What is GDPR, and does it apply to landlords?
GDPR stands for “General Data Protection Regulation”. Landlords must know the data protection legislation and familiarise themselves with the GDPR legal requirements.
Some private landlords who may have just one property wrongly think they do not need to comply with the privacy protection law.
They should read this blog or visit the ICO website for guidance on their legal obligation as a private landlord.
Privacy protection laws in the UK under the Data Protection Act apply to commercial and residential landlords.
Landlords should issue all prospective tenants a privacy notice before granting a tenancy agreement; it is a legal requirement. The privacy notice should set out the landlord’s privacy policy.
They should retain a signed copy of the privacy policy notice on file.
Landlords are known as “Controllers” for GDPR legislation and have legal obligations under the GDPR legislation.
Also, unlike the old legislation processors, they now have statutory duties in their own right under the GDPR.
Individuals (including tenants) and supervisory authorities like the ICO can hold controllers and processors responsible if they do not comply with their responsibility under GDPR.
Any landlord not complying with the GDPR legislation could face a hefty fine. The GDPR legislation also includes specific requirements directed at joint controllers.
The complete list is accessible on the ICO website (link below) should you wish to read it.
What should a landlord Privacy Notice contain?
It should contain the landlord’s name and address with contact details. Providing an email address and a telephone number would be a good idea.
It should set out what data may be required, why it will be used, stored, and how long it will be held. It should set out the legal basis to request, hold, and process the data.
It should state the data controller’s name and the controller’s contact details. It should set out the tenant rights under GDPR.
The Privacy Notice (Privacy Policy) should set out how long after the tenant has vacated the let premises the (previous tenants) can expect the data to be deleted.
Not a requirement, but a privacy policy should contain a paragraph on how the prospective renter can obtain free legal advice before taking the tenancy and their rights under GDPR.
Landlords & Personal Data
The GDPR data controller (like a landlord) decides how and why tenants’ personal data is processed.
Under GDPR, Data Controllers are legally obliged to: Protect personal data against compromise or loss. They need to implement adequate technical and organisational measures to secure data.
To let property, a landlord needs the tenant’s consent to carry out credit checks. The landlord (processor) must comply with GDPR during the letting process.
GDPR & Lawful Basis
Review the GDPR provisions; if you choose a lawful basis for processing, you must document your rationale for your actions or inactions.
Note: If you choose “consent” as your lawful basis, there are extra obligations that you must adhere to.
These include giving data subjects (tenants) the ongoing opportunity to revoke consent.
To process personal information, landlords must have a “lawful basis” to process the data.
Personal Information
Landlords who store, use, or delete tenants’ personal information (such as name, email, telephone, etc.) using an electronic device (mobile phone, computer, etc.) should be registered with the ICO.
Documenting Processing Activities
One of the essential first steps to complying with GDPR is to document processing activities. Doing this will establish what personal information you hold, who it is shared with, and how long it is retained.
Landlord privacy policy
Landlords will need information from a prospective tenant for pre-tenancy consideration during and after the tenancy has ended.
Landlords must obtain tenants’ written consent, enabling them to receive relevant information from 3rd party sources before granting a tenancy.
This information can be obtained via a tenancy application form. The tenancy application should contain relevant text to deal with the following:
- Pre-tenancy credit & reference checks.
- Managing the tenancy, consent to enable the landlord to speak to the council, utility companies etc.
- Post tenancy – to disclose information to the utility companies, the council, and tracing companies (if the tenant has left a debt and is not given a forwarding address).
You should provide concise information about your data processing and legal justification in your privacy policy.
As stated above, this information should be included in your privacy policy and provided to tenants when you collect their data, ideally in the tenancy application.
The tenancy application is the pre-tenancy stage and the first actual contact with the prospective tenant.
So, it is best to obtain consent to deal with privacy and put them on notice of how the data will be used.
All residential tenancy agreements should contain relevant clauses to enable the landlord to deal with various common issues.
The tenancy agreement should include consent text to allow the landlord to deal with the tenant’s housing benefit.
This will allow you to freely speak to the housing benefit or universal credit about paying rent directly to the tenant or you.
Landlord GDPR Privacy Law FAQ
What happens if a landlord doesn’t comply with GDPR?
You are likely to face a fine for breaching the privacy legislation.
Does a landlord need to review their GDPR compliance in the future?
The privacy law in the UK is likely to evolve as the way we do business changes and new technology comes into play. You should check any updates to the privacy laws to ensure you are fully compliant with your legal requirement under GDPR.
What does a landlord need to do about a privacy notice?
Landlords and letting agents must ensure they have an up-to-date privacy policy notice in place. If not, you can download a free tenant privacy notice from our website.
If a landlord complies with the Data Protection Act, are they required to comply with GDPR?
No. The two regulations are very different, and compliance with one doesn’t necessarily mean compliance with the other.
For example, under DPA, an organisation must comply with certain principles, but not every principle applies equally across both acts. This means there may be situations where organisations could breach GDPR without breaching DPA.
How do I prepare for GDPR?
Understanding how your business processes work now is essential so you’re prepared when GDPR occurs.
What do landlords need to do about a privacy notice?
Once you’ve established the steps above, you need to ensure you have a privacy policy notice in place.
I’m a landlord but have a letting agent to manage my property – do I need to pay?
No. Your letting agents collect tenant data as part of fully managing your properties. If you do not hold any information regarding the tenant’s details, you may be exempt.
If you hold information in the process of letting agents manage your property at any time in the future. You should check if then you are required to be registered with the ICO.
Is a landlord a data controller or processor?
When a landlord is processing the personal data relating to its tenants, contractors, and staff for its own legitimate business purposes.
Then a landlord will be acting as a data controller and is legally obliged to comply with the provisions of the DPA.
How many landlords comply with the GDPR?
The British Landlord Association survey in April 2020 found that 93% of landlords fully complied with their legal obligations.
Accidental landlords and those using letting agents with partial management arrangements were not aware of their GDPR responsibilities.
These minority landlords held some or all the following information: bank details, credit check reports and personal details gleaned from the tenancy application notice.
The British Landlord Association 2020 tenancy includes clauses for GDPR.
Source: British Landlords Association
Author: Amanda Goldsmith [email protected]
Date: 1st of March 2023
Is our housing market about to crash?
The tax advantage of buying a property using an offshore company in 2020