The Data Protection Commission Issues Guidance on Requesting Personal Data from Prospective Tenants
The Data Protection Commission has issued guidance to assist landlords in understanding what information they may request from prospective tenants.

 

A landlord that collects personal data from a prospective tenant usually becomes a data controller subject to General Data Protection Regulation (GDPR) obligations. The Data Protection Commission (DPC) has issued guidance to assist landlords (or letting agents acting on behalf of landlords) and tenants in understanding what information is appropriate for landlords to request from prospective tenants at the initial application stage for a residential tenancy (Guidance). The DPC has also released a podcast on this topic available here.

Guidance on complying with GDPR Principles

The Guidance emphasises the importance of only collecting data that is necessary for negotiating, and entering into, the new tenancy, in line with the GDPR principle of data minimisation.  The DPC interprets this principle in the Guidance stating that "only the minimum amount of personal data necessary to achieve a stated purpose should be collected."  Before collecting personal data, the DPC recommends a landlord ask "what is my justification for collecting this personal data?"  In 2014, the DPC found there was no basis for collecting broad data such as bank details, PPS numbers, and copies of utility bills, from prospective tenants at property-viewing stage. Whereas, it found this information could be requested once an offer to grant a lease has been made. 
In addition to the principle of data minimisation, landlords should ensure that their internal practices and procedures facilitate compliance with other relevant data protection principles, especially: 

  • purpose limitation: it should be clear to a prospective tenant why their personal information is being collected and the personal data should only be used for this specified purpose;
  • storage limitation: the personal data should not be kept for any longer than is necessary for the purposes of collection, e.g. references should not be kept once a tenant has taken up an offer of tenancy; and
  • integrity and confidentiality: the appropriate level of security and confidentiality should be adopted when storing personal data.  The DPC's examples for methods of protecting the integrity of personal data include hard copies being locked in filing cabinets and soft copies being encrypted.

Guidance on interpreting 'Lawful Basis' under GDPR

Under the GDPR, there must be a legal basis or "a justification in law for the processing" of personal data. The DPC warns against relying on 'consent' as a legal basis for processing the personal data of prospective tenants as the inherent imbalance of power in the landlord/tenant relationship is "likely to mean that the consent is not 'freely given".  Landlords should instead seek to rely on one of the following legal bases for the collection of personal data:

  • in respect of a preferred tenant, the basis of necessity for the performance of a contract or to take steps at the request of the data subject (the prospective tenant) prior to entering into a contract.
  • the basis of necessity for compliance with a legal obligation, e.g. where a PPSN of a tenant is collected in order to register the tenancy with the Residential Tenancies Board.
  • the legitimate interests legal basis, e.g. for the collection of references from a previous landlord; however, in such cases a landlord must be able to demonstrate that the information collected is not disproportionate to the tenant's right to privacy and protection of personal data. 

Key Takeaways

The appropriate level of personal data for a landlord to collect varies depending on whether the data subject is a proposed, or preferred tenant. The DPC Guidance serves as a reminder to landlords to review internal practices and procedures for the request of personal data from prospective tenants at application stage and consider whether all of the information requested is in fact necessary in order to determine whether or not the applicant should be offered a tenancy. Only after the offer is made should any additional data necessary to administer the landlord/tenant relationship be collected.  It is also important for landlords that engage letting agents or property management service providers to ensure the contractual terms underlying any such arrangements contain the data processing terms prescribed by Article 28(3) of the GDPR. 

Contributed by: Anna Ní Uiginn & Diane Courtney

 

Twitter

 

Follow us @WFIDEA @WilliamFryLaw


 

Key Contacts

David Cullen Partner

Lisa McCarthy Partner

Leo Moore Partner

Related Industry