
GDPR for Commercial Landlords UK: Duties & Rights

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.


Updated June 2026 · England & Wales
If you let commercial property in the UK, you are almost certainly handling personal data about your tenants, their directors, guarantors, and sometimes their staff. That brings you squarely within the scope of the UK GDPR and the Data Protection Act 2018. Many commercial landlords assume data protection is mainly a concern for consumer-facing businesses, but the reality is different. Collecting a tenant's ID, running a credit check, storing bank details for rent collection, or sharing information with a managing agent all count as processing personal data. On this page I set out the key duties, the lawful bases you are likely to rely on, and the practical steps to take so your letting activities line up with what the ICO expects. If you would rather talk it through with someone who knows the territory, the call option at the bottom of the page is there for exactly that.

Overview

GDPR compliance for commercial landlords is the framework of legal duties that apply whenever you collect, store, use, or share personal information connected to your lettings. The UK GDPR works alongside the Data Protection Act 2018 and is regulated by the Information Commissioner's Office (ICO).

Even though most commercial tenants are companies rather than individuals, the data you hold usually includes information about identifiable people: directors signing leases, personal guarantors, sole traders, partners in a partnership, staff named as contacts, or tradespeople attending site. All of that is personal data.

As a landlord you will typically be acting as a data controller, meaning you decide why and how the information is used. That brings obligations around lawful processing, transparency, security, retention, and responding to requests from the individuals whose data you hold.

Getting this right protects you from complaints, fines, and reputational damage, and it also builds trust with the businesses you let to.

Key steps

  1. Map the personal data you hold. Start by listing every category of personal information you collect across the letting lifecycle. That includes names and contact details on the lease, ID verification documents, credit check outputs, bank details, correspondence, CCTV footage, access logs, and any data passed to agents or contractors. You cannot comply with rules you have not identified as applying.
  2. Identify your lawful basis for each activity. Under the UK GDPR every processing activity needs a lawful basis. For most commercial landlords the common bases are performance of a contract (managing the lease), legitimate interests (credit checks, security, debt recovery), and legal obligation (anti-money laundering or tax reporting). Record which basis applies to which activity, because you need to be able to show this.
  3. Provide a clear privacy notice. Tenants and their representatives have a right to know what you do with their information. Prepare a privacy notice covering what you collect, why, who you share it with, how long you keep it, and how someone can exercise their rights. Make it available at the point you collect data, for example in the heads of terms pack or on your website.
  4. Put sensible security measures in place. You must protect personal data against loss, unauthorised access, and accidental disclosure. For most small landlords this means strong passwords, encrypted storage, restricted access to tenant files, secure disposal of paper records, and written arrangements with managing agents and contractors who process data on your behalf.
  5. Have a process for rights requests and breaches. Individuals can ask for a copy of their data, ask for corrections, and in some cases ask for deletion. You normally have one calendar month to respond. Separately, if you suffer a personal data breach that poses a risk to individuals, you must report it to the ICO within 72 hours of becoming aware. Decide now who handles these and how.

Common questions


Q Does GDPR apply if my tenant is a limited company?
Information about a company itself is not personal data, but almost every commercial letting involves personal data somewhere. Think of the director who signs the lease, a personal guarantor, a sole trader tenant, or named contacts at the tenant business. As soon as you can identify a living individual from the information, UK GDPR applies to that data and you need a lawful basis to process it.
Q Do I need to register with the ICO as a commercial landlord?
Most organisations that process personal data electronically need to pay the data protection fee to the ICO unless an exemption applies. The fee depends on size and turnover. It is worth checking the ICO's self-assessment tool to confirm your position, because operating without registering when you should have can itself lead to enforcement action.
Q How long can I keep tenant data after a lease ends?
There is no single retention period set by law. You should keep data only for as long as you have a clear reason to hold it. Many landlords retain lease-related records for six years after the tenancy ends to align with limitation periods for contract claims, and longer for tax purposes. Set a retention schedule, document your reasoning, and delete data when the period expires.
Q Can I share tenant information with my managing agent?
Yes, but you need a written contract that meets the requirements of Article 28 of the UK GDPR if the agent is processing data on your behalf. This contract should cover what they can do with the data, security standards, use of sub-processors, and what happens at the end of the arrangement. Check your existing agreements to see whether these clauses are already there.
Q What happens if a tenant makes a subject access request?
A subject access request is a formal request for a copy of the personal data you hold about an individual. You usually have one calendar month to respond and cannot charge a fee in most cases. You will need to locate the data, check whether any exemptions apply (for example legally privileged material), redact third-party information, and provide the response in an accessible format.
Q What counts as a data breach I need to report?
A personal data breach is any security incident that leads to destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Examples include lost laptops, emails sent to the wrong person, or a break-in where tenant files are taken. If the breach is likely to risk people's rights or freedoms, you must notify the ICO within 72 hours, and sometimes the affected individuals too.
Q Is CCTV at a commercial property covered by GDPR?
Yes. If your CCTV captures identifiable people, it processes personal data and the UK GDPR applies. You need a lawful basis (usually legitimate interests), clear signage telling people they are being recorded, a sensible retention period, restricted access to footage, and a process for handling requests from individuals who want a copy of footage showing them.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.