GDPR compliance for landlords

Ireland’s rented housing market is somewhat unusual as, despite an increase in “professional” landlords over the past number of years, most private rented accommodation is owned by single-property landlords.

These landlords are not engaged in property letting as part of their “day job”, but have either bought a property to provide a rental income with a longer-term hope that the property increases in value and is a valuable asset. Alternatively, some have found themselves becoming landlords through circumstance, such as moving on from a home and deciding to rent it out instead of selling it.

It is sometimes not appreciated that the landlord in that situation, though they may have a different day job, is still in the business of letting a property and is subject to applicable laws, including data protection and the GDPR (General Data Protection Regulation). A landlord, for the purposes of those laws, is a data controller in respect of the personal data of tenants and prospective tenants who might view a property but not end up renting it. That status imposes a range of regulations and obligations on the landlord.

A flashpoint in recent years, particularly in urban areas where residential properties are in high demand, has been complaints that prospective tenants have been expected to provide landlords or their agents with extensive personal and financial information before even viewing a property. The Data Protection Commission has now published a guidance note on requesting personal data from prospective tenants which warns against this type of practice. It also helpfully outlines some of the relevant data protection principles and the way in which they apply to a landlord/tenant relationship.

In summary:

    • Information obtained from tenants and prospective tenants is personal data within the meaning of data protection law and can only be obtained and used (processed) lawfully and fairly.
    • In order to obtain the information lawfully there must be a justification (legal basis) for doing so which complies with the GDPR.
    • Different justifications are likely to apply to different types of data and a landlord should be able to identify the relevant justification which applies for each category of information. For example, personal data can be processed where it is necessary to perform or enter into a contract and this legal basis will apply to some personal data obtained from tenants, such as name and address. However, a PPS number is required by the landlord to register the tenancy with the Residential Tenancies Board and so the legal basis for processing the tenant’s PPSN is compliance with a legal obligation.
    • Other legal justifications for obtaining and processing personal data of tenants may arise but landlords should be cautious about relying on the legitimate interests basis and “should be wary of seeking to rely on consent as a legal basis … as the imbalance of power in the landlord-tenant relationship will likely mean that the consent is not ‘freely given’ by the tenant”.
    • Landlords should be mindful of the obligations of a data controller under the GDPR, including that personal data stored should not be kept for longer than necessary and should be kept secure and confidential.

A key issue arises under the data minimisation principle. Article 5(1)(c) of the GDPR provides that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which processed. In its guidance, the DPC has sounded a warning bell for landlords and agents seeking vast quantities of personal information from people wishing to view a property:

It will be difficult for a controller to justify, by reference to the principle of data minimisation, the extensive collection of personal data such as financial statements, utility bills, references, PPSNs, etc., from numerous, or all, interested parties at the initial stages of advertising or hosting viewings of a property. This is because such information will generally not be necessary at the early stages of the leasing process, where interested persons may simply be looking to view a property or make enquiries in relation to it. In most cases such information will not be necessary until such time as a landlord decides upon a preferred tenant and makes an offer to a prospective tenant (which will usually be conditional on references, confirmation of ability to pay rent, etc.).

The guidance is a useful reminder for landlords, even of single properties, that the general principles and specific obligations of data protection law apply to personal data of tenants and of prospective tenants.

In light of the increased data protection enforcement regime which has been introduced by the GDPR and the duty of care owed by data controllers to data subjects, it is crucial that landlords are aware of their obligations and that, in particular, if a landlord engages an agent to let a property on their behalf that both the landlord and agent comply with data protection law.

, , , , , ,