GDPR for Property Management Companies: Tenant Data, CCTV and Leasehold Records
Property management companies sit at the intersection of sensitive personal data, financial records, and physical security systems. Whether you manage residential blocks, commercial properties, or mixed-use developments, your day-to-day operations generate and process enormous volumes of personal data about tenants, leaseholders, contractors, and third parties. GDPR applies to all of it.
This guide covers the most important data protection obligations for property managers — from tenancy agreements and right to rent checks through to CCTV in communal areas and section 20 consultation records.
Tenant Personal Data and Tenancy Agreements
A tenancy agreement is a data-rich document. It contains the tenant's full name, date of birth, contact details, National Insurance number, bank account details for rent collection, and often details of guarantors or next of kin. All of this is personal data under GDPR Article 4.
Your lawful basis for processing this data is typically contract performance (Article 6(1)(b)) — you need it to enter into and administer the tenancy. Some data, such as guarantor information, may rely on legitimate interests (Article 6(1)(f)), in which case you should document your legitimate interests assessment.
Tenants must be informed about how their data is used at the point of collection — typically via a privacy notice attached to or referenced in the tenancy agreement. If you are not currently providing this, it is a straightforward gap to fix.
Right to Rent Checks and Identity Documents
UK landlords and property managers must carry out right to rent checks under the Immigration Act 2014. This involves collecting and verifying identity documents — passports, biometric residence permits, share codes — which constitute personal data, and in some cases biometric data.
Under GDPR, biometric data used for unique identification is special category data (Article 9). Where you are processing biometric data, you need an additional lawful basis under Article 9(2) — typically explicit consent or a legal obligation basis under UK law.
You should retain copies of checked documents for the duration of the tenancy plus one year, then delete them. Do not retain them indefinitely. If you use a digital right to rent checking service, ensure you have a data processing agreement (DPA) in place with that provider.
Maintenance Request Records
Maintenance requests can contain sensitive personal data. A tenant reporting a broken lock may disclose a recent burglary attempt. A request about damp may reveal health conditions. A repair to specialist equipment may disclose a disability.
Process maintenance data on the basis of contract performance or legitimate interests, but be alert to incidental special category data. If a tenant discloses health information in a maintenance request, do not use it for any purpose beyond fulfilling the request, and restrict access to those who need to know.
If you use a property maintenance platform such as Fixflo, you are sharing tenant data with a third party and must have a DPA in place. We cover this in the software section below.
CCTV in Communal Areas
CCTV is one of the most regulated areas of property data protection. The ICO's 2023 code of practice on surveillance cameras sets out detailed requirements for lawful CCTV use in communal areas such as entrances, stairwells, car parks, and bin stores.
Key requirements include:
- Lawful basis: Legitimate interests is the most common basis for communal CCTV. Conduct and document a legitimate interests assessment before installing cameras.
- Signage: Display clear, visible signage at all camera locations informing people they are being recorded and who operates the system.
- Retention: The ICO recommends retaining CCTV footage for no more than 31 days unless there is a specific reason to retain it longer (such as an ongoing incident).
- Access controls: Restrict access to CCTV footage to authorised personnel only. Log who accesses footage and when.
- Data subject rights: Tenants and leaseholders have the right to request footage of themselves under a subject access request. You must respond within one month.
Do not position cameras where they could capture footage inside individual properties, and avoid covering areas where people have a reasonable expectation of privacy.
Sharing Data with Landlords, Contractors and Tradespeople
Property managers routinely share tenant data with third parties: landlords, contractors, energy suppliers, local authorities. Each sharing arrangement requires a lawful basis and appropriate safeguards.
When sharing data with landlords, your contract with the landlord should specify what data you will share and for what purposes. Landlords may become independent data controllers for the data they receive — your privacy notice should make this clear to tenants.
When sharing data with contractors and tradespeople, share only the minimum necessary. A plumber visiting to fix a boiler needs the tenant's name, address, and a contact number — not their payment history or tenancy duration. Use written contracts with contractors that include basic data protection obligations.
Service Charge Accounts and Financial Data
For properties where you collect service charges — whether residential blocks or commercial developments — you process financial data including bank account details, payment histories, and potentially information about arrears or disputes.
Financial data is not special category data under GDPR, but it is sensitive and must be handled with appropriate security measures. Encrypt financial data at rest and in transit, limit access to finance staff, and retain it in accordance with your data retention policy (typically seven years to comply with HMRC requirements for financial records).
If you are using a property management finance platform, ensure you have a DPA in place and understand where data is stored — particularly if the provider uses cloud infrastructure outside the UK.
Leaseholder Data for Residential Blocks
Residential leasehold blocks present particular data protection challenges. You may be managing data for dozens or hundreds of leaseholders simultaneously, including absentee landlords, investors, and residents. The Leasehold Advisory Service notes that leaseholders have the same GDPR rights as any other data subject.
Maintain an up-to-date record of data subjects, their contact details, and what data you hold. If leaseholders change — through sale or assignment of leases — ensure your records are updated promptly and that outgoing leaseholders' data is handled correctly.
Section 20 Consultation Data
Section 20 of the Landlord and Tenant Act 1985 requires landlords and managing agents to consult with leaseholders before carrying out qualifying works above certain thresholds. This consultation process involves collecting and processing personal data — written observations, contact details, responses to notices.
Retain section 20 consultation records for at least six years after the consultation concludes, as leaseholders may bring tribunal claims during this period. Ensure that leaseholder responses are stored securely and that access is restricted to relevant staff.
Credit Checks and Referencing Data
Tenant referencing generates some of the most sensitive personal data in property management: credit scores, employment details, previous landlord references, affordability assessments. This data is typically provided by specialist referencing agencies.
If you use a referencing agency, you are receiving personal data from a third party. Ensure the agency is a registered data controller and that your use of the data is consistent with how tenants were told their data would be used during the referencing process.
Referencing data should be retained only as long as necessary. For successful applicants, reference data can typically be merged into the tenancy file. For unsuccessful applicants, delete referencing data within a reasonable period — typically 6 to 12 months.
Data Breaches Involving Tenant Data
Property management companies are attractive targets for phishing and social engineering attacks, precisely because they hold financial data, identity documents, and access to properties. A data breach involving tenant data — such as unauthorised access to a tenancy management system, or accidental disclosure of tenant details to a third party — may require notification to the ICO.
Under UK GDPR Article 33, you must notify the ICO within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms. Under Article 34, you may also need to notify affected tenants directly if the breach is likely to result in a high risk to them.
Maintain a data breach register, train staff to recognise and report incidents promptly, and have a documented breach response process.
Subject Access Requests from Tenants
Tenants have the right to request a copy of all personal data you hold about them under Article 15 of UK GDPR. In property management, this can be extensive: tenancy agreements, maintenance records, correspondence, payment histories, CCTV footage, and any internal notes.
You have one month to respond, extendable to three months for complex requests. You cannot charge a fee for standard requests. If a tenant submits a subject access request during a dispute — which is common — you must still respond fully and promptly.
Custodia's DSAR management tools can help you track requests, coordinate responses across departments, and maintain the audit trail required to demonstrate compliance.
Retention Periods for Tenancy Records
GDPR's storage limitation principle requires that you do not keep personal data longer than necessary. For property management, typical retention periods are:
- Active tenancy: Retain all records for the duration of the tenancy
- Post-tenancy: Retain for six years after tenancy ends (to cover potential legal claims under the Limitation Act 1980)
- Right to rent check documents: Retain for duration of tenancy plus one year
- Financial records: Retain for seven years (HMRC requirement)
- CCTV footage: 31 days unless needed for an incident
- Unsuccessful applicant data: 6–12 months
Document your retention periods in a data retention policy and enforce them through regular data deletion exercises.
Property Management Software DPAs
Most property management companies use specialist software for some or all of their operations. If that software processes personal data on your behalf, the provider is a data processor and you must have a DPA in place under Article 28.
Common property management platforms and their data protection considerations:
- Fixflo (maintenance management): Processes tenant maintenance requests and contact data. Fixflo offers a DPA; ensure it is signed and retained.
- Qube Property Management: Handles financial and tenancy data. Review their data processing terms and confirm data residency.
- Yardi Voyager: Enterprise-scale platform processing extensive tenant and financial data. Yardi is US-based; ensure appropriate transfer mechanisms (UK Standard Contractual Clauses) are in place.
- Arthur Online: Cloud-based property management; confirm UK data residency and DPA terms.
- Re-Leased: Check their sub-processor list and DPA provisions.
Do not assume that signing up to a platform's terms of service constitutes a DPA. If the provider has not provided a standalone DPA, request one before processing personal data.
Running a quick website scan with Custodia can also flag whether your web presence — including any tenant portals — is collecting data through undisclosed third-party services that require their own DPAs.
Email Marketing Under PECR
If you send marketing emails to tenants, prospective tenants, or landlords — newsletters, property alerts, service updates — you must comply with the Privacy and Electronic Communications Regulations (PECR) as well as GDPR.
PECR requires prior consent (opt-in) for marketing emails sent to individuals. Soft opt-in applies where someone has provided their email during a recent transaction (such as entering a tenancy) and you are marketing similar services — but this requires a clear opt-out in every email.
Sending unsolicited marketing to tenant email addresses using data collected for tenancy purposes is a common PECR violation in property management. Review your marketing lists and their consent basis before your next send.
Practical Compliance Checklist
Use this checklist to assess your current compliance position:
Documentation
- [ ] Privacy notice provided to tenants at start of tenancy
- [ ] Data retention policy documented and enforced
- [ ] Data processing register (Article 30 ROPA) maintained
- [ ] Legitimate interests assessments documented for CCTV and other LI-based processing
Third Parties
- [ ] DPAs in place with all property management software providers
- [ ] DPAs or data sharing agreements in place with maintenance contractors
- [ ] Referencing agency contracts reviewed for data protection provisions
Operations
- [ ] Right to rent check documents retained for correct period only
- [ ] CCTV signage in place at all camera locations
- [ ] CCTV footage deleted after 31 days (unless retained for specific incident)
- [ ] Data breach response procedure documented and tested
- [ ] Staff trained on data protection basics
Tenant Rights
- [ ] Process in place to respond to subject access requests within one month
- [ ] Process in place to handle erasure, rectification, and objection requests
Marketing
- [ ] Email marketing consent basis documented
- [ ] Opt-out mechanism in place in all marketing emails
Where to Start
If you are not sure whether your property management website, tenant portal, or internal systems are processing data correctly, start with a free scan at https://app.custodia-privacy.com/scan. Custodia scans your website for undisclosed trackers, cookie compliance issues, and third-party data flows — taking 60 seconds and requiring no sign-up.
For ongoing compliance monitoring, privacy policy generation, and DSAR management, Custodia's property management clients use the platform to automate the routine compliance work that would otherwise require expensive legal or DPO consultancy.
This guide is for informational purposes only and does not constitute legal advice. Property management companies with complex data protection questions, or those dealing with an ICO investigation or enforcement action, should seek specialist legal or data protection advice.