3

If Tim the tenant and Larry the landlord enter into a tenancy, then do either of them become a data controller of the others name and address? Does the landlord as the "provider" of the housing have greater burdens of propriety in handling tenants' personal data than vice versa? More broadly, do any two parties entering into mutual contract assume compliance burdens under the GDPR, and is the case especially so with respect to something so ubiquitous as tenancies?

JosephCorrectEnglishPronouns
  • 6,409
  • 4
  • 31
  • 75

1 Answers1

3

Anyone who processes personal data using electronic means or with some filing system is a data controller, as long as

  • they fall within the GDPR's territorial scope,
  • they're not doing the processing on behalf of another data controller, and
  • they're not only doing the processing for purely personal or household purposes.

In todays world, it's almost certain that electronic means are involved. And establishing a rental contract generally involves some personal data. We can also assume that both parties are in the UK, and that both are acting on their own behalf.

So this leaves the household exception.

  • Larry the landlord will not be covered by the household exception since they're using the personal data for a business purpose. Larry is a data controller.
  • If Tim the tenant is renting a place to live in himself, he's probably acting for purely personal or household purposes and would not be a data controller.
  • If Tim the tenant is renting space for his office, for a church, or for a chessclub in which he is a member, he's no longer acting for purely personal or household means. Depending on context, Tim or Tim's organization may be a data controller.

The ICO's guidance on controllers and processors has a checklist “Are we a controller?” that lists common factors establishing controllership. On another page, they write:

Wherever personal data is used for purposes other than personal or household processing, the organisation behind it is a controller. Personal or household processing means the personal data you’d usually have in your home, such as family photo albums, friends’ addresses and notes on the fridge, none of which would be covered by data protection laws unless there was another connection to a professional or commercial activity.

amon
  • 24,244
  • 3
  • 46
  • 77