Data Protection (GDPR) Course for Landlords


What is GDPR, and does it apply to landlords?

Landlords need to be aware of the data protection legislation and familiarise themselves with the GDPR legal requirements.

Some private landlords who may have just one property wrongly think they do not need to comply with the privacy protection law. They should visit the ICO website for guidance.

Privacy protection laws in the UK apply to landlords’ commercial and residential landlords.

Landlords should issue all their prospective tenants a privacy notice before granting a tenancy agreement.

The privacy notice should set out the landlord’s privacy policy.

They should retain a signed copy of the privacy policy notice on file.

Landlords are known as “Controllers” for the purpose of GDPR legislation and have legal obligations under the GDPR legislation.

Also, unlike the old legislation processors, they now have statutory duties in their own right under the GDPR.

Individuals (including tenants) and supervisory authorities like the ICO can hold both controllers and processors responsible if they fail to comply with their responsibility under GDPR.

Any landlord not complying with the GDPR legislation could face a hefty fine.

The GDPR legislation also includes some specific requirements which are directed at joint controllers. The complete list is accessible on the ICO website (link below) should you wish to read it.

What should a landlord Privacy Notice contain?

It should contain the landlord’s name and address with contact details. It would be a good idea to provide an email address and maybe a telephone number.

It should set out what data may be required, why it will be used, stored, and how long the data will be held. It should clearly set out what the legal basis is to request and hold and process the data.

It should state the name of the data controller and the contact details of the controller. It should set out the tenant rights under GDPR.

The Privacy Notice (Privacy Policy) should set out how long after the tenant has vacated the let premises the (previous tenants) can expect the data to be deleted.

Not a requirement, but a privacy policy should contain a paragraph on how the prospect renter can obtain free legal advice before taking the tenancy and their rights under GDPR.

Landlords & Personal Data

The ‘GDPR data controller is the organisation (like a landlord) that decides how and why tenants’ personal data is processed.

Under GDPR, Data Controllers are legally obliged to: Protect personal data against compromise or loss. They need to implement adequate technical and organisational measures to secure data.

To let property, a landlord needs the tenant’s consent to carry out credit checks etc. The landlord (processor) needs to ensure they comply with GDPR during the letting process.

GDPR & Lawful Basis

Review the GDPR provisions; if you choose a lawful basis for processing, then you will need to document your rationale for your actions or inactions.

Note: If you choose “consent” as your lawful basis, there are extra obligations that you must adhere to.

These include giving data subjects (tenants) the ongoing opportunity to revoke consent.

To process personal information, landlords must have a “lawful basis” to process the data.

Personal Information

Landlords who store, use, or delete tenants’ personal information (such as name, email, telephone, etc.) using an electronic device (mobile phone, computer, etc.) should be registered with the ICO.

Documenting Processing Activities

One of the essential first steps to complying with GDPR is to document processing activities. By doing this, you will establish what personal information you hold, who it is shared with and how long it is retained.

Landlord privacy policy

Landlords will need information from a prospective tenant for the purpose of pre-tenancy consideration, during and after the tenancy has ended.

It is vital landlords obtain tenants’ written consent, enabling them to receive relevant information from 3rd party sources before granting a tenancy.

This information can be obtained via a tenancy application form. The tenancy application should contain relevant text to deal with:

Pre-tenancy credit & reference checks.

Managing the tenancy, consent to enable the landlord to speak to the council, utility companies etc.

Post tenancy – to disclose information to the utility companies, the council, and tracing companies (if the tenant has left a debt and has not given a forwarding address).

You should provide concise information about your data processing and legal justification in your privacy policy.

This information should be included in your privacy policy and provided to tenants when you collect their data, as stated above, ideally in the tenancy application.

The tenancy application is the pre-tenancy stage and almost the first actual contact with the prospective tenant. So, it is best to obtain consent to deal with privacy and put them on notice of how the data will be used.

All residential tenancy agreements should ensure it contains relevant clauses to enable the landlord to deal with various common issues. The tenancy agreement should include consent text that would allow the landlord to deal with the tenants’ housing benefits.

This will allow you to freely speak to the housing benefit or universal credit about paying rent to the tenant or you directly.

The British Landlord Association 2020 tenancy includes clauses for GDPR.

Our top read blogs:

Landlord Foundation course

HMO course