Letting agents process extensive personal data about tenants, landlords and applicants. UK GDPR applies at every stage from initial enquiry through to end of tenancy.
What Letting Agents Process
Tenant data: name, DOB, address history, employment and salary details, credit check results, references, Right to Rent documents, NI numbers, bank details, rent records, maintenance logs.
Landlord data: contact details, bank account for rent transfers, property ownership records, tax information.
Lawful Bases
- Contract: Tenancy administration, rent collection, maintenance coordination
- Legal obligation: Right to Rent checks, AML checks, HMRC landlord reporting, deposit registration
- Legitimate interests: Pre-tenancy referencing and credit checks (LIA required)
- Consent/soft opt-in: Marketing to applicants and former tenants
Tenant Referencing
- Inform applicants at application stage that data will be processed for referencing
- Name any third-party referencing companies used
- Retain failed applicant data no longer than 6–12 months
- If credit scoring produces automatic rejection, Article 22 rights apply (right to human review)
Right to Rent
- Lawful basis: legal obligation
- Retain records for duration of tenancy plus 1 year (Home Office requirement)
- Do not use Right to Rent data for any other purpose
Retention Schedule
- Tenancy records: 6 years from end of tenancy
- Right to Rent records: tenancy duration plus 1 year
- Failed applicant data: 6–12 months
- Landlord financial records: 6 years
This guide was produced by Custodia — AI-powered GDPR compliance for small businesses. Scan your letting agency website free.
Top comments (0)