At first glance, a lease appears to be a document about bricks and mortar - a commercial arrangement between landlord and tenant concerning a physical asset. Data protection law does not always see it that way. This article addresses an increasingly pressing question for property professionals: when does information collected during a property transaction or tenancy constitute personal data under the UK General Data Protection Regulation (UK GDPR)?
The answer is far from obvious. It arises across the range of data routinely collected by landlords, housing associations, managing agents and property lawyers - from recording a tenant's choice of property size or kitchen fitting, to gate access data monitoring who enters and exits a building. If that information identifies a living individual, it will attract the full suite of UK GDPR obligations, with potential negative consequences for organisations that fail to recognise it as such and comply.
Non-compliance risks regulatory scrutiny, enforcement action and complaints from individuals who may also pursue compensation claims - all bringing reputational damage and wasted management time.
The legal framework: what is personal data?
The UK GDPR defines personal data as "any information relating to an identified or identifiable natural person ('data subject')". A natural person is "identifiable" if they can be identified, directly or indirectly, by reference to an identifier.
Identifiers include a name, identification number, location data, online identifier, or factors specific to an individual's physical, physiological, genetic, mental, economic, cultural or social identity.
This breadth is deliberate: EU and UK legislators intended the concept of personal data to be construed widely, giving individuals meaningful control over information that concerns them. Recital 26 of the UK GDPR confirms that all means "reasonably likely" to identify an individual must be considered when assessing identifiability.
The Information Commissioner's Office (ICO)[1], the UK's independent data protection regulator, has published detailed guidance on the meaning of personal data. The ICO confirms that information "relates to" an individual if it is "about" that person but cautions that this test is not always straightforward.
"Relating to": what the courts say
The 2025 High Court decision in Michael Ashley v The Commissioners for HMRC provides the most recent and authoritative judicial guidance on how courts approach the foundational question of what information "relates to" an individual for the purposes of the personal data definition.
Mike Ashley, British retail entrepreneur, made a Data Subject Access Request (DSAR) to HMRC following an enquiry into his tax return, which had included valuations of 32 properties he owned. The central dispute was whether property valuations and related assessment documentation fell within the personal data definition. HMRC had taken a narrow view, but Mr Ashley challenged this as failing to reflect the true breadth of the statutory definition.
The court held that HMRC had adopted an "unduly restrictive approach to what constitutes personal data". Mrs Justice Heather Williams confirmed that the "relating to" requirement is satisfied where "the information, by reason of its content, purpose or effect, is linked to a particular person". These three elements — content, purpose and effect — are alternatives: information may qualify as personal data if any one links it to an individual. This mirrors the ICO's approach.
Crucially, the judgment affirms that information may be personal data even if, on its face, it concerns an object rather than a person. The valuations of Mr Ashley's 32 properties were held to be his personal data because they were processed for the purpose of calculating his tax liability — a clear example of the "purpose" limb of the test being satisfied.
However, the court drew an important distinction: details about comparable properties not owned by Mr Ashley, used merely to assist in valuing his properties, were unlikely to constitute his personal data, because those details did not directly relate to him. This distinction is of immediate relevance to the property sector, as explored below.
Property specific examples
Content
If the content of the information is clearly about a specific individual, it will directly concern them and relate to them. This includes medical, banking or employment records. In a property context, it could include the terms of a tenancy agreement, break clause decisions, maintenance requests and housing allocation records.
Purpose
A property valuation carried out to assess an individual's tax liability, as in Ashley v HMRC, constitutes personal data even though it is, on its face, about an asset.
Effect
If processing information is likely to impact a specific individual or their rights or interests, that information can be considered personal data, even if that was not the intended purpose. Rent arrears data processed by a housing association, for example, could readily satisfy this limb, given the profound effect such a record may have on a tenant's housing situation. Similarly, sharing data with third parties like reference agencies or debt collectors can have a significant effect on an individual.
Context is the most important consideration. ICO guidance indicates that information about a property's market value processed purely for statistical purposes - for example, to identify trends across a geographical area - may not constitute personal data. But once that same information is linked to an identified individual to inform a decision about them, it crosses the threshold.
When to seek advice
Classification of property-related information as personal data means that the party processing that data, if they are the 'controller', has to comply with the obligations in the UK GDPR. We've focused on four areas below:
1. Data subject access requests (DSARs)
Ashley v HMRC arose from a DSAR dispute, illustrating the complexity that can arise when property-related information is identified as personal data. Property organisations receiving DSARs must carefully assess whether leases, tenancy files, maintenance logs and rent ledgers fall within scope. The breadth of the "relating to" test means this exercise will likely capture more documents than expected. Too narrow a response risks regulatory action; too broad a response may disclose third party personal data inappropriately. Specialist advice is essential.
2. Data protection complaints
The Data (Use and Access) Act 2025 reforms the data protection complaints regime under the UK GDPR. The changes come into force in June 2026. Individuals will have clearer routes to complain about mishandling of their personal data directly to an organisation, rather than first to the ICO. Organisations should now be implementing an effective data protection complaints process. Tenants who believe their lease, rent arrears or housing allocation data has been mishandled have a new route to seek redress. Property organisations that have not audited the personal data they hold, and the lawful basis on which they process it, should prioritise this work.
3. Personal data transfers
The international property market raises complex questions about international transfers of personal data under the UK GDPR. Where a landlord, managing agent or property fund shares tenant data, including lease documentation, with entities in third countries (outside the UK) that do not benefit from an adequacy decision, they must ensure appropriate safeguards are in place, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses.
This is a particular concern for large property portfolios managed across multiple jurisdictions, or for real estate transactions involving overseas investors requiring access to tenancy data for due diligence. The threshold question of whether shared information constitutes personal data - which, as the Ashley decision confirms, may depend on the purpose for which the information is being transferred - is therefore of direct practical importance. Specialist legal advice is required before cross-border sharing of property-related personal data.
Organisations also need to consider whether it is actually necessary to share the personal data within the information, depending on the purpose for which information is being shared. This is necessary to comply with the data minimisation principle.
Data storage outside the UK, including on overseas IT systems, in the cloud, or via connected devices and smart building technology that transmits data to third countries, must be considered in the context of international personal data transfers.
4. Data security obligations
Once the personal data threshold is crossed, UK GDPR data security duties also bite. Controllers must implement appropriate technical and organisational measures to protect that data. Tenant onboarding and identity verification processes, which typically involve collecting copies of passports, proof of address, right to rent checks and financial references, require particular attention given the sensitivity of the data involved.
Connected devices and smart building technology, such as access control and entry systems; Building Management Systems; occupancy and space-use sensors; smart CCTV and security; smart HVAC systems; smart meters; smart parking systems and smart ESG and sustainability platforms require robust security measures where they collect and transmit personal data, often to third party providers.
A robust data security incident response regime must be in place and tested, alongside regular employee training to ensure good cybersecurity posture for the business. Specialist advice may be needed to assess what "appropriate" security and incident response readiness looks like for your organisation.
Key takeaways for the property sector
Recent case law confirms that courts take a broad approach to personal data - one that captures property and asset information where linked to an identifiable individual. Property professionals should note the following practical points:
- Leases and tenancy agreements recording a tenant's identity and obligations are very likely to be personal data.
- Associated data such as valuations, rent arrears, maintenance logs, housing allocations or access records may also qualify, depending on use.
- The low threshold means property organisations should err on the side of caution and ensure appropriate data protection governance, including a record of data processing activities, privacy notices, data retention policies, DSAR policy and procedure, and an effective complaints process. Appropriate, relevant and up-to-date data processing agreements must also be in place.
- For effective personal data breach handling, incident response planning and testing, with staff training, are essential.
- Getting it wrong risks not just regulatory action, but reputational damage, litigation and significant financial penalties. Data protection compliance is not a one-off exercise – it must be treated as ongoing. Initial measures put in place in 2018 when the GDPR first came into force in the UK will be out of date and in need of review. This is in light not only of changes to the UK GDPR and the DPA 2018 after amendments introduced by the Data (Use and Access) Act 2025 this year, but also of the increased adoption of Prop Tech solutions, connected (IoT) devices, sensors, digital platforms and cloud services across the property sector.
Footnote
[1] Which will be known as the Information Commission from June 2026.
Read the original article on GowlingWLG.com