Why Data Protection Legislation Is Failing Private Tenants – Part 2


Part Two

Welcome back. In part one of this series, we examined the inadequacies of data protection law when it comes to ensuring tenants and their legal representatives can access the information they need to check if a landlord or letting agent is in breach of statutory duty. We suggested that, despite being legally required to action subject access requests (SARs), most landlords and letting agents simply ignored any SARs they received. In this article, we look at how EU countries and some US states manage data protection compliance breaches to see if the problems suffered by UK tenants are also present in other jurisdictions.


In 2019, the French Data Protection Authority CNIL fined a real estate company €400,000 for data protection breaches. Investigators found that documents submitted to the website by applicants for rentals were accessible to other users when they slightly modified the URL displayed in the browser. Furthermore, personal data was held by the company for longer than necessary, a breach of Article 5(1)(e).


In October 2019, the German Data Protection Authority imposed a €14.5 million fine against a real estate company for GDPR violations. Breaches included storing tenants’ personal data without having a lawful basis and failing to consider if the data needed to be kept. Additionally, the existing IT system could not delete obsolete data.

Regarding failing to fulfil SARs, Berlin’s Data Protection Authority has issued a €195,407 fine to Delivery Hero. Although Delivery Hero is a food delivery company rather than a letting agent, the issuing of such a substantial fine illustrates that Germany’s regulators are prepared to punish businesses that ignore or only partially complete SARs.


An example of a country that has fined a real estate organisation for inadequately responding to a SAR is Cyprus. In 2021, the Office of the Commissioner for Personal Data Protection (‘the Commissioner’) fined the Real Estate Registration Authority €10,000 for failing to adequately respond to a data subject access request and not cooperating with the Commissioner.


Under the California Consumer Privacy Act (CCPA), a person can request that businesses disclose the personal information they have collected, used, shared, or sold about them, and why they collected, used, shared, or sold that information. Businesses can be asked to provide information about:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties

Businesses must provide this information for the 12 months preceding the request and cannot charge for actioning the request.

Letting agents that serve California residents and that have a turnover of more than $25 million, have personal data on at least 50,000 people, or collect more than half of their revenues from the sale of personal data must comply with the CCPA.

New York

In May 2021, the New York City Tenant Data Privacy Act (TDPA) was passed, aimed at protecting the privacy and personal data of tenants and guests of smart-access buildings. The TDPA states that building owners and third-party entities must obtain express consent before collecting personal data from tenants and their guests. If consent is obtained, the only data permitted to be gathered is:

  • The name of the tenant or guest;
  • The unit number and areas in the building that the tenant or guest has access to with the smart access system;
  • The tenant or guest’s preferred method of contact;
  • The tenant or guest’s biometric identifier information—if the smart access system uses any physiological, biological, or behavioural characteristics to identify an individual;
  • Passcodes or identifiers associated with the physical hardware used to gain entry;
  • Lease information, including move-in and move-out dates; and
  • The time and method of entry – to be used for security purposes only.

Furthermore, unless the data is anonymised, it must be destroyed within 90 days of collection unless certain exceptions apply.


The examples above show that in other jurisdictions, real estate agents and landlords are held to account for failure to comply with data protection regulations, including SARs. In the final part of this article, we will look at solutions to the problem of letting agents and landlords not responding to SARs and consider whether not providing all the information concerning a tenancy constitutes a breach of the Civil Procedure Rules.

Veriwise helps all tenants get access to justice. If you have an issue with your rented property and your landlord is refusing to fix the problem or is ignoring you, please contact us at contact@veriwise.co.uk and we will resolve the issue directly with your landlord/agent so you don’t have to.