
GDPR Compliance for Letting Agents Managing Multiple Properties

Updated May 2026 · 9 min read · England

Letting agents in England usually act as data controllers when they handle tenant and landlord personal data, and in many cases as joint controllers together with the landlord. The often-repeated shorthand that an agent is simply a "processor" for the landlord rarely matches the substance of the arrangement, and getting the status wrong distorts every downstream obligation, from lawful basis to records of processing activities to who answers a data subject access request. This guide sets out how the ICO analyses the controller, joint controller, and processor relationships in residential lettings, what each status requires, and the practical steps agents managing multiple landlord portfolios need to take. It is derived from the UK GDPR, the Data Protection Act 2018, and ICO guidance. It is not legal advice.

Controller, joint controller, or processor: getting the status right

The distinction matters because every other GDPR obligation flows from it. A data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of a controller, acting only on the controller's documented instructions and having no purposes of its own. Where two or more parties jointly determine the purposes and means, they are joint controllers under Article 26.

Status is decided by the substance of the arrangement, not by what the agency agreement happens to label the parties. The ICO is explicit on this: if an organisation makes the decisions that characterise a controller, it is a controller regardless of contract wording.

In residential lettings the practical reality is that letting agents are almost always controllers in their own right, and often joint controllers with the landlord, for most of the tenant-facing processing they do. The controller signals are everywhere in the workflow:

  • The agent decides what information goes on the application form, which referencing provider is used, what credit-check threshold applies, and which third parties data is shared with.
  • The agent decides how long to keep unsuccessful applications, whether to remarket to former applicants, and how the firm's CRM is structured.
  • The agent has its own commercial purposes in the processing: lead generation, marketing, building a tenant and landlord database, cross-selling services.

Those are all controller decisions. A pure processor, by contrast, would simply execute the landlord's documented instructions on a specific task and have no discretion over purposes or means.

Genuine processor activity does still arise within a wider agency relationship, but it is narrower than the industry shorthand suggests. Examples include holding a specific landlord-supplied document at the landlord's request, sending a one-off communication to a named tenant exactly as the landlord has drafted it, or operating a payment account strictly on the landlord's standing instructions. In each of these the agent has no purpose of its own and no discretion over the data. Most of the wider agency workflow falls outside that narrow band.

The consequence is that the typical agent-landlord relationship is best analysed as a joint controllership for tenant data, sometimes with discrete processor activities sitting alongside it, rather than as an agent-as-processor arrangement. That analysis should be reflected in the contract, in the privacy notices given to tenants and landlords, and in the records the agent keeps.

UK GDPR, Art. 4, 26, 28 · ICO: Controllers, processors and joint controllers

Joint controller arrangements and Data Processing Agreements

The right written instrument depends on the status analysis above. Two different legal mechanisms apply, and an agency that has only one of them in place is exposed on the other.

Where you and the landlord are joint controllers

Article 26 UK GDPR requires joint controllers to put in place a transparent arrangement setting out their respective responsibilities, in particular for the exercise of data subject rights and the provision of transparency information. The essence of that arrangement, and the agent and landlord's respective roles, must also be made available to the data subjects. In practical terms the agreement should record:

  • The scope of joint processing: which categories of tenant and applicant data are jointly determined.
  • Which party is the primary contact point for data subject rights requests (DSARs, erasure, objection) and how the other party is to be notified and to assist.
  • Which party is responsible for issuing the privacy notice to tenants and applicants, and what each privacy notice will say about the joint arrangement.
  • How a personal data breach is notified between the parties, and which party leads on ICO notification.
  • Allocation of responsibility for retention and erasure once a tenancy or application ends.

Where you act as a processor for a discrete activity

Where an activity is genuinely a processor task (the agent has no purposes of its own and acts strictly on the landlord's documented instructions), Article 28 UK GDPR requires a written Data Processing Agreement covering at minimum:

  • The subject matter, duration, nature, and purpose of the processing.
  • The type of personal data and categories of data subjects.
  • The obligations and rights of the landlord as controller.
  • That the agent processes only on the landlord's documented instructions.
  • Confidentiality obligations for staff who access the data.
  • Security measures the agent has in place.
  • Restrictions and rules on engaging sub-processors.
  • The agent's obligation to assist the landlord in responding to data subject rights requests.
  • Deletion or return of the data at the end of the service.
  • The agent's obligation to make information available to demonstrate compliance and to allow audits.

Many agency-landlord agreements treat every activity as if it were a single processor relationship and rely on a generic "DPA" clause to cover everything. Where the substance of the relationship is joint controllership, an Article 28 DPA on its own does not discharge the Article 26 obligations and may itself mischaracterise the parties. A defensible position is to identify the joint controller activities and put an Article 26 arrangement in place, then identify any narrow processor activities and put an Article 28 DPA in place for those.

What data letting agents hold

Categories of personal data agents typically hold

A letting agent managing multiple properties typically holds substantial volumes of personal data across multiple categories:

  • Landlord data: name, contact details, financial information, bank account details for rent remittance, property ownership details
  • Prospective tenant data: application details, employment history, references, credit check results, right-to-rent identity documents
  • Current tenant data: name, contact details, tenancy agreement, rent payment history, maintenance requests, correspondence, deposit records
  • Former tenant data: post-tenancy records retained for legal and accounting purposes
  • Third-party data: guarantor information, tradespeople details

Right-to-rent documents — copies of passports, visas, and immigration status documents — are particularly sensitive. These must be stored securely, retained only for the statutory period (duration of tenancy plus two years), and protected against unauthorised access.

Lawful basis for agent processing

Where the agent is a controller (whether sole or joint), it is the controller that must identify and document a lawful basis under Article 6 for each processing activity. The lawful basis question does not arise on the processor side: a processor acts on the controller's documented instructions and does not pick its own Article 6 ground for that processing.

For letting agents, the bases that typically apply to the controller side of the workflow are:

  • Contract, for processing necessary to perform the tenancy agreement or the agency agreement with the landlord, or to take steps at the data subject's request before entering into a contract (for example, processing an application).
  • Legal obligation, for right-to-rent checks, deposit protection, anti-money laundering checks where applicable, and statutory reporting requirements.
  • Legitimate interests, for activities such as managing the agency relationship beyond the strict terms of the contract, certain post-tenancy record retention, and limited direct marketing to existing clients, in each case supported by a documented legitimate interests assessment.
  • Consent, for activities that fall outside the other bases, most often electronic marketing to prospective tenants where the soft opt-in does not apply.

Special category data (for example, health information disclosed in an accessibility request, or biometric data) requires an Article 9 condition in addition to the Article 6 basis. Criminal conviction data requires an Article 10 condition. The fact that a basis exists in principle does not remove the need to record which basis applies to which processing activity and why.

Records of Processing Activities (ROPA)

Article 30 UK GDPR requires controllers and processors to maintain a record of processing activities. The Article 30(5) exemption is widely misunderstood. It does not say that organisations with fewer than 250 staff are simply outside the ROPA duty. It says that the ROPA obligations in Article 30(1) and (2) do not apply to an enterprise of fewer than 250 employees unless any one of the following is true:

  1. The processing is likely to result in a risk to the rights and freedoms of data subjects.
  2. The processing is not occasional.
  3. The processing includes special categories of data under Article 9(1).
  4. The processing includes personal data relating to criminal convictions and offences under Article 10.

The exemption only applies if none of those four conditions is met. For a letting agent the analysis is short. The processing of tenant and landlord data is the agent's core business activity and is not "occasional" in any sense Article 30(5) recognises. The processing routinely creates risks to rights and freedoms (housing access, financial standing, immigration status). Right-to-rent documents, accessibility-related information, and guarantor financial data make special category and high-risk processing common rather than exceptional. On any reasonable reading, letting agents fall outside the Article 30(5) exemption and the full ROPA obligation applies regardless of headcount.

The ROPA should record, for each processing activity, the purposes, the categories of data subjects and personal data, the categories of recipients, any international transfers, the retention period, and a description of the security measures in place. Where the agent is a joint controller for an activity, the ROPA should record that and identify the other controller. Where the agent is acting as a processor for an activity, the separate Article 30(2) processor record applies.

UK GDPR, Art. 30 · ICO: Documentation

Privacy notices for tenants and landlords

Privacy notices must be given to both tenants and landlords at the point of first engagement: to landlords when they instruct the agent, to applicants when they enquire or apply, and to tenants at or before tenancy sign-up. Each notice must comply with Article 13 (data collected from the data subject) or Article 14 (data obtained from another source) as the case may be.

The notice must identify the controller (and any joint controller), the data processed, the purposes, the lawful basis (and Article 9 condition where special category data is processed), the recipients (referencing agencies, deposit schemes, contractors, sub-processors), retention periods, international transfers if any, and the data subject's rights and how to exercise them. Where the agent and landlord are joint controllers, Article 26(2) requires that the essence of the joint controller arrangement is made available to the data subject; the tenant privacy notice is the usual place to do that. Notices should be specific to the agent's operating model rather than generic template text.

Retention policies for agent records

Agents must have a documented retention policy covering all categories of data they hold. Key retention periods:

  • Tenancy agreements: 6 years from tenancy end
  • Right-to-rent documents: duration of tenancy plus 2 years
  • Financial records: 6 years (HMRC requirement)
  • Deposit records: 6 years from return of deposit
  • Marketing consent records: until consent withdrawn plus a reasonable period
  • Unsuccessful tenancy applications: typically delete within 6 months

Retention policies must be implemented, not just written (see the landlord data retention guide for the statutory periods). Systems should be in place to delete or anonymise data when retention periods expire, rather than relying on staff to remember.

Data security for agents

Letting agents hold significant volumes of sensitive personal data — financial information, identity documents, and tenancy histories. Appropriate security measures are essential:

  • Access controls: staff should only access data relevant to their role
  • Secure storage: physical documents locked, digital files password-protected and encrypted
  • Secure transmission: encrypted email or secure portals for sharing sensitive documents
  • Breach response plan: a documented procedure for identifying, containing, and reporting data breaches to the ICO within 72 hours where required
  • Sub-processor due diligence: referencing companies, deposit schemes, and other third parties who receive personal data should be assessed for their security measures

ICO registration

Letting agents are required to register with the ICO and pay the data protection fee. The fee structure has three tiers based on staff numbers and annual turnover. Tier 1 (micro organisations: maximum turnover £632,000 or no more than 10 staff) is £52 per year. Tier 2 (small and medium organisations: maximum turnover £36 million or no more than 250 staff) is £78 per year. Tier 3 (large organisations above those thresholds) is £3,763 per year. The fees were last increased in February 2025; confirm the current figures against the ICO calculator before renewing. Most independent agencies fall into Tier 1 or Tier 2, but larger multi-branch agencies and corporate operators can sit in Tier 3 and should not assume the lower fee applies. Registration is at ico.org.uk/registration.

Operating without ICO registration when you are required to register is itself an offence. The ICO can issue a fixed penalty for failure to pay the data protection fee; the maximum on the ICO's published penalty schedule is £4,350.

Staff and data protection

Staff who handle personal data must understand their obligations. At minimum, all staff who access tenant or landlord personal data should receive basic data protection training covering: what personal data is, what the main rights of data subjects are, how to handle a DSAR, and how to identify and report a data breach. Training should be documented.

UK GDPR, Art. 5, 28, 32 · Data Protection Act 2018 · ICO: Guide to the UK GDPR

Record this. Every joint controller arrangement, Data Processing Agreement, privacy notice issued, ROPA entry, and DSAR handled should be recorded with the date and the version of the document in use at the time. Where the agent acts as a processor for a specific activity, the agent must also be able to make information available to the landlord (the controller) to demonstrate compliance under Article 28.

Structure your agency's data governance record

LettingsLedger helps letting agencies structure compliance evidence across their portfolio. Every landlord account tracks statutory obligations, documents, and actions independently in a dated, append-only record.

Not legal advice. This guide is derived from the UK GDPR, the Data Protection Act 2018, and ICO guidance as at April 2026. Data protection law is complex and fact-specific. Always consult a qualified solicitor or data protection adviser for advice specific to your organisation.