GDPR for Landlords: What You're Legally Required to Do with Tenant Data
Private landlords in England are data controllers under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You process personal data about your tenants — their names, contact details, financial information, right-to-rent documents, and more. This creates legal obligations that apply regardless of the size of your portfolio. This guide sets out the key requirements. It is derived from the UK GDPR, the Data Protection Act 2018, and guidance from the Information Commissioner's Office (ICO). It is not legal advice.
Landlords as data controllers
A data controller is any person or organisation that determines the purposes and means of processing personal data. As a private landlord, you decide what information to collect from tenants, how to store it, and how long to keep it. That makes you a data controller, regardless of whether you use a letting agent.
Where you use a letting agent, the agent is typically a data processor acting on your instructions — they process tenant data on your behalf. You remain responsible as the data controller. You should have a written data processing agreement with any agent who handles tenant data for you.
Lawful basis for processing
You must have a lawful basis for processing personal data. Under UK GDPR, the most relevant lawful bases for landlords are:
- Contract. Processing necessary for the performance of a tenancy agreement — for example, using a tenant's name and bank details to manage rent payments and address maintenance requests.
- Legal obligation. Processing required to comply with a legal duty — for example, conducting and recording right-to-rent checks, or retaining deposit protection records.
- Legitimate interests. Processing necessary for your legitimate interests as a landlord, where those interests are not overridden by the tenant's rights — for example, keeping contact details for maintenance purposes for a limited period after a tenancy ends.
Consent is rarely the appropriate basis for landlord-tenant data processing. Tenants are not in a position to freely give consent given the power imbalance in the relationship.
You must identify and document your lawful basis before you start processing. If challenged, you must be able to demonstrate the basis you relied on.
What data landlords typically process
- Prospective tenant: name, contact details, employment details, references, credit check results
- Right to rent: identity documents (passport, visa), copies retained on file
- Tenancy: name, address, rent amounts, bank details, tenancy agreement
- Deposit: name, deposit amount, scheme reference
- Maintenance: repair logs, access arrangements, correspondence
- Post-tenancy: forwarding address, deposit deduction records
If you process any special category data — health information, for example — you need an additional lawful basis under Article 9 UK GDPR. Seek specialist advice if this applies to you.
Privacy notice obligations
You must provide tenants with a privacy notice — sometimes called a fair processing notice — explaining what data you collect, why, how long you keep it, and their rights. This must be provided at the point of collection, typically at the start of a tenancy.
A landlord privacy notice should cover:
- Who you are (your name and contact details as data controller)
- What data you collect and for what purpose
- The lawful basis for each type of processing
- How long you retain data
- Whether you share data with third parties (agents, tradespeople, deposit schemes)
- Tenants' rights: access, rectification, erasure, restriction, portability, objection
- The right to complain to the ICO
The ICO provides template privacy notices and guidance for small organisations. You do not need a solicitor to draft a basic landlord privacy notice, but it must accurately reflect your actual processing.
Data retention
You must not keep personal data for longer than necessary — see our data retention guide for specific periods. You should have a retention policy — even a simple one — that sets out how long you keep different categories of data and why.
Practical retention periods for landlords:
- Tenancy agreement and correspondence: 6 years from tenancy end (limitation period for contract claims)
- Right to rent documents: duration of tenancy plus 2 years (statutory requirement)
- Deposit records: 6 years from return of deposit
- Financial records (rent receipts, invoices): 6 years (HMRC requirement)
- Unsuccessful tenancy applications: no longer than necessary — typically delete within 6 months if no tenancy commenced
Data security
You must implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or disclosure. For most private landlords, this means:
- Storing paper documents securely and disposing of them by shredding
- Password-protecting any digital files or spreadsheets containing tenant data
- Using secure email when sending sensitive documents
- Not sharing tenant data with third parties without a lawful basis
- Promptly reporting significant data breaches to the ICO (within 72 hours where the breach is likely to result in risk to individuals)
Data subject access requests
Tenants have the right to request a copy of all personal data you hold about them — this is called a Data Subject Access Request (DSAR). You must respond within 30 days. You must provide the data free of charge in most circumstances. You can extend the deadline by a further two months in complex cases, but you must inform the tenant within the first 30 days that you are doing so.
You cannot refuse a DSAR simply because it is inconvenient or because you are in dispute with the tenant. A DSAR from a tenant is a legal right, not a matter for negotiation. See our guide to handling DSARs for a step-by-step process.
The ICO and enforcement
The Information Commissioner's Office (ICO) enforces UK data protection law. Landlords can be fined for serious data protection breaches — fines can reach up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious breaches. For small landlords, the ICO tends to take a proportionate approach, but persistent non-compliance or serious failures (such as failing to respond to DSARs, or data breaches involving sensitive documents) can result in formal action.
You should register with the ICO as a data controller if you have not already done so. Most landlords who process personal data are required to pay the ICO's data protection fee unless an exemption applies. The fee is tiered by turnover and is currently £40 per year for micro-organisations and small businesses.