RegSol Blog


RegSol Spotlight: Letting Agents and General Data Protection Regulations

July 2019

Landlords and letting agents, as data controllers, are required to comply with General Data Protection Regulations and as such must ensure that the amount of personal information sought from renters is not excessive, is used for the appropriate purposes and is not kept longer than necessary. Personal data must be kept in accordance with 6 principles under the Regulations:

  1. processed fairly, lawfully and in a transparent manner
  2. kept for a specified purpose and processed only in ways compatible with its initial given purpose
  3. kept safe and secure
  4. kept accurate, complete and up to date
  5. adequate, relevant and not excessive
  6. retained for no longer than necessary for specified purpose(s)

Landlords and letting agents who handle tenants' personal data need to understand their responsibilities with respect to consent, and that the use of blanket clauses when collecting personal data is no longer appropriate. To be valid, consent must be fully informed and freely given, and it must be sought when personal data is passed on to third parties, for example for reference checking. If consent has not been sought, landlords and letting agents will need to look at how they achieve this going forward and review any contracts, for example with third parties, contractors or suppliers, that might involve the sharing of personal data.

Landlords and letting agents should also be cautious about the amount of personal data requested at the pre-tenancy stage when assessing applicants. Given the current housing crisis and the sheer volume of tenancy applications received, landlords and letting agents have used personal data to conduct due diligence on prospective tenants' capacity to pay rent. The Data Protection Commissioner cautioned, for example, against the use of PPS numbers during the initial phase of the lettings process and confirmed that there is no statutory basis to use tenants' PPS numbers until the tenant has entered into the agreement and must be registered with the Private Residential Tenancies Board. Unsuccessful applications should then be shredded or permanently deleted on an ongoing basis to comply with data retention principles. The Data Protection Commission has noted that it is acceptable for a successful tenant's personal data to be kept for the duration of the tenancy.


Personal data is to be kept for the purpose for which it was initially obtained. Property letting agent PJ McCann was ordered to take down an online database of tenant reviews recording whether rent was paid in full and the condition in which properties were left upon leaving. The Data Protection Commissioner told the agent they would face a €10,000 fine if they failed to comply with the order.


Landlords and letting agents must integrate GDPR into the lifecycle of their letting process from assessing potential renters right through to the termination of tenancies. 


If you’re a landlord or letting agent and would like advice or training on your GDPR compliance obligations, please contact RegSol for immediate assistance.


By Judy DeCastro for RegSol