DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Property Management Companies: Leaseholder Data, Service Charge Records, and Block Management


Property management companies sit at the intersection of housing, finance, and personal relationships. They hold more sensitive personal data than most people realise — leaseholder financial histories, resident vulnerability information, access control logs, noise complaint records, and detailed correspondence about people's domestic situations. GDPR applies to all of it.

This guide covers the key data protection obligations for block managers, estate managers, right-to-manage companies, and managing agents operating in the UK and EU.


Why Property Management Companies Hold Unusually Sensitive Data

Unlike a typical business that collects customer contact details and payment information, property management companies maintain records that touch on the most private aspects of residents' lives: their finances, their health, their domestic disputes, and their home security.

A leaseholder who falls behind on service charges has financial data in your systems. A resident who disclosed a mobility impairment when requesting lift maintenance has health data in your systems. A neighbour who filed a noise complaint has provided you with information about a third party's behaviour. Each category requires careful handling under GDPR.


Leaseholder Data: Contact Details, Payment History, and Lease Terms

The core dataset every property management company maintains is the leaseholder register. This includes full names, addresses (including correspondence addresses that differ from the property), phone numbers, email addresses, and emergency contact details. It also includes financial data: service charge accounts, ground rent records, payment histories, arrears, and any debt collection correspondence.

Lease terms themselves contain personal data where they include named individuals, assignment histories, and any variations agreed between previous owners and the freeholder.

Key GDPR obligations:

  • You need a lawful basis for processing this data. For most leaseholder management activity this is contract performance (fulfilling obligations under the lease or your management agreement), legal obligation (statutory duties such as service charge accounting) or legitimate interest (managing the building requires maintaining these records). Record which basis applies to which activity.
  • Leaseholders have the right to access their own data. A subject access request from a leaseholder must be answered within one month of receipt. The period can be extended by a further two months for complex or numerous requests, but you must tell the requester within the first month and explain why.
  • Retention periods must be documented. Financial records relating to service charges should be kept for at least six years (the limitation period for most claims and the usual accounting retention period in the UK), but personal data should not be kept beyond the period your documented retention schedule sets for it.

Service Charge Accounts as Financial Personal Data

Service charge accounts are financial personal data. They record how much each leaseholder has paid, how much they owe, what they've been charged for, and any disputes or credit adjustments. This information is sensitive because it reveals financial circumstances — a leaseholder in persistent arrears may be experiencing financial hardship.

Under GDPR, you must:

  • Process service charge data only for the purpose of managing the building's finances
  • Not share individual leaseholder financial data with other residents (the annual accounts summarise building-level expenditure; individual accounts are personal data)
  • Ensure contractors and accountants who access this data are covered by data processing agreements
  • Securely delete financial data after the applicable retention period

Resident Vulnerability Data: Disability Accommodations and Mobility Requirements

This is some of the most sensitive data property managers hold. Residents may disclose disability information when requesting:

  • Lift maintenance prioritisation
  • Accessible parking arrangements
  • Fire evacuation assistance plans (PEEPs — Personal Emergency Evacuation Plans)
  • Adaptations to communal areas
  • Adjustments to inspection schedules

Under GDPR, disability information is special category (health) data under Article 9. Processing it requires not just an Article 6 lawful basis but an additional condition from Article 9(2). For property management, the most applicable conditions are:

  • Explicit consent from the resident (Article 9(2)(a))
  • Vital interests (Article 9(2)(c)), which only applies where the person is physically or legally incapable of giving consent; for PEEPs, explicit consent is usually the cleaner route, with vital interests as the fallback in an actual emergency
  • Substantial public interest (Article 9(2)(g)), which in the UK requires a matching condition in Schedule 1 to the Data Protection Act 2018; this is where a record kept to meet the Equality Act 2010 reasonable adjustments duty may sit, but check the Schedule 1 conditions rather than assuming one fits. Note that Article 9(2) has no general "legal obligation" condition; that exists only under Article 6.

Practical requirements: vulnerability data should be stored separately from general leaseholder records, with access restricted to staff who need it. It should not be included in routine correspondence or shared with contractors unless directly relevant to the work being carried out.


CCTV in Communal Areas: Retention and Access Policies

Most residential blocks with CCTV in communal areas fall under the ICO's video surveillance guidance (the separate Surveillance Camera Code of Practice issued under the Protection of Freedoms Act 2012 is binding only on relevant public authorities, although following it is good practice for anyone). The GDPR obligations are:

  • Signage: Residents and visitors must be informed that CCTV is in operation, what it's used for, and who operates it. A small notice at each camera entry point is not sufficient on its own — your privacy notice must also cover CCTV.
  • Retention periods: The default under GDPR is to delete footage when there is no longer a purpose for retaining it. For most blocks, 30 days is a reasonable retention period unless an incident has been reported.
  • Access requests: Individuals captured on CCTV footage have a right of access to that footage. Responding to these requests requires care — you must provide the footage relating to the requestor but blur out or redact footage of other individuals who may appear.
  • Third-party access: Police, insurance companies, and solicitors may request footage. Each request should be documented and assessed for lawfulness. Police requests backed by a court order or involving crime prevention are typically lawful; informal requests from a solicitor acting for a leaseholder in a dispute are not automatic grounds for disclosure.

Intercom and Access Control Systems: Entry Logs as Personal Data

Modern intercom and access control systems generate detailed logs: who entered which door, at what time, using which fob or code. These are personal data — they record individuals' movements and behaviours at their home.

Many managing agents don't realise these logs exist, let alone that they're subject to GDPR. Issues to address:

  • Purpose: Access logs should only be used for building security and incident investigation — not for general surveillance of residents' comings and goings.
  • Retention: Logs beyond 90 days are rarely justified without a specific reason.
  • Data sharing: Access logs should not be shared with landlords for the purpose of monitoring specific tenants or leaseholders without a lawful basis.
  • Data processor agreements: The access control system provider is processing personal data on your behalf and needs a data processing agreement in place.
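The two retention windows above (30 days for CCTV, 90 days for door-entry logs) only work if deletion is automatic, an incident can suspend it, and lookups of a fob's history are refused when the stated purpose is not one your privacy notice covers. The script below is an added example written for this article, not Custodia's code or any access-control vendor's API; the record layout, the retention windows, the permitted-purpose list and the sample records are all constructed assumptions to be replaced with your own.

```python
"""Retention with incident hold and purpose-limited lookup for CCTV
footage and door-entry logs. Added example, not Custodia's code; the
record layout, retention windows and permitted purposes are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = {"cctv": 30, "access_log": 90}   # the windows the article suggests
# Purposes for which an entry-log lookup is permitted; "tenant_monitoring"
# by a landlord is deliberately absent (assumption: align with your notice).
PERMITTED_PURPOSES = {"security_incident", "subject_access_request"}


@dataclass
class Record:
    kind: str                    # "cctv" or "access_log"
    created: datetime            # UTC time of the clip or door event
    subject: str                 # camera id, or fob id (a fob maps to a person)
    hold_ref: str | None = None  # incident reference that suspends deletion


@dataclass
class AuditEntry:
    when: datetime
    action: str
    detail: str


def place_hold(records, subject, since, ref):
    """Put records for `subject` created on/after `since` under hold `ref`."""
    count = 0
    for r in records:
        if r.subject == subject and r.created >= since and r.hold_ref is None:
            r.hold_ref = ref
            count += 1
    return count


def is_expired(rec, now):
    if rec.hold_ref is not None:          # held records are never auto-purged
        return False
    return now - rec.created > timedelta(days=RETENTION_DAYS[rec.kind])


def purge(records, now, audit):
    """Split records into kept/deleted and leave an audit line for the run."""
    kept, deleted = [], []
    for r in records:
        (deleted if is_expired(r, now) else kept).append(r)
    audit.append(AuditEntry(now, "purge", f"deleted={len(deleted)} kept={len(kept)}"))
    return kept, deleted


def lookup_entries(records, fob, purpose, requested_by, audit, now):
    """Return door events for a fob, but only for a permitted purpose."""
    if purpose not in PERMITTED_PURPOSES:
        audit.append(AuditEntry(now, "lookup_refused",
                                f"by={requested_by} purpose={purpose} fob={fob}"))
        raise PermissionError(f"{purpose!r} is not a permitted use of entry logs")
    hits = [r for r in records if r.kind == "access_log" and r.subject == fob]
    audit.append(AuditEntry(now, "lookup",
                            f"by={requested_by} purpose={purpose} fob={fob} hits={len(hits)}"))
    return hits


def sample_records(now):
    """Constructed sample data, not real footage or logs."""
    def ago(days):
        return now - timedelta(days=days)
    return [
        Record("cctv", ago(45), "cam-lobby"),          # past 30 days: purge
        Record("cctv", ago(10), "cam-lobby"),          # keep
        Record("access_log", ago(120), "fob-0413"),    # past 90 days: purge
        Record("access_log", ago(40), "fob-0413"),     # keep
        Record("access_log", ago(95), "fob-0777"),     # past 90 days but held below
    ]


def demo(now=None):
    now = now or datetime.now(timezone.utc)
    records, audit = sample_records(now), []
    # An incident is reported against fob-0777: hold its events from the last 100 days.
    held = place_hold(records, "fob-0777", now - timedelta(days=100), "INC-0001")
    kept, deleted = purge(records, now, audit)
    try:   # a landlord asking to watch a tenant's comings and goings is refused
        lookup_entries(kept, "fob-0413", "tenant_monitoring", "landlord", audit, now)
        refused = False
    except PermissionError:
        refused = True
    hits = lookup_entries(kept, "fob-0413", "security_incident", "block-manager", audit, now)
    return {"held": held, "kept": len(kept), "deleted": len(deleted),
            "refused": refused, "hits": len(hits), "audit_lines": len(audit)}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real system: the hold is attached to the record, so a later purge run cannot delete evidence by accident, and the refused lookup is logged just like a successful one, which is what you will need when a resident asks who has been looking at their entry history.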

Contractor Access to Resident Information

When a contractor visits a property for maintenance, they typically need access to the resident's name and flat number. Sometimes they need more — a phone number to arrange access, or information about a mobility impairment that affects how they carry out the work.

Each instance of sharing resident data with a contractor is a disclosure of personal data. Your obligations:

  • Use a data processing agreement with any contractor who regularly accesses resident data
  • Provide contractors only with the minimum data necessary for the job
  • Do not maintain shared spreadsheets of resident data accessible to multiple contractors without appropriate access controls
  • Require contractors to delete or return resident data after the job is complete

One common failure: property management companies maintain a shared cloud folder accessible to dozens of contractors containing full leaseholder contact lists, lease information, and sometimes financial data. This is a significant GDPR risk.
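The fix for that shared folder is not a better folder; it is never handing the register row out at all. Each job gets a short-lived sheet containing only the fields that job type needs, and the disclosure is logged. The code below is an added example for this article, not Custodia's code; the register rows, job types, field lists and 14-day validity period are constructed assumptions to be matched to your own contracts and privacy notice.

```python
"""Per-job contractor data minimisation. Added example, not Custodia's
code; register rows, job types, field lists and validity are assumptions."""
from __future__ import annotations
from datetime import date, timedelta

# Constructed register: not real people.
REGISTER = {
    "Flat 3": {
        "name": "A. Resident",
        "correspondence_address": "12 Elsewhere Road",
        "phone": "07700 900123",
        "email": "a.resident@example.com",
        "service_charge_balance": -842.50,   # financial personal data
        "arrears_flag": True,
        "mobility_note": "Wheelchair user; 24h notice needed for lift outages",  # Article 9 data
    },
    "Flat 5": {
        "name": "D. Owner",
        "correspondence_address": None,
        "phone": "07700 900456",
        "email": "d.owner@example.com",
        "service_charge_balance": 0.0,
        "arrears_flag": False,
        "mobility_note": None,
    },
}

# Fields each job type may see beyond the flat number (assumption: set these
# from what your contracts and privacy notice actually say).
JOB_FIELDS = {
    "communal_repair": set(),                                # flat number only
    "in_flat_access": {"name", "phone"},                     # needed to arrange entry
    "lift_maintenance": {"name", "phone", "mobility_note"},  # note is relevant here
}
SHEET_VALIDITY = timedelta(days=14)

DISCLOSURE_LOG: list[dict] = []   # what was disclosed, to whom, when and why


def job_sheet(flat, job_type, contractor, issued=None):
    """Build the minimal data sheet for one job and record the disclosure."""
    if job_type not in JOB_FIELDS:
        raise ValueError(f"unknown job type {job_type!r}: refuse rather than guess")
    row = REGISTER[flat]
    issued = issued or date.today()
    data = {"flat": flat}
    for field in JOB_FIELDS[job_type]:
        if row.get(field) is not None:     # omit empty fields instead of leaking None
            data[field] = row[field]
    sheet = {
        "contractor": contractor,
        "job_type": job_type,
        "issued": issued.isoformat(),
        "expires": (issued + SHEET_VALIDITY).isoformat(),
        "data": data,
    }
    DISCLOSURE_LOG.append({"flat": flat, "to": contractor, "job_type": job_type,
                           "fields": sorted(data), "issued": sheet["issued"]})
    return sheet


def sheet_is_valid(sheet, today_iso):
    """Whether a contractor portal should still serve this sheet (ISO date in)."""
    return date.fromisoformat(today_iso) <= date.fromisoformat(sheet["expires"])


def withheld_fields(flat, job_type):
    """Register fields this job type never sees, useful for a contract schedule."""
    return sorted(set(REGISTER[flat]) - JOB_FIELDS[job_type])


if __name__ == "__main__":
    s = job_sheet("Flat 3", "in_flat_access", "PlumbCo")
    print(s)
    print("withheld:", withheld_fields("Flat 3", "in_flat_access"))
```

The mobility note is only ever released for the one job type where it changes how the work is done, which is the "directly relevant to the work" test from the vulnerability section; the financial fields never leave the register at all. An unknown job type raises rather than falling back to a generous default, because the safe failure mode for data minimisation is to disclose nothing.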


Noise and Nuisance Complaints: Handling Third-Party Personal Data

When a resident files a noise complaint, they provide personal data about themselves and personal data about a third party (the neighbour they are complaining about). Both sets of data require careful handling.

The complainant's data: you need to tell them how you'll use it, who you'll share it with, and what happens if the complaint is investigated.

The subject of the complaint: they have rights under GDPR too. If they make a subject access request, you may need to disclose correspondence about them — but you must balance their rights against the complainant's right to confidentiality.

Practical guidance:

  • Do not routinely share the complainant's identity with the person being complained about — this can expose the complainant to retaliation and is not required by GDPR
  • Document decisions about what information to share and why
  • If noise nuisance escalates to formal proceedings, take legal advice before sharing complaint logs
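A subject access request from the person complained about is where the balancing act above becomes concrete: the requester is entitled to the substance of what was said about them, the complainant's identity is third-party data that you do not disclose by default, and the one-month clock starts on receipt. The script below is an added example for this article, not Custodia's code; the complaint records are constructed, the field names are assumptions, and the deadline helper uses the ICO's calendar-month counting rule without handling weekends or bank holidays.

```python
"""Subject access request export for complaint records, redacting the
complainant when the requester is the person complained about, plus the
one-month deadline calculation. Added example, not Custodia's code; the
records are constructed and the field names are assumptions."""
from __future__ import annotations
import calendar
import re
from datetime import date

# Constructed complaint log (no real people).
COMPLAINTS = [
    {"id": "C-101", "complainant": "Flat 3", "complainant_name": "A. Resident", "about": "Flat 4",
     "text": "A. Resident of Flat 3 reports loud music from Flat 4 after midnight on 12 Jan."},
    {"id": "C-102", "complainant": "Flat 9", "complainant_name": "B. Neighbour", "about": "Flat 4",
     "text": "B. Neighbour (Flat 9) says the Flat 4 party ran past 2am on 14 Jan."},
    {"id": "C-103", "complainant": "Flat 4", "complainant_name": "C. Occupier", "about": "Flat 7",
     "text": "C. Occupier reports the Flat 7 dog barking all day on 20 Jan."},
]


def redact(text, tokens):
    """Replace each identifying token (whole-word match) with a marker."""
    for tok in tokens:
        text = re.sub(r"\b" + re.escape(tok) + r"\b", "[redacted]", text)
    return text


def sar_export(records, requester_flat):
    """Records to disclose to `requester_flat`, with the complainant's identity
    removed where the requester is the subject of the complaint, not its author."""
    out = []
    for rec in records:
        if rec["complainant"] == requester_flat:
            # Their own complaint: disclose in full, they supplied it.
            out.append({"id": rec["id"], "role": "complainant", "about": rec["about"],
                        "text": rec["text"], "needs_review": False})
        elif rec["about"] == requester_flat:
            # They are the subject: disclose the substance, not who complained.
            out.append({"id": rec["id"], "role": "subject",
                        "text": redact(rec["text"], [rec["complainant_name"], rec["complainant"]]),
                        # Free text can still identify the complainant indirectly
                        # ("the flat above"), so flag for a human balancing decision.
                        "needs_review": True})
    return out


def add_months(received_iso, n):
    """Same day `n` months on, or the last day of that month if it has no such
    day (the ICO's counting rule). ISO date string in and out."""
    received = date.fromisoformat(received_iso)
    month_index = received.month - 1 + n
    year, month = received.year + month_index // 12, month_index % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def response_deadline(received_iso):
    """Standard one-month deadline from the day of receipt."""
    return add_months(received_iso, 1)


def extended_deadline(received_iso):
    """Three months in total for complex or numerous requests, valid only if the
    requester was told of the extension within the first month."""
    return add_months(received_iso, 3)


if __name__ == "__main__":
    for row in sar_export(COMPLAINTS, "Flat 4"):
        print(row)
    print(response_deadline("2026-01-31"), extended_deadline("2026-01-31"))
```

The `needs_review` flag is the important part: name and flat-number redaction is mechanical, but whether the remaining text still identifies the complainant is a judgement call, and the article's advice to document the decision applies to each flagged record.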

Estate Agent Referrals and Data Sharing at Property Sale

When a leaseholder sells their property, they typically ask you to provide a leasehold information pack (also called a management pack or LPE1 form). This pack includes personal financial data about the outgoing leaseholder's service charge account.

The pack is requested by the solicitor acting for the seller and shared with the buyer's solicitor. Under GDPR:

  • Consent is the wrong basis to rely on here: GDPR consent must be a clear affirmative act and cannot be implied from the sale. The disclosure is made at the seller's own request through their solicitor, so contract or legitimate interests is the basis, and your privacy notice should say so
  • The buyer's solicitor (and ultimately the buyer) is receiving personal financial data about the seller — treat this as a formal data disclosure requiring appropriate handling
  • Retain records of what was disclosed, to whom, and when

Right-to-Manage Companies and Data Transfer Obligations

When leaseholders exercise their right to manage under the Commonhold and Leasehold Reform Act 2002, the outgoing managing agent must transfer building records to the RTM company. This transfer includes personal data about leaseholders.

GDPR obligations at transfer:

  • The outgoing agent remains a data controller for the data in their possession until it is transferred. They must not retain copies of personal data beyond what is needed for their own legal purposes (such as defending claims relating to their period of management).
  • The RTM company becomes the data controller on receipt. They need to have a privacy notice and GDPR infrastructure in place before receiving the data.
  • The transfer should be documented, and any data that is irrelevant to the ongoing management should be deleted rather than transferred.

Major Works Consultation: Data Sharing with Leaseholders

Under Section 20 of the Landlord and Tenant Act 1985, qualifying works costing any one leaseholder more than £250 require formal consultation. This process involves sharing contractor estimates and other information with leaseholders.

The consultation process generates personal data in both directions: leaseholder observations and objections are personal data; in some cases, individual contractor employees' details may appear in estimates.

Key issues:

  • Leaseholder observations submitted during consultation are personal data and should be retained only as long as needed for the consultation process and any subsequent dispute
  • Do not share individual leaseholders' observations with other leaseholders without consent — circulating who objected to what can create disputes within the building

Buildings Insurance and Resident Data Sharing with Insurers

Block buildings insurance requires sharing some information about the property and its occupants with the insurer. Following a claim, more significant data sharing occurs.

When a leaseholder makes a claim (or when a claim is made on their behalf), the insurer will request information that may include:

  • Contact details
  • Details of the incident (which may include sensitive information about a resident's health or domestic situation)
  • Access arrangements (which may reveal information about vulnerability or routine)

Your obligations:

  • Your privacy notice should reference insurance-related data sharing
  • For claims involving special category data (health information relevant to an injury claim), ensure the leaseholder is aware their data is being shared with the insurer
  • Loss adjusters and surveyors instructed by the insurer are data processors — ensure appropriate contractual protections are in place

Annual General Meetings and Data Protection for Residents

AGMs generate minutes, attendance records, proxy forms, and voting records — all personal data. Issues specific to residential AGMs:

  • Attendance records should not be published or shared beyond what is necessary for management purposes
  • Voting records on contentious resolutions (such as major works decisions) can be sensitive — leaseholders who voted against a decision may not want their position known to other residents
  • Minutes should be retained as part of the building's records but personal data within them should not be retained beyond the applicable period
  • Where AGMs are held online, recording obligations apply: if the meeting is recorded, residents must be informed and consent obtained (or a clear lawful basis established)

10 Common GDPR Mistakes Property Management Companies Make

1. No privacy notice for residents. Many property management companies don't have a privacy notice at all — or have one that applies to their website visitors but not to the residents and leaseholders they manage.

2. Sharing leaseholder financial data in minutes or newsletters. Circulating the names of leaseholders in arrears in meeting minutes or block newsletters is a data breach.

3. Unsecured shared folders with contractor access. A shared Google Drive or Dropbox with full leaseholder data accessible to dozens of contractors is an ongoing compliance failure.

4. No data processing agreements with contractors or software providers. The software you use to manage the block, the accounting system, the access control system, and the regular contractors are all data processors. Each needs a DPA.

5. CCTV footage retained indefinitely. Footage retained beyond 30–90 days without a specific reason is likely unlawful.

6. Treating vulnerability data like any other resident data. Disability and health information disclosed by residents requires additional safeguards — it cannot simply sit in the general property management file.

7. Ignoring subject access requests. A leaseholder who asks to see all data held about them is exercising a GDPR right. The one-month deadline is a legal requirement, not a courtesy.

8. No documented retention policy. Retaining paper files going back 20 years because "we might need them" is not a GDPR-compliant approach.

9. Including personal data in block-wide communications. Sending an email to all residents about a specific resident's noise complaint, unauthorised alteration, or arrears situation exposes personal data to the entire building.

10. Failing to update the privacy notice when the management changes. When an RTM takes over, or a new managing agent is appointed, the privacy notice must be updated to reflect the new data controller.


Getting Your Privacy Compliance Right

For property management companies, the starting point is understanding exactly what data you hold, where it's stored, who has access, and how long you keep it. A data mapping exercise is the foundation.

From there, you need a privacy notice that actually describes your processing activities — not a generic template — and data processing agreements with every contractor and software provider who accesses resident data.

If you manage multiple blocks, you're processing personal data for hundreds or thousands of individuals. A systematic approach to compliance protects both the residents you manage and your company from regulatory risk.

Ready to audit your privacy compliance? Scan your website free at Custodia — we'll identify privacy issues, missing disclosures, and compliance gaps in 60 seconds.

Last updated: March 2026
