A team of pro bono attorneys at Proskauer recently celebrated a significant step forward in their fight for safe and healthy housing for the more than 400,000 New Yorkers who live in apartments operated by the New York City Housing Authority (“NYCHA”), the largest public housing authority in the country.  Federal Judge William Pauley in the Southern District of New York entered an order requiring NYCHA to implement enhanced procedures to ensure the effective and timely remediation of mold and excessive moisture.  The order also creates independent oversight to ensure NYCHA’s compliance with these obligations.

The Court’s decision provides relief for a class of public housing tenants who suffer from asthma exacerbated by mold and water leaks.  As NYCHA has reported, 150,000 NYCHA residents, including 35,000 children under the age of 15, live in developments located in “asthma hotspots” that generate the highest rates of asthma-related emergency room visits in New York City.

Six months after implementation of the European Union’s General Data Protection Regulation (“GDPR”),¹ many charitable organizations are still struggling with compliance. Our pro bono clients frequently ask whether consent is now required to send solicitations or communications via email to donors or potential donors.  Before addressing that discrete question, here are some key GDPR principles that apply to non-profit organizations:

What is personal data? Personal data encompasses any information that may directly or indirectly identify an individual (for example, a name is a direct identifying element, while a date of birth, email address, phone number, home address, or photo is an indirect identifying element).²  Personal data also includes information about the characteristics of an individual (hobbies for instance), opinions of a person, and online identifiers (cookies, IP address).  Because the definition of personal data is so broad, all charitable organizations process personal data.

What is data processing?³ Processing is defined very broadly in the GDPR and includes the collection, recording, storage, adaptation, use, erasure, and mere consultation of personal data.