If you collect names, phone numbers, references, bank details, CCTV footage, or ID documents from tenants or applicants, GDPR usually applies to you. In practice, a private landlord will usually be the data controller because the landlord decides what tenant data is collected, why it is collected, and how long it is kept.
For most landlords, the biggest GDPR risk is not failing to collect enough information. It is collecting too much data too early, keeping it for too long, or storing it in an insecure way. The Irish Data Protection Commission (DPC) has been especially clear on this point in its guidance for landlords and letting agents dealing with prospective tenants.
This guide is written for landlords in Ireland and uses Irish sources first. The same core GDPR principles also apply across the EU, and UK landlords will recognise most of the same rules under the UK GDPR and Data Protection Act 2018. This is a practical compliance guide, not legal advice.
If you are also tightening up your tenancy records more broadly, the RTB compliance checklist for Irish landlords may help.
Quick answer
If you want a simple rule of thumb, do the following:
- collect only the personal data you genuinely need for the stage you are at
- choose a clear lawful basis for each use of the data
- give applicants and tenants a short privacy notice in plain English
- keep digital and paper records secure
- delete data when you no longer need it
- respond properly if a tenant asks for a copy of their data
- have a simple breach process so you can assess whether the DPC or the tenant must be told
For most landlords, the lawful bases that matter are:
- contract for setting up and managing the tenancy
- legal obligation for records you are required to keep by law
- legitimate interests for limited checks or security measures that can be justified
Consent is usually the wrong basis for core tenancy administration. The DPC warns that the landlord-tenant relationship often involves an imbalance of power, so consent may not be freely given in the way GDPR requires.
Are landlords data controllers?
Usually, yes.
The DPC's guidance on prospective tenants says the landlord will usually be the data controller for personal data collected during the letting process. That matters because controllers are responsible for following the GDPR principles, choosing a lawful basis, keeping data secure, and being able to explain what they are doing.
You do not need to own a large portfolio for GDPR to apply. A landlord with one rental property can still be a controller if they are deciding how tenant data is handled.
What data can you collect, and when?
The safest approach is to collect data in stages rather than asking every applicant for everything at once.
The DPC says it is difficult to justify collecting extensive data such as financial statements, utility bills, references, PPS numbers, and similar documents from numerous applicants at the initial viewing or enquiry stage. In most cases, that material is only needed later, once you have chosen a preferred tenant and are moving toward an actual tenancy agreement.
| Stage | Usually justified | Usually too early or excessive |
|---|---|---|
| Initial enquiry or viewing | Basic contact details and information needed to assess the enquiry | PPSN, bank statements, utility bills, full references, ID copies from every interested applicant |
| Preferred applicant / offer stage | Information genuinely needed to verify identity, affordability, and references before signing | Broad "just in case" requests unrelated to the tenancy |
| Live tenancy | Contact details, rent records, maintenance history, and legally required registration or tax records | Extra personal information that does not help manage the tenancy |
Ask yourself one question for each field on a form: "Would I still need this if the applicant never becomes my tenant?" If the answer is no, it probably should not be collected at the first stage.
There is an important Irish example here. Current RTB registration guidance says landlords need their own PPS number and tenancy details when registering a tenancy, but it describes the tenant's PPSN or date of birth as optional information rather than mandatory. That means landlords should be careful not to treat tenant PPSNs as something that can automatically be demanded from every applicant.
Choosing the right lawful basis
Before collecting or using personal data, decide which Article 6 GDPR basis actually applies.
| Purpose | Likely basis | Example |
|---|---|---|
| Setting up and managing the tenancy | Contract | Contact details, rent ledger, payment administration, maintenance communication |
| Complying with a legal requirement | Legal obligation | Records you must keep for RTB, tax, or other legal compliance reasons |
| Limited checks or property security | Legitimate interests | Reference checks for a preferred tenant, proportionate CCTV in justified cases |
| Optional extras unrelated to the tenancy | Consent | A genuinely optional mailing list or newsletter |
The DPC's guidance for landlords says contract will often be the best basis for data needed to enter into or perform the tenancy. Legal obligation applies where a law genuinely requires the record. Legitimate interests can sometimes work, but only where the processing is proportionate and not overridden by the tenant's rights.
For consent, the practical point is simple: do not rely on it for core tenancy administration. If the tenant cannot realistically say no without affecting the tenancy relationship, consent is a weak basis.
Privacy notices: what tenants should be told
GDPR requires landlords to be transparent. In practice, that means giving applicants and tenants a short privacy notice at the point you collect their data.
The DPC's transparency guidance says the notice should explain:
- who you are and how to contact you
- what personal data you collect
- why you collect it
- the lawful basis you rely on
- who you share it with
- whether data is transferred outside the EEA and, if so, what safeguards apply
- how long you keep the data
- the tenant's rights, including access and correction
- the right to complain to the DPC
For landlords, the easiest places to provide this are:
- on the application form
- in an email when requesting supporting documents
- in the tenancy agreement pack
- in a short website privacy notice if you collect enquiries online
Keep the notice short, specific, and readable. It should describe what you actually do, not generic boilerplate copied from another business.
Security and retention: two areas landlords often overlook
The GDPR principles do not just restrict what you collect. They also require you to store data securely and not keep it longer than necessary.
The DPC's security guidance says controllers should use technical and organisational measures that are appropriate to the risk. For a landlord, that usually means practical basics rather than a complex compliance programme:
- strong passwords on email, cloud storage, and property software
- limited access so only the people who need the data can see it
- password protection or encryption for sensitive files and devices
- locked storage for paper files
- secure deletion or shredding when records are no longer needed
- extra care with laptops, USB drives, and personal email accounts
GDPR does not set one fixed retention period for landlord records. Instead, you should keep a short written retention policy and delete data when its purpose has ended.
A practical retention approach looks like this:
| Record type | Practical retention approach |
|---|---|
| Unsuccessful applicant records | Delete promptly after the letting decision, unless you need a short retention period to deal with follow-up queries or complaints |
| Tenancy agreement, rent ledger, dispute and maintenance history | Keep during the tenancy and for a documented post-tenancy period tied to legal, tax, or dispute needs |
| Reference documents and ID copies | Delete once their verification purpose has ended, unless you have a clear ongoing legal reason to keep them |
| CCTV footage | Use a short rolling retention period unless footage is needed for a specific incident |
If you cannot explain why you still have a record, you probably should not still have it.
Rights requests: what if a tenant asks for their data?
Tenants and applicants have data protection rights, including the right of access.
The DPC says that when you receive an access request, you generally need to:
- confirm whether you process the person's personal data
- provide a copy of that data
- provide the related information about the processing
The usual deadline is within one month.
That does not mean every request leads to deletion. A tenant may ask for erasure, but you can still keep data where you need it for a legal obligation, an ongoing dispute, or another valid basis. The important point is to assess the request properly and reply on time.
For a small landlord, the simplest process is:
- verify the identity of the requester if needed
- search your email, files, tenancy software, and paper records
- gather only that person's personal data
- remove or redact information that would unfairly disclose another person's data
- send the response securely
Breach response: what to do if something goes wrong
A personal data breach is not limited to hacking. It can include emailing documents to the wrong person, losing a laptop, leaving files where others can access them, or exposing CCTV footage improperly.
The DPC says you must notify the supervisory authority if the breach is likely to result in a risk to people's rights and freedoms, and this must be done within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk, the affected individuals must also be told without undue delay.
Even if you decide a breach is not reportable, the DPC says you should still keep an internal record showing:
- what happened
- what data was involved
- how you assessed the risk
- what action you took
For landlords, a simple breach workflow is usually enough:
- contain the problem immediately
- check what personal data was exposed
- assess the likely risk to the tenant or applicant
- decide whether the DPC must be told within 72 hours
- tell the tenant if the risk is high
- document the incident and fix the weakness that caused it
Letting agents, accountants, cloud drives, and other processors
If another service handles tenant data on your behalf, that service may be acting as your processor.
Common examples include:
- a letting agent
- a property management platform
- an accountant or bookkeeper
- a cloud document storage provider
- a contractor who is given access to tenant information to perform a defined task
The DPC's controller-processor guidance says you should have a binding contract in place with processors. That contract should make clear that the processor only acts on your instructions and applies appropriate security measures.
Do not assume that paying for software makes the GDPR issue disappear. You still need to check where data is stored, who can access it, and whether the provider gives the right contractual protections.
International transfers and overseas software
If tenant data is transferred outside the EEA, GDPR's transfer rules apply.
The EDPB explains that this is easiest where the destination country benefits from an adequacy decision. If not, landlords and service providers usually need another safeguard, most commonly Standard Contractual Clauses.
For most landlords, the practical question is not whether they personally emailed a file abroad. It is whether the software they use stores or supports data outside the EEA. If you use overseas platforms for e-signing, payments, storage, maintenance tickets, or CRM, check the provider's transfer terms rather than assuming everything is already covered.
CCTV and monitoring
Some landlords use CCTV or smart doorbells around rental property. That can be lawful, but it is not a free pass.
The DPC's CCTV guidance says you should be able to explain:
- the purpose of the CCTV
- the lawful basis
- why it is necessary and proportionate
- how footage is stored securely
- how long footage is kept
- how people are told they are being recorded
If your camera captures communal areas, neighbouring property, or public space, the privacy impact increases. In higher-risk situations, a Data Protection Impact Assessment may be needed before you install or expand the system.
Practical checklist for landlords
- List every category of tenant and applicant data you hold.
- Remove fields from application forms that are not clearly necessary.
- Set a lawful basis for each main processing activity.
- Give a privacy notice when you collect data.
- Restrict access to files and secure both paper and digital records.
- Write a simple retention policy and delete records you no longer need.
- Put a basic subject access request process in place.
- Keep a breach log and a 72-hour reporting plan.
- Check contracts and transfer terms for any agent, accountant, cloud service, or software provider you use.
- Review the process at least once a year and whenever your forms or tools change.
Short FAQ
Can I ask every applicant for PPSN, bank statements, and references at the viewing stage?
Usually no. The DPC's landlord guidance says it is difficult to justify collecting extensive material from all interested applicants at the initial stage. The safer approach is to collect only basic information first and request more sensitive documents only from the preferred applicant if they are genuinely needed.
Do I need tenant consent to hold tenancy data?
Usually no. Core tenancy processing is normally better grounded in contract, legal obligation, or legitimate interests, depending on the purpose. Consent should be reserved for genuinely optional uses where the tenant can freely say no.
What should I do if a tenant asks for a copy of their data?
Treat it as a subject access request, verify identity if needed, search the records you hold, and respond securely within one month. If some documents also contain another person's data, you may need to redact that part rather than refusing the request outright.
What if I use a letting agent or cloud software?
You still remain responsible for choosing compliant providers and checking the contract terms. If the provider is processing tenant data on your behalf, you should have a data processing contract and you should understand whether any data leaves the EEA.
Does anything differ for UK landlords?
The core GDPR-style duties are very similar under the UK GDPR and Data Protection Act 2018. One extra UK issue is the ICO data protection fee, which some controllers must pay unless an exemption applies, so UK landlords should check the ICO's self-assessment guidance separately.
Primary sources
- Data Protection Commission: Requesting Personal Data from Prospective Tenants
- Data Protection Commission: Guidance on the Principles of Data Protection
- Data Protection Commission: Transparency
- Data Protection Commission: Access and Portability
- Data Protection Commission: Breach Notification
- Data Protection Commission: A Practical Guide to Controller-Processor Contracts
- Data Protection Commission: Guidance on the use of CCTV
- EDPB SME Guide: International data transfers
- EUR-Lex: Regulation (EU) 2016/679 (GDPR)
- RTB: How to register a tenancy
- ICO: Guide to the data protection fee