Most landlords do not think of themselves as data controllers, but any landlord who holds personal data about tenants, applicants, or contractors is processing personal data under the UK GDPR and the Data Protection Act 2018. Obligations include registering with the Information Commissioner's Office (ICO), maintaining a lawful basis for processing, responding to Subject Access Requests, and retaining data no longer than necessary.
Any landlord who processes personal data on a computer or structured filing system must register with the Information Commissioner's Office (ICO) unless they qualify for an exemption. The annual fee is £40–£60 for most small landlords. Failure to register when required is a criminal offence with a fine of up to £4,350.
What personal data do landlords hold?
- Tenant referencing data: name, date of birth, address history, employment details, credit check results, previous landlord references
- Right to Rent documentation: passport copies, biometric residence permits, share codes — these are particularly sensitive as they include nationality and immigration status
- Tenancy agreement: full name, contact details, bank account details (for rent payments and deposit protection)
- Maintenance records: repair requests, inspection reports, contractor attendance notes — these may record personal information (e.g. tenant's working hours, access arrangements)
- Financial records: rent payment history, arrears, correspondence about debt
- Correspondence: emails, letters, text messages relating to the tenancy
ICO registration — who must register?
- Any landlord who processes personal data on a computer or in a structured paper filing system must register with the ICO — unless they qualify for an exemption
- The main exemption for landlords: processing personal data solely for staff administration, advertising, or accounts/records where the processing is in-house only. Many landlords fall outside this exemption
- Annual fee: Tier 1 (turnover under £632,000, fewer than 10 staff) — £40/year. Most private landlords fall in Tier 1
- Register at ico.org.uk — registration takes 15 minutes and is renewed annually
- Check your registration status even if you registered years ago — the obligation to re-register annually is not always communicated clearly
Lawful basis for processing tenant data
- Contract: Processing necessary for the performance of the tenancy agreement (e.g. rent collection, repairs) — the primary lawful basis for most landlord data processing
- Legal obligation: Processing required by law — Right to Rent checks, deposit protection, gas safety records
- Legitimate interests: Processing for purposes not covered by contract or legal obligation but where the landlord's interests are not overridden by the tenant's rights — e.g. credit referencing for a prospective tenant
- You do not need to list the lawful basis in the tenancy agreement, but you must be able to identify it if asked
Data retention — how long to keep tenant records
- Tenancy agreement and correspondence: retain for 6 years after the tenancy ends (limitation period for contract claims)
- Gas Safety Records: retain for 2 years from the date of inspection (regulatory requirement)
- Right to Rent documentation: retain for 1 year after the tenancy ends — then securely destroy
- Referencing data for unsuccessful applicants: retain for no more than 6 months after the referencing check, then delete
- Financial records (rent, deposit): retain for 6 years after the tenancy ends for HMRC purposes
- Do not hold data 'just in case' — retention must be justified by a specific purpose and timeframe
Tenant Subject Access Requests
- A tenant can submit a Subject Access Request (SAR) asking for all personal data you hold about them — respond within one calendar month
- The response must include: confirmation that you hold data, a copy of the data, the purposes for which it is processed, the categories of data, and the retention period
- You can redact third-party data (e.g. references from previous landlords) if disclosing it would identify the third party
- You cannot charge a fee for a SAR unless it is manifestly unfounded or excessive
- If you receive a SAR, do not delete or alter any data — this can be treated as obstruction