Vertical guide · Property management

UK GDPR for letting agents

Updated April 2026 · UK GDPR · DPA 2018 · ICO aligned

A letting agent operates in two distinct data protection roles — as a controller for its own operations and as a processor for landlord clients whose tenant data it manages. Most agencies do not have Data Processing Agreements with their landlord clients despite being legally required to. This guide explains what the obligations are in practice.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

Controller and processor — both apply

A letting agent is a data controller for its own operational data — employee records, accounts, marketing lists, enquiries. It is a data processor for the personal data it handles on behalf of landlord clients — tenant applications, rent records, maintenance requests, and right-to-rent check documents processed under the landlord’s instructions. Both roles must be documented and governed separately.

A Data Processing Agreement compliant with Article 28(3) UK GDPR must be in place with each landlord client before any processing of tenant personal data begins. Most letting agency terms of business do not contain the mandatory Article 28(3) provisions. This is one of the most common data protection failures in the property sector.

Source: UK GDPR Articles 28, 4(7), 4(8)

Tenant referencing and credit checks

Tenant referencing involves processing significant personal data — employment history, financial information, credit history, and landlord references. Each processing activity requires a documented lawful basis, typically contract (information needed to assess the application) or legitimate interests. Where a third-party referencing agency is used, a Data Processing Agreement (DPA) must be in place with that agency. The tenant must be informed of the referencing check in the privacy notice before it is conducted.

Right-to-rent checks

Right-to-rent checks under the Immigration Act 2014 require agents to process identity documents for all adult occupants. The lawful basis is legal obligation. Documents checked must be retained for the duration of the tenancy and for one year after it ends. The retention period and basis must be documented in the Record of Processing Activities (ROPA) and reflected in the tenant privacy notice.

Marketing consent

Contact details collected from prospective tenants or landlords who do not proceed cannot be used for subsequent marketing without a valid separate consent or documented legitimate interests basis under UK GDPR and PECR. A prospect’s enquiry does not constitute consent to marketing.

Record this. Document every Data Processing Agreement (DPA) executed with landlord clients, every referencing DPA with third-party agencies, and every tenant data processing activity in your ROPA. Keep the privacy notice served on tenants at the point of application. In any ICO investigation arising from a tenant complaint, these are the first documents requested.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.