Charlesons

GDPR Applies to Landlords Too – Even When You Take A Name or Email!

May 18, 2018
GDPR for Landlords

The General Data Protection Regulation (GDPR) replaces the current data protection rules on 25 May 2018. It’s likely that many private landlords involved in property rentals have yet to fully understand how the new legislation directly applies to them, and they should not assume the rules will not affect them and their situation. The GDPR is primarily aimed at giving control to UK citizens over their personal data. It means a change to how an individual’s information is handled by businesses and organisations, including landlords and agents involved in lettings.

Under the GDPR, a landlord will be required to audit the information they collect and hold on their tenants. They will also need to decide under what lawful basis the information is being processed. The audit will need to be properly documented and privacy notices made available for persons to view, normally at the time of collecting the personal information.

Any personal data which can identify a person

The information collected is broadly defined as any personal data which can identify a person, even a name and address. Under the GDPR, individuals, organisations and companies are either ‘controllers’ or ‘processors’ of personal data. It means that a landlord or letting agent will often be both the controller and the processor of the data they hold. A typical example is when a landlord or agent receives an email enquiry from a prospective tenant. The landlord or agent is described as “being in control of the data”, which requires a decision over how the information will be processed and stored, e.g. on a database or spreadsheet.

Under Article 5 of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. In addition, the information must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that consent will be needed for using any personal information, e.g. for sales or marketing.

The ‘contract’ basis for processing personal information

Landlords may think that all of the above will have minimal effect on their everyday rental activities. After all, landlords or agents do not have to rely upon ‘consent’ to obtain the usual personal information from their tenants, as it is processed under ‘contract’ or ‘legitimate interests’. The ‘contract’ basis for processing personal information is usually considered to be the most appropriate basis for landlords and agents, especially when dealing with tenants as opposed to ‘prospective’ tenants.

So, for example, a landlord or agent does not need to ask the consent of a prospective tenant to obtain a credit check before a tenancy is agreed, because it’s not a matter of ‘choice’. However, the prospective tenant must be informed that a credit check is to be made.

Data documentation for lettings

The requirement for data documentation will, however, apply to almost all of the information obtained by landlords for the purpose of lettings. Categories of individuals may include:

  • Prospective viewers (general enquiries on mailing list for new properties)
  • Prospective tenants (after viewing and wish to apply for a tenancy)
  • Tenants
  • Ex-tenants
  • Contractors

Registration with the ICO

If you’re a landlord with a maximum annual turnover of £632,000 and more than 10 members of staff, you should already be registered with the ICO (Information Commissioner’s Office), which was set up to uphold information rights in the public interest and data privacy for individuals.

Under GDPR, you will need to register with the ICO if all of the following conditions apply:

  • You collect, record, store or delete personal information (such as names, addresses, telephone numbers and email addresses)
  • Information is processed (including collected or stored) by automated means (such as a mobile phone, computer, tablet etc.)
  • Processing is for the purpose of “Property management, including the selling and/or letting of property”.

Registration with the ICO will not be necessary if your collecting or storing of information is carried out entirely on paper, but you will still be legally required to comply with GDPR regulations. Even if you simply text a tenant with a reminder about the next rent payment, it means that you are ‘storing information by automated means’ and are required to register with the ICO.