When you take on a new tenant, you'll inevitably collect, store and use their personal information (data). For example, you will use their contact details to communicate with them while drafting the tenancy agreement and may have already shared them to obtain financial and other references, such as from a bank or previous landlord.
The Data Protection Act 2018 and the EU General Data Protection Regulation changes the law on how landlords should handle (process) personal information about their tenants.
Personal information is information that can identify your tenant, such as their name, address, date of birth, email address, passport number that is stored electronically on a computer, or in organised paper-based filing systems.
Processing the information is generally anything that you do to it and includes:
Only the data required for the tenancy relationship should be acquired, stored securely and regularly reviewed to ensure it remains necessary, accurate and up to date.
You must process the tenant's personal information only in the lawful manner set out in the GDPR. In the past you may have simply had a clause in the tenancy agreement where the tenant signs confirming they consent to their data being processed by you. This may now be unlawful. Although the GDPR does have getting consent as one of the ways you can lawfully process data, it's not recommended to rely on this ground in a landlord-tenant situation. This is because there may be an imbalance of power with the landlord having a position of power over a tenant. Additionally, as the tenant could withdraw their consent at any time, it wouldn't be in your interest to rely on consent anyway.
You will most likely be able to use the following (alternative) lawful ways to process a tenant's personal information:
Performance of a contract
Processing personal information will be required as you will have a tenancy agreement or licence with the tenant, and you both need to fulfil your obligations under it. This will include where it is necessary to take specific steps before entering into it.
Examples of personal information that you will rely on for this ground include:
This ground is likely to cover many of your data processing needs while managing a tenancy.
This is where you are required to use a tenant's information to comply with a legal requirement, such as from legislation, a regulatory requirement where it's supported by a statute, a court order or court decisions (case law), but not contractual obligations.
Examples of using this include complying with right to rent and data protection obligations and gas safety laws.
This can be relied on if the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the tenant's personal data which overrides your legitimate interests.
To comply with the GDPR accountability and transparency requirements, you should perform a 'legitimate interest assessment' for each interest being relied upon and mention the legitimate interests you are relying on and your reasons for using them, in theprovided to the tenant.
Examples of how you may rely on this ground and reasons for doing so include:
See the Information Commissioner's Office (ICO) guide onand how to perform a legitimate interest assessment. You can also find a for use when performing an assessment on their website.
You can only use this if it is essential to protect the life of the tenant or another person. This will be used in very rare circumstances.
Consent is harder to obtain under the new laws and can be withdrawn at any time, so may be of limited use. However, where none of the above legal grounds can be used, you can seek the tenant's consent if you need to use their information for a specific purpose.
To obtain consent it must be:
Points to remember