Skip to content
News calendar_today Updated: 6 April 2026 schedule 5 min read

GDPR and Real Estate: What Landlords Need to Know

The GDPR also applies to landlords, including private individuals with multiple properties. A Spanish landlord was fined EUR 1,200 for failing to inform a tenant. This article explains what you need to arrange.

summarize Key Takeaways
  • check_circle The GDPR applies to landlords as soon as they structurally process tenant personal data
  • check_circle The household exemption only applies to purely personal activities, not when renting out multiple properties
  • check_circle A Spanish landlord was fined EUR 1,200 for failing to inform a tenant about data processing
  • check_circle Only collect data you truly need for the rental agreement and do not retain it longer than necessary

GDPR in the rental sector: no exception

As a landlord, you work with personal data daily. Name, address, income details, copy of identity documents, bank details - you collect it all. And that means the GDPR applies to you.

Yet many landlords, especially private ones, assume the GDPR does not apply to them. “I’m not a business,” they say. Or: “I only have two apartments.” But the GDPR does not distinguish between large and small. It distinguishes between personal and professional.

The Spanish case: EUR 1,200 fine for a landlord

In 2022, the Spanish supervisory authority (AEPD) fined a private landlord EUR 1,200. The reason: the landlord collected personal data from a tenant (identity document, proof of income, bank details) without informing the tenant about the processing.

Specifically, the following was missing:

  • No information about the purpose of data processing
  • No mention of the legal basis
  • No information about the retention period
  • No reference to the tenant’s rights (access, correction, deletion)

The landlord simply should have attached a short privacy document to the rental agreement. That would have taken half an hour. The fine cost EUR 1,200.

This is not an isolated case. Supervisory authorities across Europe are increasingly looking at the real estate sector, precisely because many landlords are unaware of their obligations.

The household exemption: when does it apply?

The GDPR has a “household exemption” (Article 2(2)(c)). It states that the GDPR does not apply to processing by an individual for purely personal or household activities.

But when is renting “purely personal”?

Possibly exempt:

  • You rent out a room in your own home to a housemate
  • You occasionally rent out a holiday home to family or friends

Not exempt:

  • You structurally rent out multiple properties to third parties
  • You work with an estate agent or property manager
  • You advertise on platforms like Rightmove, Zillow, or Immoweb
  • You maintain a structured administration of tenants and payments

The rule of thumb: as soon as your rental activity has an organised character, the GDPR applies. Renting out 10 apartments? No discussion. Renting out 1 via a platform? Probably also applies.

What data may you collect?

The data minimisation principle (Article 5 GDPR) stipulates that you may only collect data necessary for the purpose. For rentals, this means:

Allowed

  • Name and contact details - needed for the rental agreement
  • Identity document - for identity verification (view, do not copy unless legally required)
  • Income details - for assessing whether the tenant can afford the rent (payslips, employment contract)
  • Bank details - for collecting rent
  • Rental history/references - relevant for tenant assessment

Not allowed

  • Medical data - not relevant for rental
  • Religion, political preference, sexual orientation - special categories you may never ask for
  • Social media profiles - not necessary for the rental agreement
  • Criminal record - private landlords may not request this
  • Excessive copying - a full file with all bank statements from the past 5 years is disproportionate

What do you need to arrange as a landlord?

1. Inform your tenants

Attach a short privacy document to the rental agreement. State:

  • What data you collect and why
  • The legal basis (usually: performance of the rental agreement)
  • How long you retain the data
  • The tenant’s rights (access, correction, deletion)
  • Your contact details for privacy enquiries

2. Limit what you collect

Only ask for what you truly need. A payslip to verify income? Fine. All bank statements from the past year? Excessive.

3. Set retention periods

  • During the rental agreement: all data needed for performance
  • After the rental agreement ends: financial records up to 7 years (tax legislation), delete all other data
  • Rejected prospective tenants: delete data within 4 weeks, unless a longer period has been agreed

4. Secure the data

Do not store tenant files in an unsecured folder on your desktop. Use at minimum:

  • Password protection on digital files
  • Restricted access (only you and possibly your property manager)
  • A locked cabinet for paper files

5. Be careful with property platforms

If you use an external platform or agent that has access to tenant data, you may need a data processing agreement. Check whether the platform already offers one in its terms and conditions.

Summary: the three major landlord mistakes

  1. Not informing - not telling tenants what you do with their data (precisely the mistake from the Spanish case)
  2. Collecting too much - requesting everything “just in case” when it is not necessary
  3. Never deleting - retaining tenant files for years after the contract ends

None of these mistakes is difficult to prevent. A short privacy document, a conscious selection of data, and an annual cleanup are enough to get the basics in order.

auto_awesome Automate your GDPR compliance as a landlord?

GDPRWise helps landlords and property managers set up their processing register, privacy notice, and retention periods. In minutes, not weeks.

GW
GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.