Registration guidance for private landlords

If you rent out your property to tenants you have a legal obligation to maintain an annual registration with the Data Protection Authority under The Data Protection (Bailiwick of Guernsey) Law, 2017 (‘The Law’). You also have several other legal obligations which ensure you are treating your tenants’ information with the care the Law requires.  

If you have a lease which details your tenants’ names (or any other personal information about them) or anything else including facts or opinions about your tenants this means you are ‘processing’ personal data. 

You are required to register as a controller with the ODPA if you are: 
1. Established in the Bailiwick and 
2. Processing personal data. 

If you have no documented knowledge of your tenants’ personal data then you are not processing personal data and therefore you are not required to register with the ODPA. Should this situation change then registration would potentially be required, and you would need to examine your position again at that point.
 

 

    • Personal data’ is any information that relates to an identified (or identifiable) living individual. The information can be facts or opinions. 
    • Processing’ is a very broad term which covers anything you do with information about people and can include activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data.
    •  A ‘controller’ is any entity* who is responsible for the decisions made about why and how they use personal data about staff, customers, suppliers, or any other people. 
      * this entity would normally be an organisation, but it could be a specific human being (e.g. sole traders, landlords, elected officials etc).
    • A ‘processor’ is any entity* that is given the task of processing personal data by a controller. Processors do not determine the nature or the means of the processing; they just do what the controller tells them to do. If you are part of such an arrangement you need to have in place a Controller/Processor agreement. 
      * this entity would normally be an organisation, but it could be a specific human being (e.g. sole traders, landlords, elected officials etc).

  • If you use a property agent in connection with properties you rent to people you are still required to register with the ODPA as a controller, assuming that either you or the property agent are established in the Bailiwick. This would be applicable in all cases where you have documented knowledge of your tenants’ identities, such as in the form of a lease agreement where the individual tenants are identified or if you have anything else that including facts or opinions about your tenants. 

    If you are only renting to commercial / corporate entities you are not required to register with the ODPA.

    To further clarify this, although the day-to-day management of your property and other duties with regards to the property can be delegated to a property agent, the role of ‘controller’, under the Law, cannot be delegated and you as the landlord remain legally the controller for that personal data, with the property agent acting as ‘processor’, on your behalf.

    If you are a landlord who is based outside of the Bailiwick of Guernsey, but you use the services of a property agent who is based within the Bailiwick you are still considered a controller (as you are causing people’s data to be processed in the Bailiwick) and therefore you are established in the Bailiwick

    If you are a landlord based outside the Bailiwick and you use the services of a local property agent you will also need to officially designate a ‘Section 38 representative’ in your annual registration. This representative is a legal requirement and can be a property agent or another legal person within the Bailiwick who will act as your point of contact locally.

  • No. The Law is only applicable to controllers and processors of personal data. 

    Tenants, in this context, are ‘data subjects’ (i.e. they are the subject of the personal data used by controllers/processors).
    Data subjects in their private lives are covered by the Law’s ‘domestic purposes exemption’.