GDPR for Landlords of Commercial and Residential Tenants
General Data Protection Regulation came into effect from 25th May 2018. Don’t forget Data Protection Act 2018 should be read side by side with GDPR. Under the GDPR landlords must keep tenants and other parties such as occupiers, guarantors, and referees informed about the landlord’s use of their personal data and about their legal rights in respect of that data.
As for other establishments, in order to comply with their GDPR obligations, landlords should carry out a data audit and use their findings to prepare a privacy notice. The privacy notice should then be provided to all existing tenants, occupiers, guarantors and other relevant people before 25th May 2018 and to new applicants at the point their data is collected.
A privacy notice must cover the following key points:
- What personal data is collected from tenants and guarantors;
- What that data is used for;
- The legal basis and reasons for using it;
- How long the landlord will hold data for successful and unsuccessful tenancy applicants;
- The third parties (such as utility companies) with whom the landlord will share the data.
The notice must also give information about tenants’ and guarantors’ rights, including the right of access to their data and the right to withdraw consent (where applicable). It is advisable to include relevant wording for GDPR in the Tenancy Agreements. You may be able to provide a separate document explaining above said grounds for keeping, use of the data and tenants’ rights to be forgotten.
Landlords may have to register with the ICO and appoint a data protection officer for this purpose. If you do not comply with the GDPR requirements you may be fined for noncompliance up to the larger of 4% of your turnover or 20 million Euros.