GDPR for letting agents in the EU
A letting agent operates in two distinct GDPR roles: as a controller for its own operations and as a processor for landlord clients whose tenant data it manages. The absence of Article 28(3)-compliant Data Processing Agreements (DPAs) with landlord clients is one of the most common data protection failures in the property sector across the EU.
Controller and processor
A letting agent is a controller for its own operational data — employee records, accounts, marketing. It is a processor for personal data handled on landlord instructions — tenant applications, rent records, maintenance, tenancy management. A DPA compliant with Article 28(3) EU GDPR must be in place with each landlord client before any processing of tenant personal data begins.
Tenant data and referencing
Tenant referencing involves processing employment history, financial information and credit history. Each processing activity requires a documented lawful basis: typically contract for processing the application itself, and legitimate interests for broader referencing. Where a third-party referencing agency is used, a DPA must be in place with that agency. Tenants must be informed about referencing in the privacy notice before it is carried out.
Marketing consent
Contact details from prospective tenants or landlords who do not proceed to a transaction cannot be used for marketing without valid separate consent or documented legitimate interests. The ePrivacy Directive (implemented nationally across the EU) applies additional requirements for electronic marketing. Each member state’s ePrivacy implementation may vary in detail.
Sensitive processing in tenancy management
Tenancy management may involve processing special category data, for example disability information for reasonable adjustments, immigration status for right-to-rent equivalent checks where applicable, and financial health data. Each such processing activity requires an Article 9(2) condition in addition to an Article 6 lawful basis, and both must be documented separately in the record of processing activities (ROPA).
Data minimisation in tenancy applications
Article 5(1)(c) requires that personal data collected be adequate, relevant and limited to what is necessary for the purpose of the processing. In the letting context, this means an application form should not collect data that is not needed to assess the applicant or to comply with legal requirements. Date of birth, nationality or bank account details beyond what referencing requires may not be necessary at the application stage. Each field on the application form should be justified against the purpose for which it is collected.
Where rejection of an application is based on a credit or referencing check, the applicant’s rights under Article 15 (access to the data used in the decision) and, where the decision was solely automated, Article 22 (rights in automated decision-making) may be engaged. A procedure for handling these situations should exist before they arise.
Retention of tenancy records post-tenancy
Personal data collected during a tenancy — rent payment history, correspondence, maintenance records — must not be retained indefinitely after the tenancy ends. A documented retention schedule should specify how long each category of data is retained and why. The limitation period for claims arising from the tenancy is typically relevant to the retention period for dispute-related records. Unsuccessful application data from those who did not proceed to a tenancy should be deleted promptly once the legitimate purpose for retaining it has been satisfied.
Note: EU GDPR applies directly across all 27 member states, but national law overlays — particularly on employment data, special category processing, and AML retention — vary materially between jurisdictions. Confirm requirements with a practitioner familiar with the relevant member state law.