Skip to main content Skip to main content
Compliance guide · Data protection · England

How Long Must Landlords Keep Tenant Data? GDPR Retention Periods Explained

Updated April 2026 7 min read England

UK GDPR requires landlords to keep personal data only for as long as necessary — and no longer. Keeping data for too long is a breach of the storage limitation principle. Deleting it too soon may mean losing records you are legally required to keep under other obligations. This guide sets out how long landlords should retain the main categories of personal data about tenants and former tenants, derived from UK GDPR, the Data Protection Act 2018, HMRC requirements, and the statutory retention periods that apply to specific landlord obligations. It is not legal advice.

Data protection process
GDPR obligations Data retention DSAR response ICO enforcement

The storage limitation principle

Article 5(1)(e) of the UK GDPR requires that personal data must not be kept in a form that identifies individuals for longer than is necessary for the purposes for which it was collected. This is known as the storage limitation principle. As a landlord and data controller, you must be able to justify how long you keep every category of personal data you hold.

There is no single universal retention period. The appropriate period depends on the purpose for which the data was collected, any statutory obligation to retain it, and the legitimate interests of the landlord in keeping it (for example, to defend potential legal claims). Balancing these factors is the practical challenge of data retention for landlords.

UK GDPR, Art. 5(1)(e) · ICO: How long should we keep personal data

Retention periods by document category

Tenancy agreement

Recommended retention: 6 years from the end of the tenancy.

The Limitation Act 1980 sets a 6-year limitation period for most contract claims. Keeping the tenancy agreement for 6 years from the tenancy end date allows you to defend or bring a claim within that period. This is the primary justification for the retention period.

Right to rent documents

Statutory requirement: duration of the tenancy plus 2 years.

The Immigration Act 2014 and the Right to Rent scheme require landlords to retain copies of right to rent documents for the duration of the tenancy and for 2 years after it ends. This is a statutory minimum, not a recommendation. Retaining for longer is not required and increases your data protection exposure.

Immigration Act 2014, s.21 · Home Office: Right to Rent guidance

Deposit records

Recommended retention: 6 years from the date the deposit was returned.

Deposit disputes and claims can arise after the tenancy ends. The 6-year limitation period for contract claims is the basis for this period. Records should include the deposit protection confirmation, Prescribed Information served, and any correspondence about deductions.

Financial records (rent receipts, invoices, bank records)

HMRC requirement: at least 5 years from 31 January following the relevant tax year.

HMRC requires landlords to retain financial records supporting their tax return for at least 5 years from the 31 January after the end of the relevant tax year. For landlords subject to Making Tax Digital, records must be digital. This is an HMRC requirement independent of GDPR — failure to comply can result in tax penalties.

Taxes Management Act 1970, s.12B · HMRC: Self Assessment record-keeping

Compliance certificates (gas, EICR, EPC)

Recommended retention: 6 years from the date served on the tenant.

Certificates should be retained for the 6-year limitation period in case they need to be produced in possession proceedings or to defend a claim. keep a dated record of the date each certificate was served on the tenant — not just the certificate itself.

Maintenance and repair correspondence

Recommended retention: 6 years from the tenancy end date.

Records of repair requests, responses, inspections, and completion of works are relevant to potential disrepair claims. The 6-year limitation period applies to most such claims.

Unsuccessful tenancy applications

Recommended retention: delete within 6 months where no tenancy commenced.

Where an application did not result in a tenancy, the personal data collected — application forms, reference information, credit check results — should be deleted once it is clear no tenancy will proceed. There is no legal basis for retaining this data beyond a reasonable period. Six months is a common standard, but shorter periods are defensible.

DSAR response records

Recommended retention: 3 years from the date of response.

keep a dated record of every DSAR received, the date of receipt, and the date and content of your response. This enables you to demonstrate compliance if an ICO complaint is later made. Three years is a reasonable period, aligned with potential ICO investigation timescales.

Former tenants

Data protection obligations do not end when a tenancy ends. Former tenants retain all their rights under UK GDPR, including the right to make a DSAR requesting copies of data you hold about them. You must continue to apply the same standards of security and access control to former tenant data as to current tenant data.

Data that has passed its retention period should be securely deleted. Retaining data about a former tenant beyond the justified retention period without a lawful basis is a breach of the storage limitation principle.

Having a written retention policy

You are not legally required to have a formal written data retention policy as an individual landlord, but the ICO strongly recommends it and it is best practice. A simple document setting out what data you hold, why, and how long you keep it serves as evidence of your compliance approach and makes it easier to respond to DSARs and ICO enquiries.

Your retention policy should align with your privacy notice — if your privacy notice says you keep financial records for 6 years, your actual practice must reflect that.

Deleting data correctly

Deleting personal data means ensuring it cannot be recovered. For paper records, secure shredding is required — placing sensitive documents in a recycling bin is not adequate. For digital records, secure deletion means using software that overwrites the data rather than simply moving it to a Recycle Bin. Emails containing personal data should be permanently deleted from both inbox and deleted items folders.

If you use a letting agent, check what data they retain on your behalf and for how long — as the data controller, you remain responsible for their data handling practices under your Data Processing Agreement.

ICO and enforcement

The ICO enforces the storage limitation principle. Keeping data for longer than necessary, or failing to delete it when it is no longer needed, can result in enforcement action. For landlords, the most likely trigger is a complaint from a former tenant who discovers their data is still being held years after a tenancy ended. The ICO's approach to landlords is generally proportionate — informal resolution is common — but persistent or serious failures can result in formal reprimands or financial penalties.

UK GDPR, Art. 5(1)(e), Art. 17 · ICO: Right to erasure · ICO: Storage limitation

Record your data retention decisions automatically

LettingsLedger tracks your data retention obligations alongside all your other landlord compliance tasks. Every decision is logged, timestamped, and stored in your evidence pack permanently.

Get early access →
Not legal advice. This guide is derived from the UK GDPR, the Data Protection Act 2018, HMRC guidance, and the Immigration Act 2014 as at April 2026. Retention periods depend on your specific circumstances and may be affected by ongoing claims or proceedings. Consult a qualified solicitor or data protection adviser for advice specific to your situation.