Renting out a furnished apartment in Germany, especially via mid-term platforms like Wunderflats, requires more than just finding a reliable tenant.
As a landlord, you also take on the role of a data controller under the General Data Protection Regulation (GDPR). That means you are legally responsible for handling your tenants’ personal data in a way that is transparent, secure, and compliant with the law.
Many landlords underestimate this responsibility, thinking GDPR only applies to large corporations or professional property managers. In reality, even a private landlord with a single property is bound by the GDPR if they process personal data of EU residents.
This guide will walk you through (a) what GDPR means for landlords in Germany, (b) which data you are allowed to collect, (c) how to store and share it safely, and (d) what mistakes to avoid.
Why GDPR Matters for Landlords
The GDPR is the EU’s main framework for protecting personal data. Adopted in 2016 and applicable since 25 May 2018, it gives individuals control over their personal information and unifies data protection rules across the EU.
For landlords, GDPR compliance matters because:
- It’s the law – Non-compliance can lead to fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (Art. 83(5) GDPR).
- It protects you from disputes – If a tenant believes their data was misused, they can file a complaint with the authorities.
- It builds trust – Tenants are more likely to choose and cooperate with landlords who handle their personal data professionally.
Important GDPR principles landlords must follow:
- Transparency – Clearly inform tenants about what data you collect, why, how it’s stored, and for how long.
- Data minimization – Only collect data that is strictly necessary for rental purposes.
- Purpose limitation – Use the data only for the reason you collected it (e.g., renting the apartment).
- Accuracy – Keep data up to date and correct errors promptly.
- Storage limitation – Do not keep personal data longer than needed.
- Security – Protect data against loss, theft, or unauthorized access.
- Accountability (Art. 5(2) GDPR) – As the data controller, you must not only comply with these principles but also be able to demonstrate compliance.
What Data Landlords Typically Collect
In a mid-term rental context, you may collect the following personal data from tenants:
Identification Data
- Full name
- Date of birth
- Address
- Copy of passport or national ID card
Example: If you ask for an ID scan to verify the tenant’s identity before signing the lease, this is personal data subject to GDPR.
Financial Information
- Proof of income (e.g., payslips)
- Bank account details (for rent transfers)
- Schufa credit report
- Employment contract
Example: You may request a Schufa report to assess creditworthiness, but storing it indefinitely after the tenancy ends would violate GDPR.
Contact Details
- Email address
- Phone number
Example: This allows you to communicate about tenancy matters but should not be used for unrelated purposes like marketing.
Legal and Administrative Documents
- Registration confirmation (Anmeldung) if required
- Signed rental agreement
- Wohnungsgeberbestätigung (landlord confirmation form for local authorities)
Accountability (Art. 5(2) GDPR) in Practice
- Maintain written privacy notices and provide them to tenants.
- Keep records of legal bases for each type of data collected (contract, legal obligation, legitimate interest, or consent).
- Store copies of consent forms (when used).
- Document data protection measures, such as encryption, secure storage, and deletion policies.
- Keep logs of data sharing with third parties (e.g., property managers, Wunderflats, debt collectors).
- Record how you handle tenant rights requests (access, erasure, rectification, etc.).
- Document any risk assessments or data breach responses.
Why it matters: If the local data protection authority (Datenschutzbehörde) investigates, you must be able to show evidence of GDPR compliance, not just claim that you follow the rules.
Legal Basis for Collecting Tenant Data
Under GDPR, you must have a legal basis for processing any personal data. For landlords, the most common are:
Performance of a Contract (Art. 6(1)(b) GDPR)
You need certain data to draft and execute a rental agreement. For example, you cannot create a lease without the tenant’s full name and contact details.
Examples:
- Full name and address for drafting the lease
- Contact details for communicating about tenancy matters
- Bank details for rent payment
Best practice: State in your privacy notice that these details are required to enter into and perform the tenancy contract.
Compliance with a Legal Obligation (Art. 6(1)(c) GDPR)
German law requires landlords to issue a Wohnungsgeberbestätigung (residence confirmation form) so tenants can register with local authorities. This justifies collecting specific identification data.
Examples:
- Collecting ID information to issue a Wohnungsgeberbestätigung for tenant registration
- Retaining payment records for 10 years to comply with tax law
Timing matters: Under the Bundesmeldegesetz (BMG §§ 17, 19), landlords must issue this document within 2 weeks of the tenant moving in.
What’s included: Under §19(3) BMG the confirmation states the landlord’s name and address (and the owner’s name, if the landlord is not the owner), the move-in or move-out date, the address of the dwelling, and the names of the persons moving in, with the landlord’s signature.
Legal consequences: Failing to provide it on time is an administrative offense and can lead to fines.
Why this matters for GDPR: Recording the tenant’s name for the Wohnungsgeberbestätigung is not optional. It’s a legal obligation, and therefore a valid basis for processing data under Art. 6(1)(c) GDPR. Note that the form itself only requires names: checking the tenant’s ID to confirm the spelling is reasonable, but this obligation does not by itself justify keeping a copy of the document.
Legitimate Interests (Art. 6(1)(f) GDPR)
In some cases, you may collect data to protect your property or verify financial reliability (e.g., requesting proof of income). This must be balanced against the tenant’s right to privacy.
Examples:
- Requesting proof of income or a Schufa report to assess financial reliability
- Storing certain communication records during a dispute
Best practice: Perform a “Legitimate Interest Assessment” (LIA) to document why the processing is necessary and proportionate.
Consent (Art. 6(1)(a) GDPR)
Consent can be used if you want to collect or process data that isn’t strictly necessary for the contract or legal obligations. It must be:
- Voluntary
- Specific
- Informed
- Easily withdrawable at any time
Important: Consent is not a fallback for poor data practices. If you can rely on a legal obligation or contractual necessity, use that instead.
Examples:
- Using tenant photos for marketing
- Passing contact details to another landlord at the tenant’s request

Tenant Privacy vs. Rental Contract Clauses
Sometimes, landlords add very broad privacy clauses directly into the rental contract. For example, the contract might say that the tenant gives general consent for “all future data use” or that they agree to give up certain data protection rights. These types of clauses are not valid.
Why These Clauses Don’t Work
- Consent must be real, not forced – Under GDPR, consent has to be freely given, clear, and specific. If the tenant has no choice (because saying “no” would mean not getting the apartment), then the consent isn’t valid.
- Unfair contract terms are not allowed – In Germany, contracts with consumers must be fair and transparent. If a clause is too vague, one-sided, or gives the landlord unlimited power, it won’t hold up legally.
- GDPR rights cannot be signed away – Tenants always keep their rights, like the right to access or delete their data. Even if a contract says otherwise, those rights still apply.
In practice: You can’t just insert a sentence in the rental agreement giving yourself unlimited permission to use tenant data. Instead, you should provide a separate privacy notice that clearly explains what data you collect, why you need it, and how long you’ll keep it.
Best Practices for GDPR Compliance
Here’s a step-by-step approach landlords can follow:
Step 1: Draft a Privacy Notice
- Explain what data you collect
- State the purpose of the collection
- Identify your legal basis
- List those you may share data with
- Indicate how long you store the data
- Provide contact details for data protection inquiries
Tip: Keep this simple and easy to read. Provide it before or at the time you collect data.
Step 2: Minimize Data Collection
Only ask for what’s necessary:
- OK: Proof of income to check affordability
- Not OK: Details about religion, political beliefs, health, or ethnic origin (these are special categories of personal data under Art. 9 GDPR).
Processing such data is prohibited unless one of the exceptions in Art. 9(2) applies, in practice the tenant’s explicit consent. It is almost never necessary for a standard tenancy agreement, so the safe course is simply not to ask.
Step 3: Store Data Securely
- Use full-disk encryption on the laptop or phone that holds tenant files, and encrypt individual documents (or use a password-protected archive with a strong passphrase) before placing them in a cloud service
- Keep paper documents in locked cabinets
- Restrict access to those who need the data, and keep tenant documents in a dedicated folder or account rather than scattered through your general email inbox
Step 4: Limit Data Sharing
- Share only with authorized parties (e.g., property managers, utility companies)
- Use secure channels (avoid unencrypted email for sensitive documents)
- Keep a record of what you shared, with whom, and why
Step 5: Set Retention Periods
Landlords often wonder: how long should I keep tenant data? The answer depends on whether you rent as a private individual or as part of a business activity, and on the category of document.
- Private landlords (one or two properties):
- Rental contracts, invoices, and correspondence may generally be deleted 3 years after the tenancy ends. This is the standard limitation period for contractual claims under §195 BGB; under §199 BGB it runs from the end of the year in which the claim arose, so in practice the documents are kept until 31 December of the third year after the tenancy ended.
- Keeping data beyond this “just in case” without a clear legal basis may violate GDPR.
- Business landlords (agencies or landlords declaring rental income as business activity):
- German tax and commercial laws (§147 AO, §257 HGB) require certain documents to be kept for up to 10 years (e.g., invoices, payment records, and bookkeeping documents).
- In such cases, GDPR allows extended storage because it is a legal obligation (Art. 6(1)(c) and Art. 17(3)(b) GDPR).
- Special cases:
- ID copies: delete immediately after they are no longer required (e.g., after issuing the Wohnungsgeberbestätigung).
- Schufa reports or proof of income: delete once the tenant is selected and the contract is signed.
- Application documents of rejected tenants: delete promptly unless you have explicit consent to keep them for future offers.
Best Practice:
Always link your retention periods to a legal justification (e.g., tax law, contract law, or an ongoing dispute). If none exists, delete the data as soon as the tenancy ends and all obligations are fulfilled.
Example retention periods:
- Rental contracts: 3 years after the tenancy ends for private landlords; up to 10 years where tax or commercial retention duties apply
- ID copies: delete immediately after verification unless legal retention applies
- Payment records: 10 years where bookkeeping obligations apply (§147 AO); otherwise 3 years
- Credit checks: delete once the contract is signed unless needed for an ongoing legal dispute
These benchmarks (3 vs. 10 years) replace the “keep everything for 10 years” habit and tie each period back to GDPR’s storage limitation principle.
Step 6: Delete or Anonymize Data
Once the retention period ends, securely delete or anonymize personal data so it can no longer identify the tenant.
Handling Data of Rejected Applicants
If prospective tenants don’t end up renting, their data should not just sit in email inboxes or file folders.
GDPR also applies to prospective tenants who provide personal data during the application process.
Under Art. 5(1)(e) GDPR, personal data may only be kept for as long as necessary for the purpose it was collected. For unsuccessful applicants, once it is clear they will not be renting the apartment, their data must be securely deleted or returned.
Example: A landlord receives three applications for a furnished flat. One tenant is selected and signs the contract. The landlord must delete the Schufa report and ID copies of the two unsuccessful applicants unless they consent to storage for a future rental.
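The retention rules in Step 5 and the handling of rejected applicants above can be turned into a small register that tells you what to delete and when. The following Python script is an added example, not part of the original guide or of any platform’s tooling. The mapping from record category to deletion trigger, the record fields, the tenant names and all dates are constructed for illustration, and it simplifies the 10-year period for business landlords by counting from 31 December of the year the tenancy ended (§147(4) AO actually counts from the end of the year in which the document was created or the last entry made).

```python
"""Retention register for tenant records (illustrative example, constructed data).

Rules assumed here, following the guide's retention section:
  - ID copies: delete as soon as the Wohnungsgeberbestätigung has been issued
  - credit checks / proof of income: delete once the rental contract is signed
  - application files of rejected applicants: delete once the applicant is rejected,
    unless the applicant consented to storage for future offers
  - contract, payment records, correspondence: 3 years (private landlord) or
    10 years (business landlord), counted from 31 December of the year the
    tenancy ended (simplification, see lead-in)
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Event-triggered categories: the record is due for deletion on the trigger date.
EVENT_TRIGGERED = {
    "id_copy": "Wohnungsgeberbestätigung issued",
    "credit_check": "rental contract signed",
    "proof_of_income": "rental contract signed",
    "application": "applicant rejected",
}
# Period-triggered categories: years counted from 31 December of the tenancy-end year.
PERIOD_TRIGGERED = {"contract", "payment", "correspondence"}
PERIOD_YEARS = {"private": 3, "business": 10}

# Constructed review date used by the sample run below.
REVIEW_DATE = date(2025, 1, 15)


@dataclass
class Record:
    tenant: str
    category: str
    collected: date
    trigger_date: Optional[date] = None   # when the EVENT_TRIGGERED event happened
    tenancy_end: Optional[date] = None    # for period-triggered categories
    consent_to_keep: bool = False         # applicant consented to storage for future offers
    legal_hold: bool = False              # ongoing dispute or other legal reason to keep


def deletion_due(rec: Record, landlord_type: str) -> Optional[date]:
    """Date by which the record must be deleted, or None if no date is fixed yet.

    None means "keep reviewing": the record is under legal hold, held under a
    consent that needs its own expiry, or the triggering event has not happened.
    """
    if rec.legal_hold:
        return None
    if rec.category in EVENT_TRIGGERED:
        if rec.category == "application" and rec.consent_to_keep:
            return None
        return rec.trigger_date
    if rec.category in PERIOD_TRIGGERED:
        if rec.tenancy_end is None:
            return None
        years = PERIOD_YEARS[landlord_type]
        return date(rec.tenancy_end.year + years, 12, 31)
    raise ValueError(f"unknown record category: {rec.category!r}")


def overdue(records, today: date, landlord_type: str):
    """Records whose deletion date has passed, oldest first, as (due, tenant, category)."""
    out = []
    for rec in records:
        due = deletion_due(rec, landlord_type)
        if due is not None and due <= today:
            out.append((due, rec.tenant, rec.category))
    return sorted(out)


# Constructed sample register: one tenancy, two unsuccessful applicants.
SAMPLE = [
    Record("Tenant A", "id_copy", date(2024, 3, 1), trigger_date=date(2024, 3, 10)),
    Record("Tenant A", "credit_check", date(2024, 2, 20), trigger_date=date(2024, 3, 1)),
    Record("Tenant A", "contract", date(2024, 3, 1), tenancy_end=date(2024, 9, 30)),
    Record("Tenant A", "payment", date(2024, 4, 1), tenancy_end=date(2024, 9, 30), legal_hold=True),
    Record("Applicant B", "application", date(2024, 2, 20), trigger_date=date(2024, 3, 1)),
    Record("Applicant C", "application", date(2024, 2, 20), trigger_date=date(2024, 3, 1),
           consent_to_keep=True),
]

if __name__ == "__main__":
    for due, tenant, category in overdue(SAMPLE, REVIEW_DATE, "private"):
        print(f"{due}: delete {category} of {tenant}")
```

Run as a script it lists the ID copy, the credit check and the rejected applicant’s file as overdue on the review date, while the contract (due at the end of 2027 for a private landlord) and the payment record under legal hold are kept. A real register would also note the legal basis and the recipients of each record, and the deletion itself has to be secure: overwrite or shred, rather than moving the file to a “deleted” folder or keeping it in an email attachment.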
When Can You Share Tenant Data?
GDPR doesn’t prohibit sharing data but requires you to have a legal reason.
Permitted examples:
- Sending a tenant’s name and address to the utility provider to set up billing
- Giving the necessary details to a property manager who handles rent collection
Not permitted:
- Forwarding ID copies to a friend “for reference”
- Sharing a tenant’s contact information with another landlord without consent
If you use third-party services (e.g., cloud storage, property management software), ensure they are GDPR-compliant and have signed a Data Processing Agreement (DPA) with you.
Video Surveillance in Rental Properties
Some landlords consider using CCTV cameras or smart doorbells for security. Video surveillance involves processing personal data and is therefore subject to GDPR. For private landlords the lawful basis is Art. 6(1)(f) GDPR (legitimate interest); the German Federal Administrative Court ruled in 2019 that §4 of the Federal Data Protection Act (BDSG), which addresses surveillance of publicly accessible spaces, does not govern private operators, but the supervisory authorities still apply its criteria (signage, proportionality, short retention) when assessing cameras under the GDPR.
What’s Allowed
- Cameras may only be used if there is a clear legal basis (usually legitimate interest in protecting property).
- Surveillance must be proportionate – you cannot monitor more than is necessary.
- Clear signage is required so tenants and visitors know they are being recorded.
What’s Not Allowed
- Private spaces (inside apartments, balconies, or directly in front of doors) must never be recorded.
- Cameras should not capture public sidewalks or neighboring property beyond the entrance area.
- Continuous or excessive monitoring may be considered harassment or an unlawful intrusion into privacy.
Practical GDPR Obligations
- Provide tenants with a privacy notice describing the purpose, storage period, and who has access to footage.
- Footage should only be stored for a short period (e.g., a few days) unless needed as evidence.
If surveillance covers sensitive areas or large numbers of people, landlords may need to conduct a Data Protection Impact Assessment (DPIA) under GDPR.
Key takeaway: Misuse of video surveillance can quickly lead to complaints and fines.

Common Mistakes Landlords Should Avoid
- Over-collecting data – Asking for unnecessary sensitive information like marital status or religion
- Keeping documents forever – “Just in case” is not a legal justification
- No privacy notice – Failing to inform tenants how their data is processed
- Insecure storage – Using personal email accounts or unencrypted USB drives for storing tenant data
- Forwarding documents without a legal reason – Even if it’s to another potential landlord
Data Protection and Anti-Discrimination Laws
When screening tenants, landlords must be careful not only about GDPR compliance but also about German anti-discrimination law (Allgemeines Gleichbehandlungsgesetz, AGG).
Under §19 AGG, landlords cannot discriminate based on:
- Race or ethnic origin
- Religion or belief
- Gender (including pregnancy)
- Disability
- Age
- Sexual identity
Family status as such (e.g., having children) is not a ground listed in the AGG, although pregnancy is treated as gender discrimination. Also, the AGG’s civil-law ban applies in full only to “mass transactions”: under §19(5) AGG, letting residential property is generally not such a transaction for landlords who rent out no more than 50 units in total. The prohibition on discrimination by race or ethnic origin (§19(2) AGG) applies regardless of the number of units.
Why This Matters for Landlords
- Asking these questions is not only irrelevant under GDPR (most of them touch special categories of data under Art. 9) but may also be illegal under the AGG.
- Tenants are not obliged to answer such questions. If asked, they even have the right to give untruthful answers without penalty to protect their privacy.
What If There’s a Data Breach?
A data breach means personal data has been accidentally or unlawfully lost, stolen, destroyed, altered, or accessed without authorization (Art. 4(12) GDPR). Examples:
- A laptop with unencrypted tenant files is stolen
- An email with tenant documents is sent to the wrong recipient
Your obligations:
- Assess the risk to the tenants’ rights and freedoms (e.g., identity theft from an ID copy, financial fraud from bank details).
- Notify the competent supervisory authority (for private landlords in Germany, the data protection authority of your federal state) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the affected persons (Art. 33 GDPR). If you notify later than that, you must give reasons for the delay.
- Inform the affected tenants without undue delay if the breach is likely to result in a high risk to them (Art. 34 GDPR). This is not required if the data was unintelligible to whoever obtained it, e.g. stored on a properly encrypted drive whose key was not compromised (Art. 34(3)(a) GDPR), which is one practical reason to encrypt tenant files in the first place.
Document the incident – keep records of what happened, its effects, how you responded, and how you’ll prevent it in the future. Art. 33(5) GDPR requires this record for every breach, including those you were not obliged to report.
Tenant Rights under GDPR
Under the GDPR, tenants have clear rights regarding their personal data. As a landlord, you must both respect these rights and inform tenants about them at the time of data collection (typically in your privacy notice).
Here’s what tenants are entitled to:
1. Right of Access (Art. 15 GDPR)
- Tenants can request a copy of all personal data you hold about them.
- You must provide:
- What data you have
- Why you process it
- Who you share it with
- How long you will keep it
- Deadline: Generally within 1 month of the request.
2. Right to Rectification (Art. 16 GDPR)
- Tenants can request corrections if their data is inaccurate or incomplete.
- Example: Updating a misspelled name or new contact number.
3. Right to Erasure (“Right to be Forgotten”) (Art. 17 GDPR)
- Tenants can request deletion of their personal data in certain circumstances, for example:
- The data is no longer necessary for the purpose collected.
- They withdraw consent (if consent was the legal basis).
- Exceptions: You may refuse if you must keep data for legal obligations (e.g., tax records).
4. Right to Restrict Processing (Art. 18 GDPR)
- Tenants can ask you to limit how their data is used.
- Example: During a dispute, the tenant may request that data is stored but not otherwise processed.
5. Right to Object (Art. 21 GDPR)
- Tenants can object to certain processing, especially if it’s based on legitimate interests.
- Example: They may object to you sharing their data with a third-party service provider unless you have compelling legitimate grounds.
Best Practice for Landlords:
- Include a Tenant Rights section in your privacy notice.
- Explain how tenants can exercise these rights (e.g., by emailing you with their request).
- Keep a log of all requests and your responses for compliance records.
Sharing Tenant Data with Third Parties
Landlords often need to share tenant data with third parties to manage their rentals effectively.
Under the GDPR, you may only share personal data if you have a lawful basis and if the sharing is proportionate and secure.
Common Third-Party Landlords May Share Data With
Rental Platforms (e.g., Wunderflats)
- These platforms act as data processors or joint controllers, depending on their role.
- You must ensure they comply with GDPR and have a Data Processing Agreement (DPA) in place if they process data on your behalf.
- Only provide the information required for listing and rental processing and avoid sending extra documents (like ID scans) unless strictly necessary.
Joint Controllers vs. Processors
When landlords use rental platforms, it’s important to understand whether the platform acts as a data processor or a joint controller:
- Processor (Art. 28 GDPR):
The platform only processes data on your behalf (e.g., purely technical services). In this case, you need a Data Processing Agreement (DPA) to ensure they handle data securely and only under your instructions.
- Joint Controller (Art. 26 GDPR):
If both you and the platform decide together why and how tenant data is used (e.g., for matching, screening, and rental contract facilitation), then you are joint controllers. In this situation, GDPR requires a Joint Controller Agreement (JCA) that sets out:
- Who informs tenants about data use
- Who handles data access/erasure requests
- Who is responsible in case of a data breach
- Tenants must also be told, in clear terms, how responsibilities are divided; the essence of the arrangement must be made available to them (Art. 26(2) GDPR).
Why this matters:
This helps landlords avoid the false sense of security that platforms “cover GDPR.” In reality, landlords remain accountable for their own processing and need to make sure the right agreement is in place and cooperate with the platform under Art. 26. Where a platform also uses tenant data for its own purposes (e.g., operating its marketplace), it is a separate controller for that processing and owes tenants its own privacy notice; that does not reduce your obligations for the data you hold.
Utility Providers
- Allowed if necessary to set up or transfer service contracts for the tenant.
- Share only relevant details (e.g., name, address, start/end date of tenancy).
- No financial or unrelated personal details should be passed.
Debt Collection Agencies
- Permissible when there is a lawful basis (usually legitimate interest in recovering owed rent).
- Ensure the agency is GDPR-compliant and that a DPA is signed if they act as a processor.
Property Managers
- If you outsource property management, they will often act as your data processor.
- A written DPA is legally required, setting out security measures and restrictions on data use.
When Is Consent Required?
- If you want to share data for purposes beyond the tenancy or legal obligations, you must obtain the tenant’s informed consent and be able to demonstrate it (Art. 7(1) GDPR), so record it in writing or another durable form.
- Consent is not valid if it’s bundled into the rental agreement without a clear, separate choice.
Best Practices for Sharing Data
- Document the purpose – Always know why you’re sharing data and which legal basis applies.
- Limit the scope – Share only the minimum data necessary for the task.
- Use secure transfer methods – Encrypted email, secure portals, or in-person handover (for paper documents).
- Check third-party compliance – Request GDPR compliance confirmations and keep DPAs in your records.
- Update your privacy notice – Clearly list all categories of recipients.
Example
“We may share your personal data with third parties, including rental platforms, utility providers, and debt collection agencies, where necessary to perform our contract with you, comply with legal obligations, or protect our legitimate interests. All such third parties are contractually bound to protect your information in accordance with GDPR.”
Do Landlords Need a Data Protection Officer?
For most private landlords with one or two properties, GDPR obligations can be managed without a dedicated Data Protection Officer (DPO). But if you operate a larger rental business or have many employees handling tenant data, additional duties apply.
When a DPO is Required
- Under §38(1) of the German Federal Data Protection Act (BDSG), a DPO must be appointed if you regularly employ at least 20 people who are permanently engaged in automated processing of personal data (e.g., in an agency or larger property management business).
- Independently of headcount, Art. 37(1) GDPR requires a DPO where your core activities consist of large-scale processing of special categories of data (such as health information, which is rare for landlords) or of regular and systematic monitoring of individuals on a large scale, and §38(1) BDSG requires one where your processing is subject to a Data Protection Impact Assessment.
Records of Processing Activities
- Even if a DPO isn’t required, landlords and agencies may still need to keep formal records of how they process personal data.
- This comes from Article 30 GDPR. The exemption in Art. 30(5) for organisations with fewer than 250 employees does not apply if the processing is not occasional, involves special categories of data, or is likely to result in a risk to tenants’ rights.
- German supervisory authorities read “occasional” narrowly: administering a tenancy means processing tenant data continuously for months or years, so even small landlords should assume a record is required. For one or two flats it fits on a single page.
Practical Implications
- A private landlord with one flat does not need a DPO but should keep a short record of processing activities.
- A property management company with many employees and tenants will almost certainly need both.
Even when the record is brief, logging what data you collect, the legal basis, who it’s shared with, and how long you store it demonstrates compliance (accountability principle).
Helpful Resources
- BfDI – Federal Commissioner for Data Protection: https://www.bfdi.bund.de
- GDPR Text (English): https://gdpr-info.eu
- Sample Privacy Notices – Available via local landlord associations
- European Data Protection Board homepage – https://www.edpb.europa.eu/edpb_en
- Legal Advice – Seek professional help if you manage multiple properties or handle large amounts of tenant data
As a landlord in Germany, you are legally responsible for how you collect, store, and share tenant data. GDPR compliance is not optional, but it doesn’t have to be complicated. By following these steps: only collecting what you need, keeping it secure, deleting it when you’re done, and being transparent with tenants, you protect both your tenants’ privacy and your own legal standing.
Think of GDPR as part of good business practice: it’s respecting your tenants, avoiding disputes, and building a professional reputation.

Legal review by Stephan Hartmann, Ass. jur., Data Privacy Officer at Lecturio — Tbilisi, Georgia
Disclaimer: The contents of this page have been prepared for your information and Stephan Hartmann, Ass. jur., Data Privacy Officer at Lecturio has been commissioned to check the legal correctness of this article. However, this article does not constitute legal advice. Always consult a legal professional for personalized guidance, especially if you're renting out property in Germany as a non-resident landlord or in complex circumstances.