Letting agents sit at the intersection of multiple sensitive data streams. You collect detailed personal and financial information from prospective tenants, manage ongoing relationships with landlords, engage maintenance contractors, and operate increasingly integrated property management software. Every one of those touchpoints generates personal data — and every one of those touchpoints creates GDPR obligations.
This guide is written specifically for UK letting agents and property management companies operating under UK GDPR (the EU regulation as retained in UK law after Brexit, read together with the Data Protection Act 2018 and enforced by the Information Commissioner's Office). Whether you manage five properties or five hundred, the principles are the same.
What Personal Data Do Letting Agents Collect?
Before you can comply with GDPR, you need to understand the full scope of data you actually hold.
Tenant Application Data
A standard tenant application collects a significant volume of personal data:
- Full name, date of birth, current and previous addresses
- Employment status, employer details, salary and payslips
- Bank statements and financial history
- References from previous landlords and employers
- National Insurance number
- Credit check results (via Experian, Equifax, or a referencing service)
- Emergency contact details
Some of this data needs more care than ordinary contact details. Financial information (credit scores, debt history, bank statements) is not "special category" data under Article 9, but it is exactly what an identity-fraud or account-takeover attacker wants, so a breach of it is high-risk for the individuals concerned. Credit check outputs and reference data describing past behaviour should be treated the same way: collect the minimum, restrict access, and retain for a defined period only.
Right-to-Rent Check Data
Under the Immigration Act 2014, landlords in England (and agents acting for them) must verify a prospective tenant's right to rent before agreeing a tenancy; the scheme has not been extended to Wales, Scotland or Northern Ireland. The check involves collecting and inspecting identity documents (passports, biometric residence permits) or verifying a share code through the Home Office online checking service.
Right-to-rent checks generate a specific data retention obligation — more on that below.
Landlord Data
Landlord data is often underestimated. You hold:
- Full name and contact details
- Property ownership information
- Bank account details for rent payments
- National Insurance or UTR numbers for tax reporting
- Correspondence about property condition and maintenance
- In some cases, financial circumstances (for portfolio landlords)
Landlord data is personal data if your landlords are individuals rather than limited companies. Even company landlords may have personal data associated with them through directors and beneficial owners.
Ongoing Tenancy Data
During an active tenancy, you continue to accumulate data: maintenance logs, communications, complaint records, inspection reports, and payment history. If you manage the property, you may also hold keys and access codes — not personal data in themselves, but tightly bound to the personal data of the occupants.
Lawful Basis for Processing
Under UK GDPR, every processing activity must have a lawful basis. For letting agents, the three most commonly applicable are:
Contract (Article 6(1)(b))
Processing personal data of a tenant is necessary for the performance of a tenancy agreement — or for taking steps at the tenant's request before entering into one. This covers:
- Processing tenant applications
- Collecting payment details
- Managing the tenancy throughout its term
- Processing notice periods and deposit returns
What it doesn't cover: Marketing to past tenants, credit checks beyond what's needed for the specific tenancy, retaining data indefinitely after a tenancy ends.
Legal Obligation (Article 6(1)(c))
Some data processing is required by law. For letting agents, this includes:
- Right-to-rent checks (Immigration Act 2014)
- Anti-money laundering customer due diligence under the Money Laundering Regulations 2017 (letting agency work is in scope for tenancies with a monthly rent of €10,000 or more)
- Tax reporting obligations to HMRC
- Tenancy deposit scheme compliance
When processing is legally required, you don't need consent, the right to object does not apply, and the right to erasure does not apply while the legal duty to keep the data lasts. Transparency obligations still apply: the privacy notice must say what the law requires you to collect and for how long.
Legitimate Interest (Article 6(1)(f))
Legitimate interest (LI) allows you to process data when you have a genuine business reason that isn't overridden by the individual's privacy interests. For letting agents, LI can apply to:
- Fraud prevention and referencing checks
- Business record keeping after a tenancy ends
- Marketing to existing landlord clients (with opt-out)
- Following up with prospective landlords who have enquired about your services
LI requires a three-part test (the ICO's purpose, necessity and balancing tests): identify the legitimate interest, demonstrate the processing is necessary to achieve it, and carry out a balancing test showing that the individual's interests, rights and freedoms do not override your interest. Record the assessment in writing (a Legitimate Interests Assessment, or LIA) so you can produce it if challenged.
LI cannot be used as a catch-all. If consent is clearly required (e.g., marketing emails to prospective tenants who've never been clients), you need genuine consent.
Tenant Referencing and Credit Checks
Tenant referencing sits at a compliance intersection. You're collecting financial history, employment data, and previous tenancy records — and sharing that data with landlords.
Who is the data controller for referencing? If you use a third-party referencing service such as Homelet, Experian or Let Alliance, it may be your data processor (acting only on your instructions, in which case you need an Article 28 Data Processing Agreement) or an independent controller that decides its own purposes, which is common for referencing agencies and credit reference agencies. Check the service's own privacy documentation, put the right contract in place for the role it actually plays, and name the service in your privacy notice.
Credit data specifics: Credit check outputs contain information about individuals' financial behaviour — County Court Judgments, defaults, credit utilisation. While UK GDPR doesn't classify financial data as "special category," credit data should be handled with extra care: minimise what you retain, limit who can access it, and don't use it for any purpose other than assessing tenancy eligibility.
Inform applicants before checking: You must tell prospective tenants before conducting a credit check that you intend to do so, why, and what referencing service you'll use. This is part of your transparency obligation under Article 13.
Failed applicants' data: If a tenant fails referencing, you should not retain their full application data indefinitely. Set a clear retention period — typically 6-12 months is defensible for legitimate business purposes — and document it in your retention policy.
Right-to-Rent Checks and Document Retention
Right-to-rent checks are a legal obligation under the Immigration Act 2014. GDPR still applies to how you conduct and retain those checks.
What you must keep: A copy of the document checked (passport, BRP, share code result), the date of the check, and the names of those checked.
How long you must keep it: You must retain right-to-rent check records for the duration of the tenancy plus one year after it ends. After that point the Immigration Act no longer requires retention, so keeping the copies longer would breach the UK GDPR storage limitation principle (Article 5(1)(e)) unless you have another documented reason.
How to store it: Right-to-rent copies are identity documents, the raw material for identity fraud. Store them encrypted at rest, in a location separate from general correspondence files, with access limited to the staff who perform and audit the checks and logged so you can see who opened what. A passport scan dropped into a shared mailbox or a general "tenant" folder is the typical failure.
Online checks: The Home Office online right-to-rent checking service returns a result page for the share code. Retain that result for the same period as a manual check; you will not hold a copy of the underlying document in that case, and you should not ask for one.
Sharing Tenant Data with Landlords: Joint Controller Considerations
This is an area many letting agents get wrong.
When you pass a tenant's application to a landlord, including employment details, references and credit check summaries, you are sharing personal data with a third party. That sharing needs a lawful basis. Typically it is the pre-contract steps you are taking at the tenant's request under Article 6(1)(b), and the landlord has both that same pre-contract basis and a legitimate interest in assessing the application.
The joint controller question: If you and a landlord are both making decisions about how tenant data is used — for example, both accessing a shared property management portal — you may be joint controllers under Article 26. Joint controllers must have a written arrangement setting out their respective responsibilities, including how data subject rights requests will be handled.
In practice, most agency agreements between letting agents and landlords don't address this. If yours doesn't, consider adding a data processing addendum to your landlord terms of business.
What landlords can and can't do with tenant data: Landlords receive personal data for the purpose of letting their property. They cannot use that data for other purposes — for example, adding tenants to a marketing list or sharing contact details with third parties. Make this clear in your landlord terms.
Property Management Software as Data Processor
Most letting agents use specialist property management software. Common platforms in the UK market include:
- Reapit — enterprise-grade agency CRM
- Alto (formerly Jupix) — widely used mid-market platform
- Arthur Online — cloud-based property management
- Fixflo — maintenance and repairs management
- SME Professional — smaller agency platform
When you use any of these platforms to store tenant and landlord personal data, the software provider is acting as your data processor — processing data on your behalf, according to your instructions.
What this means for compliance:
- You need a signed Data Processing Agreement (DPA) with each software provider before using their platform to process personal data.
- You remain responsible (as the controller) for the data — if the software provider has a breach, you are accountable to your data subjects.
- Check where data is hosted. UK GDPR has its own rules on international transfers. If your software stores data on US servers (common with cloud platforms), you need to know which transfer mechanism is in use: the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the UK-US data bridge (the UK extension to the EU-US Data Privacy Framework) for providers certified under it.
Most major property management platforms publish their DPAs and transfer documentation. Article 28 does not require a wet-ink signature (online terms can form the contract), but it does require the contract to contain the mandatory processor terms in Article 28(3). Read the terms you are accepting, confirm those clauses are present, and keep a copy of the version you agreed to rather than relying on whatever the click-through page says today.
CCTV in Managed Properties
If you manage properties with CCTV — communal areas in HMOs, building entrances, car parks — GDPR applies to that footage.
Whether you or the landlord is the controller for CCTV in managed communal areas depends on who decides why the cameras are there and how the footage is used, not on who owns the equipment. Where you operate the system day to day, you are likely the controller (or a joint controller with the landlord). Decide this and write it down in the management agreement.
Key obligations:
- Display clear CCTV signage at all camera locations (who operates it, why, how to make a request)
- Limit retention. The ICO does not fix a period; 31 days is a widely used benchmark that is usually defensible. Document your chosen period and the reason for any exception (for example, footage preserved for a police request or a dispute)
- Restrict access to authorised staff only
- Have a process for responding to subject access requests. Someone can request footage that shows them, and you will usually need to blur or crop other identifiable people in the clip before disclosing it
Body-worn cameras: If your staff carry body-worn cameras during inspections, the same rules apply. Inform tenants before recording.
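The three retention periods this post sets out (referencing data for failed applicants at 6 to 12 months after the decision, right-to-rent copies for the tenancy plus one year, CCTV footage for around 31 days) only work if something actually enforces them. Below is an added example of a small retention scheduler in Python; it is not code from the original post or from any property management product. It assumes a 12-month period for failed applicants (a choice within the post's range), uses calendar-month arithmetic so "one year after" lands on the true anniversary rather than 365 days, treats a right-to-rent record as not yet due while the tenancy is still active, and refuses to purge anything on legal hold (an open SAR, a deposit dispute or a police request). The record layout and function names are hypothetical, and the sample records are constructed for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention schedule. Each category is anchored on a dated event; the
# record may not be deleted before that event plus the stated period.
# right_to_rent_check and cctv_footage follow the figures in the post;
# failed_application uses an assumed 12-month policy (post range: 6-12 months).
RETENTION = {
    "right_to_rent_check": {"anchor": "tenancy end", "months": 12, "days": 0},
    "failed_application":  {"anchor": "decision",    "months": 12, "days": 0},
    "cctv_footage":        {"anchor": "captured",    "months": 0,  "days": 31},
}


@dataclass
class Record:
    record_id: str
    category: str
    event_date: Optional[date]   # anchor event; None if it has not happened yet
    legal_hold: bool = False     # open SAR, dispute, police request, etc.


def add_period(d: date, months: int = 0, days: int = 0) -> date:
    """Calendar-aware date arithmetic: 31 Jan + 1 month -> 28/29 Feb, not 3 Mar."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day) + timedelta(days=days)


def purge_date(rec: Record) -> Optional[date]:
    """Earliest date on which the record may be deleted, or None if the anchor
    event has not occurred yet (e.g. the tenancy is still running)."""
    try:
        rule = RETENTION[rec.category]
    except KeyError:
        # Fail closed: an unknown category is never silently purged.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    if rec.event_date is None:
        return None
    return add_period(rec.event_date, rule["months"], rule["days"])


def due_for_deletion(records, today: date) -> list:
    """IDs of records whose retention period has elapsed and that are not on hold."""
    due = []
    for rec in records:
        if rec.legal_hold:
            continue
        when = purge_date(rec)
        if when is not None and today >= when:
            due.append(rec.record_id)
    return due


# Constructed sample records for the example (not real data).
SAMPLE_RECORDS = [
    Record("RTR-001", "right_to_rent_check", date(2024, 5, 31)),            # ended a year+ ago
    Record("RTR-002", "right_to_rent_check", None),                         # tenancy still active
    Record("APP-003", "failed_application",  date(2024, 6, 15)),            # 12 months not yet up
    Record("CCTV-004", "cctv_footage",       date(2025, 4, 20)),            # older than 31 days
    Record("CCTV-005", "cctv_footage",       date(2025, 4, 20), legal_hold=True),
    Record("RTR-006", "right_to_rent_check", date(2024, 6, 1)),             # anniversary today
]


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.category, "purge on", purge_date(rec), "hold" if rec.legal_hold else "")
    print("due for deletion:", due_for_deletion(SAMPLE_RECORDS, today))
```

Run it daily against the real record store and feed the returned IDs into whatever actually deletes the files; the point of keeping the decision in one function is that the retention policy in your documentation and the one the system applies are the same thing, which is what an ICO audit will check. The legal-hold flag is deliberately checked first so a SAR or dispute can never be lost to a scheduled purge.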
Maintenance Contractors and Access to Tenant Data
When a maintenance contractor needs to access a property, you will typically share:
- The tenant's name
- The property address
- Contact details (phone number to arrange access)
- Sometimes a description of the issue (which may reveal information about how the tenant lives)
This is personal data sharing. The contractor is receiving it as an independent controller (they decide how they handle it) or as a processor (if they're acting entirely on your instructions). In most cases, contractors operate as independent controllers.
Minimise what you share. Contractors need the address and a contact number. They don't need the tenant's full application file. Share only what's necessary.
Inform tenants. Your privacy notice should mention that personal data may be shared with maintenance contractors as part of property management. You don't need consent (this falls under contract/legitimate interest), but you must be transparent about it.
Tenancy Deposit Scheme Data Sharing
When a tenancy deposit is taken, you are legally required to protect it with an approved tenancy deposit scheme (TDS, DPS, or mydeposits). This involves:
- Sharing the tenant's personal details with the scheme
- Providing the scheme with deposit amounts and tenancy dates
- Enabling the tenant to access their deposit information directly through the scheme
This is legally required processing. However, the tenancy deposit scheme is also a data controller in its own right — it makes its own decisions about how it uses and retains data. Make sure your privacy notice discloses which deposit scheme you use and that tenant data will be shared with it.
Marketing to Landlords: Legitimate Interest vs. Consent
Marketing is a common compliance grey area for letting agents.
Existing landlord clients: You can market additional services (portfolio management, lettings, insurance) to existing clients using legitimate interest, provided you offer a clear opt-out mechanism in every communication and you've conducted a balancing test.
Prospective landlords who've enquired: If someone filled in a contact form or called about your services, PECR's "soft opt-in" (Regulation 22(3) of the Privacy and Electronic Communications Regulations) lets you send follow-up email marketing about your own similar services, provided you gave them the chance to refuse when you collected their details and in every message since. Document that basis, and remember that individual landlords (sole traders and partnerships) are "individual subscribers" under PECR even when they are renting out property as a business.
Cold email to landlords from a purchased list: This is high-risk. Purchased lists are often compiled from public sources without genuine consent. Using them for direct marketing requires careful scrutiny of the list provider's compliance documentation, and the ICO has taken action against companies relying on poor-quality lists.
SMS marketing: PECR treats text messages as "electronic mail", so unsolicited marketing texts to individuals need opt-in consent unless the same soft opt-in conditions are met. Legitimate interest on its own is not sufficient.
Landlord database segmentation: If you maintain a CRM of landlord contacts, ensure it records the basis on which you're marketing to each contact, the date they were added, and any opt-outs. This is evidence of compliance if the ICO ever investigates.
Letting Agent GDPR Compliance Checklist
Use this checklist to assess your current position:
Privacy notices and transparency
- [ ] Privacy notice published on your website covering tenant, landlord, and applicant data
- [ ] Separate or layered notice provided at point of application (paper or digital)
- [ ] CCTV signage in place at all camera locations
Data processing
- [ ] Lawful basis documented for each category of processing (contract, legal obligation, LI)
- [ ] Legitimate interest assessments completed and recorded for LI-based processing
- [ ] Right-to-rent document retention policy implemented (tenancy + 1 year)
- [ ] Credit check and referencing data retention policy in place (typically 6-12 months post-decision)
Third parties and processors
- [ ] DPAs signed with all property management software providers (Reapit, Alto, Fixflo, Arthur, etc.)
- [ ] International transfer mechanisms reviewed for cloud software
- [ ] Landlord terms of business include data sharing provisions
- [ ] Tenancy deposit scheme data sharing disclosed in privacy notice
Data subject rights
- [ ] Process in place to respond to subject access requests within one month
- [ ] Process to handle right-to-erasure requests (noting exemptions for legal obligations)
- [ ] Staff trained on recognising and escalating data subject requests
Security
- [ ] Physical files locked and access restricted
- [ ] Electronic records protected by role-based access controls, multi-factor authentication on remote and cloud logins, and encryption at rest for identity and financial documents
- [ ] CCTV footage access restricted and retention limited
- [ ] Contractor data sharing minimised to what's necessary
Marketing
- [ ] Landlord marketing emails include clear unsubscribe mechanism
- [ ] SMS marketing only sent to those who've opted in
- [ ] Purchased list compliance documented before use
Take the Next Step: Scan Your Website
Your website is the first point of data collection — and often the most overlooked. Cookie trackers, embedded forms, and third-party scripts may be collecting data without adequate disclosure.
Run a free privacy scan at https://app.custodia-privacy.com/scan to see exactly what your website is collecting, which third parties it shares data with, and whether your cookie consent implementation meets UK GDPR standards. No signup required — results in 60 seconds.
This post provides general information about UK GDPR obligations for letting agents. It does not constitute legal advice. Your specific obligations will depend on the nature of your business, your data processing activities, and your individual circumstances. Consult a qualified data protection solicitor or registered DPO for advice specific to your situation.