12 April 2026·6 min read

GDPR for Landlords: What Independent Landlords in the EU Need to Know

If you rent out property in the EU and collect tenant data, GDPR applies to you. Here's what that actually means in practice — without the legal jargon.

If you rent out property in the EU — or to EU residents — and you collect personal data about your tenants, GDPR applies to you. Even if you're a private individual with a single flat.

Most landlords don't know this. Even fewer do anything about it. Here's what you actually need to know and do.

Does GDPR really apply to individual landlords?

Yes. The General Data Protection Regulation applies to any person or organisation that collects and processes personal data about EU residents, regardless of size. There's no minimum threshold for number of properties or employees.

In practice, enforcement focuses on larger organisations. But that doesn't mean you're exempt — and getting it right is straightforward once you understand what's actually required.

What counts as personal data?

More than most landlords realise:

  • Tenant names, email addresses, phone numbers
  • Bank account details
  • ID documents (passport, ID card)
  • Employment or income information from your screening process
  • Any notes about a tenant — even handwritten ones
  • Photographs of the property that include a tenant's belongings in identifiable ways
  • Communication history (emails, WhatsApp messages)

Basically: any information that could be used to identify a specific person.

What's the lawful basis?

You don't need your tenant to tick a GDPR consent box. For data you need to manage the tenancy — name, bank details, contact information — your lawful basis is "performance of a contract." You need this data to fulfil the rental agreement. That's legitimate.

Where you do need to be careful: sharing data with third parties, keeping data for longer than necessary, or using data for purposes beyond managing the tenancy.

What you actually need to do

1. Give your tenant a privacy notice

At the start of the tenancy, you should tell your tenant in writing:

  • What personal data you collect
  • Why you collect it
  • How long you keep it
  • Who you share it with (accountant, maintenance company, etc.)
  • Their rights under GDPR

This doesn't need to be a legal document. One page is fine. You can find templates from your national data protection authority.

2. Store data securely

Don't keep tenant data in an unprotected spreadsheet on your desktop, or scattered across email threads. Basic security:

  • Use a password-protected device
  • If you use cloud tools, check where data is hosted (EU-hosted is safest for EU compliance)
  • Don't share tenant data over WhatsApp unless necessary

Leasily stores all tenant data encrypted, hosted in Frankfurt (EU), and never shares it with third parties.

3. Know how long to keep data

After a tenancy ends, you don't need tenant data forever. A sensible retention policy:

  • Keep financial records (rent payments, deposit records) for as long as your country requires for tax purposes — typically 5–7 years
  • Keep the signed lease agreement for the same period
  • Delete identity documents and reference information once they're no longer needed

4. Respond to subject access requests

A tenant can ask to see what data you hold about them at any time. They can also ask for corrections or, in some circumstances, deletion. You have one month to respond.

This sounds daunting. In practice, for a small landlord, it means: have your records organised so you can pull together what you hold about a specific person quickly.

5. Don't share data unnecessarily

If you use a letting agent, maintenance contractor, or accountant, they may receive tenant data. This is fine — but tell your tenant in the privacy notice that you do this.

Don't share tenant data with other landlords, referencing agencies, or debt collectors without checking the legal basis first.

What about tenant screening data?

Reference checks, income documents, and credit reports collected during screening count as personal data too. If someone doesn't get the tenancy, you should delete their application data within a reasonable time — a few weeks is generally fine. Don't keep rejected applicants' ID documents indefinitely.

The practical reality

For an individual landlord with 1–5 properties, GDPR compliance comes down to three things:

1. Tell your tenant what data you hold and why (one-page notice at move-in)

2. Keep data secure and hosted in the EU

3. Don't keep it longer than you need to

You're not running a data brokerage. You're managing a rental property. The rules are proportionate — you won't face an enforcement action for using a spreadsheet. But getting the basics right protects you and your tenants.

If you use Leasily, the data hosting and security side is handled for you. Everything is stored in the EU, encrypted, and you can export or delete tenant data at any time.
