The 6 Lawful Bases of GDPR for Lettings

The General Data Protection Regulation (GDPR) and a Data Protection Act will replace the current data protection rules from 25 May 2018. 

Under the GDPR, you will need to audit the information you collect and hold, decide under what lawful basis the data is being processed, document the audit and have privacy notices available for persons to view, which will usually be provided at the time of collecting any personal information.

First, we need to identify the key definitions and the lawful bases for processing data. This will help carry out the auditing stage and produce privacy notices. 

The Information Commissioner’s Office (ICO) has issued extensive guidance on the GDPR, and most of this article is taken from their direction. Only about 1% has been used here so as not to be too overwhelming! The guidance should therefore be consulted for the complete information.

Key definitions

A ‘controller’ is the person who determines the purposes and means of processing personal data. 

‘Personal data’ means any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. 

‘Processing’ means any operation or set of operations that are performed on personal data or sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

Controller and processor

In most cases, a landlord or letting agent will be both the controller and the processor of the data they hold. For example, a landlord or agent may receive an email enquiry from a prospective tenant expressing an interest in viewing a property. The landlord or agent is in control of the data (i.e. deciding what to do with it) and will also process the information (perhaps by storing it in a note, database or spreadsheet).

Processing personal information

Article 5 of the GDPR requires that personal data shall be:

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date
  • kept in a form which permits identification of data subjects for no longer than is required for the purposes for which the personal data are processed
  • processed in a manner that ensures appropriate security of the personal data.

The controller shall be responsible for and be able to demonstrate compliance with the principles. To process the data, you must have a valid and lawful basis. 

There are six lawful bases to process data:

  • consent
  • contract
  • legal obligation
  • vital interests
  • public task
  • legitimate interests

To process the personal information under one of these bases, you will need to decide the most appropriate basis (or bases), document why and have a privacy notice explaining to the individual the purposes of the processing. 

More information about processing information is on the ICO website.

Consent

The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, you can look for a different lawful basis. 

Consent will be needed for using personal information for sales or marketing purposes, for example.

  • Consent means offering individuals real choice and control.
  • Avoid making consent to processing a precondition of a service.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Explicit consent requires an unambiguous and specific statement of consent.
  • Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
  • Name any third-party controllers who will rely on the consent.
  • Keep your consent requests separate from other terms and conditions.
  • Keep evidence of consent – who, when, how, and what you told people.

Perhaps surprisingly, landlords or agents won’t rely upon ‘consent’ to process personal information as much as they may think. 

Most personal information will be processed under ‘contract’ or ‘legitimate interests’. 

For example, if you require a credit check to be completed before a tenancy is offered, you can’t seek consent from the prospective tenant to obtain a credit check because it’s not a choice. You must inform them that you will be doing a credit check (and everything else you will be using the personal information for), but you mustn’t mislead them by suggesting they have a choice when the person has no choice. 

Furthermore, when relying on consent, the individual must be able to opt out just as easily as they opted in under the GDPR. 

This wouldn’t be of much use to a landlord or agent if the prospective tenant opted in to a credit check and then opted out two hours later! 

As such, ‘consent’ is not the most appropriate basis for processing the data for a credit check. 

More information about consent is on the ICO website.

Contract

The ‘contract’ basis for processing personal information will often be the most appropriate basis for landlords and agents, especially when dealing with tenants (as opposed to prospective tenants). 

It is a lawful basis to process personal information where:

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

For example, if a tenant contacts a landlord or agent about a broken-down boiler, the landlord or agent will likely pass contact details to an engineer. 

This is necessary to fulfil the obligation to repair the boiler under the tenancy agreement.

However, only ‘necessary’ information should be passed, such as name, address, telephone and email. 

Consent is not required when ‘contract’ has been decided as the most appropriate basis for processing the data. 

You will need to document your decision that processing is necessary for the contract and include information about your purposes and lawful basis in your privacy notice. 

More information about the contract basis is available on the ICO website.

Legal obligation

The processing will be lawful if you are required to disclose information due to some legal obligation. 

An example of this would be tenancy deposit prescribed information. 

It’s a legal requirement to provide the tenant's name, address, telephone, email and fax where a deposit has been received in connection with an assured shorthold tenancy. 

The processing of this information (collecting on an application form, for example) is lawful because it’s a legal requirement to collect and insert it into the prescribed information to be signed by the tenant(s). 

Consent is not required to collect this information, but during collection, the privacy notice should explain this basis for processing. 

If you are processing based on a legal obligation, the individual has no right to erasure, right to data portability, or right to object. 

When relying upon ‘legal obligation’ to process personal information, you must:

  • document your decision that processing is necessary for compliance with a legal obligation;
  • identify an appropriate source for the obligation in question; and
  • include information about your purposes and lawful basis in your privacy notice.

More information about legal obligation is available on the ICO website.

Vital interests and public task

Vital interests will rarely (if ever) be a lawful basis for processing personal information for landlords or agents. It is the basis used to process personal data to protect someone’s life. Public task is for public bodies such as local authorities.

Legitimate interests

This will likely be an everyday basis for our readers processing personal information. 

Legitimate interests are the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. 

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact or where there is a compelling justification for the processing. 

The legitimate interests can be your interests or the interests of third parties, including commercial interests, individual interests or broader societal benefits. 

However, to rely upon this basis, a legitimate interests assessment (LIA) must be completed and recorded, comprising three tests:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

More information about how to carry out the LIA and what it should include can be found on the ICO website.

In addition to the LIA, the privacy notice will need to explain the information used. For example, when a prospective tenant wishes to take a property after viewing, the landlord or agent will in most cases want a credit check carried out. 

This is a legitimate interest to protect the landlord’s assets. Furthermore, it is reasonably expected by a prospective tenant that a credit check will be carried out. 

More information about legitimate interests is available on the ICO website.

Special category data

Special rules apply if ‘special category data’ is to be processed. As the information should never be required in the day-to-day business of lettings, it’s best to avoid the processing of any of the following data about an individual entirely:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

Criminal offence data

The processing of criminal offence data is a tricky one because, on the one hand, there is a legitimate interest in knowing if a person has a conviction for arson when letting a property, and so asking the question about criminal offences may be thought to be acceptable. 

However, it seems that asking about criminal offences will need to be stopped. 

Article 10 of the GDPR says:

“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”

The categories under which criminal offence data may be processed in the UK are:

  • employment, social security and social protection;
  • substantial public interest;
  • health and social care;
  • public health;
  • archiving, research and statistics.

(Schedule 1 provides further definitions and information.) However, none of these apply to property lettings. As such, it appears there is no lawful basis for landlords or agents to process (i.e. collect) criminal offence information relating to an individual, so it seems there’s no point in asking the question.

Existing personal information held

From 25 May 2018, personal information already held may only be processed in compliance with the GDPR. 

Any information held that is not in compliance or has no lawful basis for processing (for example, if consent was obtained through ticking a box NOT to receive communication) cannot be used any longer. 

As processing includes “deleting” information, the information should not be held beyond 24 May 2018.

Rights of the individual

As a general rule, the individual who is subject to the processing of data has several rights under the GDPR:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making, including profiling.

Depending upon the lawful basis for the processing, only some of the above rights will apply under some bases (legal obligation, for example), while all of them will apply under others (consent, for example).

More information about the rights of data subjects is available on the ICO website.

Registration with the ICO

In respect of registration with the ICO, nothing is particularly changing. 

The guidance at the time of writing requires the same registration as previously. 

Tier 1 applies if you have a maximum turnover of £632,000 for your financial year or no more than ten staff members. 

The tier 1 fee is likely to be £40 per year, with a discount of £5 if paid by direct debit. 

Most (if not all) landlords and letting agents should be registered already and will continue to need to be registered. 

You can use the ICO’s simple self-assessment tool to determine whether you need to register.

You will need to register if all of the following apply:

  • you collect, record, store or delete personal information (such as names, addresses, telephone numbers and email addresses)
  • the data is processed (including collected or stored) by automated means (such as a mobile phone, computer, tablet etc.)
  • the processing is for “Property management, including the selling and letting of property”.

If your processing (collecting or storing etc.) is entirely on paper, you must still comply with the GDPR as outlined above, but registration won’t be necessary.

If you are even texting a tenant (perhaps to arrange an inspection or for a reminder about the next rent payment), you are storing information by automated means and require registration with the ICO.

What to do in preparation for the GDPR

The ICO has produced a “12 steps to take now” guidance leaflet and a “getting ready for the GDPR checklist”, both of which are available on the ICO website.

In essence, you will need to document the data you process through a data audit and have privacy policies in place for each data set. In practice, a single privacy notice will not be possible.

Documenting processing activities

For small and medium-sized organisations with fewer than 250 employees, you only need to document processing activities that:

  • are not occasional; or
  • could result in a risk to the rights and freedoms of individuals; or
  • involve the processing of special categories of data or criminal conviction and offence data.

In practice, most processing for lettings will need to be documented because it will be regular and similar processing. The following information must be recorded:

  • The name and contact details of your organisation (and, where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries, including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

The ICO has produced specific guidance on documenting processing activities.

Templates for documenting are available from within the above-linked guidance (or directly on this page). 

Categories of individuals for lettings may include (this is not an exhaustive list):

  • prospective viewers (general enquiries on a mailing list for new properties)
  • prospective tenants (after viewing and wish to apply for a tenancy)
  • tenants
  • ex-tenants
  • contractors

For agents, in addition to the above categories of persons, there may be additional categories, for example:

  • prospective landlords
  • landlord clients
  • ex-landlord clients

With each category of a person identified, you will need to decide what information you hold, under what lawful basis it’s processed etc. 

For example, regarding prospective viewers, you will hold basic contact information (name, telephone, email and possibly address). 

You should decide how long you will hold the information (we suggest three to six months is long enough, because they’re likely to have found somewhere by then) and the lawful basis for processing. 

The lawful basis for processing will be either consent (if they subscribed to the mailing list on a website, for example; this will be the basis if they can opt out of the mailing list at any time as easily as they opted in) or legitimate interests (because they’re interested in properties and would reasonably expect you to send them information when a new property becomes available). 

It would not be suitable to process the information for any other purpose than providing information about new properties (unless you have consent for other purposes, which should then be documented).

Privacy notices

Under the “right to be informed”, privacy notices are an essential element of the GDPR. 

The starting point of a privacy notice should be to tell people:

  • who you are;
  • what you are going to do with their information; and
  • who it will be shared with.

When relying on consent, your method of obtaining the consent should:

  • be displayed clearly and prominently;
  • ask individuals to positively opt-in, in line with good practice; and
  • give them sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information, users are unlikely to be fully informed, and the consent cannot be considered valid.

In addition, if you are processing information for a range of purposes, you should:

  • explain the different ways you will use their data; and
  • provide a clear and straightforward way for them to indicate they agree to different types of processing. In other words, people should not be forced to agree to various processing simply because your privacy notice only includes an option to agree or disagree with all. People may wish to consent to their information being used for one purpose but not another.

Our tenancy agreements produced by Tenancy Builder contain privacy policies built in.

In summary

The starting point is to determine the categories of individuals you hold personal information on and decide the lawful basis for processing, which needs to be documented. 

If you hold information which does not comply with the GDPR (for example, you email people for sales purposes, but they have not consented), that information should not be processed beyond 24 May 2018 unless another lawful basis can be found and documented. 

Privacy notices should be created, along with a means of ensuring that all categories of individuals see them. 

Ensure you’re up to date with individuals' rights and think about how you will deal with requests to delete an individual's data if asked or deal with subject access requests. 

Check all your consents. Are they opt-in and not too general? They need to be “specific and granular”.
