the existence of a contractual relationship, that is, the coworker enters into a contractual relationship with the space which provides them with its coworking services.

However... what about an individual who asks for information about the coworking space, whose personal data we collect to send them information, who subsequently does not end up being a client of the space? In this instance, consent would form the basis of dealing with this person’s personal data, which means they must specifically give their consent to the processing of their personal data, as we will explain below.


2.1.3 Principles relating to the processing of personal data

- Lawfully, fairly and transparently. In relation to the interested party, the data must be processed by the coworking space in a lawful, fair and transparent manner.

- Purpose limitation. Data collected for a specific purpose may not be used later for a different purpose. For example, if the coworking space collects data from a coworker to provide them with coworking services, it will not be able to subsequently use this data to send them advertising related to other brands or products.

- Data minimization. Personal data must be adequate, relevant and limited, that is, only the data that is strictly necessary in relation to the purposes for which it is collected. Therefore, if a name and surname is enough to provide the service contracted, no other information, such as hobbies, health data, etc., will be requested.

- Accuracy. Personal data must be accurate, and where necessary, kept up to date.

- Storage limitation. The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; therefore, the data will only be stored for the time necessary for the aim of the processing. This means that when the contractual relationship between the coworking space and the coworker ends, the space must not continue to store their personal data.

- Integrity and confidentiality. Personal data must be processed in such a way that adequate security is guaranteed through the application of appropriate control measures. Data must be processed in a way that guarantees its security, and that it remains confidential.


2.1.4 Transparency and information for interested parties

The information provided to the holders of the personal data being processed, and any communication with them, must be in clear and plain language, in a transparent manner and in a concise and easily accessible form, as we shall see in section 3.5.


2.1.5 Provision of rights to those affected

Those affected will have the right of access, rectification, erasure ('the right to be forgotten'), the right to object, restrict processing and the right to data portability of their personal data. We will address these later.


There you have it! In the first part of the guide we have covered what personal data coworking spaces can process, why spaces should adapt their procedures to the GDPR, as well as the main points of the GDPR.

Next week, Part (II) will cover some of the steps a coworking space needs to follow to be GDPR compliant... Not long to go now till you are a GDPR expert for coworking spaces, hang in there!
