Few of us will need to be reminded that the General Data Protection Regulation (GDPR) took effect earlier this year. The GDPR is an EU measure that imposes strict rules on how personal data (any information relating to an identified or identifiable individual) is collected and used. But in light of this new legislation, should landlords now require a tenant to covenant specifically to comply with the GDPR?
In short, the answer is no. There is little extra value to a landlord in requiring its tenant to covenant to comply with the GDPR. As a matter of law, whenever it is processing personal data, a tenant (and its landlord for that matter) will have to comply with its own obligations under the GDPR, regardless of any obligation in the lease.
Most leases contain a covenant by the tenant to comply with statutory obligations, so far as those obligations affect the premises. If a tenant does not comply with the GDPR, then its landlord can use this covenant to force the tenant to comply, at least to the extent that the non-compliance relates to the premises and could affect the landlord.
Landlords must also comply with the GDPR (see box below). Although this may seem burdensome, landlords need not be out of pocket for doing so. Most leases in multi-let buildings will allow a landlord to recover reasonable costs of complying with statutory obligations through the service charge, in so far as such compliance affects the building or services provided to tenants. For example, if a landlord supplies Wi-Fi for visitors in the common parts, then any additional cost to ensure this complies with the GDPR should be recoverable as service charge.
Changes shouldn't necessarily need to be made to new leases to account for the GDPR. Provisions in a usual commercial lease alongside statute should be sufficient to ensure that landlords and tenants each comply with their GDPR obligations and that landlords are not out of pocket for doing so.
GDPR for landlords – in a nutshell
- A landlord who is a 'data controller' (i.e., they determine the purpose for which personal data is processed) will almost certainly need to pay a fee to the Information Commissioner's Office (ICO) (while exemptions to the obligation do exist, those exemptions are unlikely to apply to landlords). Failure to pay the fee may lead to the ICO imposing a civil 'fine' as discussed in our recent bulletin.
- If a landlord leases premises to individuals, it will likely have details of their names, dates of birth, telephone numbers and email addresses, and possibly also National Insurance numbers and other personal information, such as financial information. A landlord must look after this data carefully and prevent any unauthorised persons from accessing it. There must also be a policy about how the data will be kept safe. Once the data is no longer needed, it must not be retained and should be disposed of securely.
- If a landlord provides free Wi-Fi at the premises but collects or otherwise processes the personal details of the individuals using it (for instance by the capture of device information or IP addresses), then the second point above applies.
- If personal data is lost or there is any other sort of 'data breach', it may be necessary to inform the ICO (and in some cases, the individual) within 72 hours.
- If you want to send unsolicited electronic marketing (e.g., mailshots by email or text) to individuals, you must obtain their proper consent, unless it is possible to rely upon the 'soft opt-in' (which applies under a different set of rules, the Privacy and Electronic Communications Regulations). The soft opt-in allows you to send these marketing communications to individuals where you have an existing customer relationship with them, the marketing relates to similar goods or services, and you have given them the opportunity to opt out. If consent is needed, however, pre-ticked boxes on a webpage no longer count.
- If data is given to third parties (managing agents, for example) to hold, look after or process under a contract, then the contract must provide that the third party will also comply with the GDPR.