Table of Contents
For tenants, especially expats and international renters, moving to Germany often means sharing personal documents with landlords, agencies, or platforms like Wunderflats. But how much is too much? Which requests are legal? And what are your options if your data is mishandled?
The General Data Protection Regulation (GDPR) is the law that answers these questions. It gives you clear rights and holds landlords, agents, and platforms accountable for how they collect, store, and use your personal information.
This guide breaks down your rights under GDPR, what landlords can and can’t ask for, how your data should be handled, and the steps to take if something goes wrong.
What Is GDPR and Why It Protects You
The General Data Protection Regulation (Regulation (EU) 2016/679) is an EU-wide law that has applied in Germany since 25 May 2018. It also works alongside the Bundesdatenschutzgesetz (BDSG) or Germany’s own Federal Data Protection Act, which tailors GDPR rules to the national context.
Important GDPR principles you should know:
- Lawfulness, fairness, and transparency – Data must be collected for a valid reason, and you must be told how it will be used.
- Purpose limitation – Your data can only be used for the reason it was collected (e.g., signing a lease).
- Data minimization – Only the information necessary for that purpose can be requested.
- Accuracy – Data must be kept up to date.
- Storage limitation – Data should be deleted when it’s no longer needed.
- Integrity and confidentiality – Your data must be stored securely.
In plain language: GDPR stops landlords from asking for irrelevant or excessive information and gives you the power to say “no” without losing your rights as a tenant.
What Landlords Can Legally Ask For
In Germany, landlords are allowed to request documents that prove your identity and ability to pay rent. However, what’s “necessary” depends on the type and length of rental.
Generally Accepted Documents:
- Proof of identity – Passport, national ID card, or residence permit.
- Proof of income – Recent payslips, tax statements, or employment contract.
- Employment verification – Sometimes required for long-term leases.
- Credit report (SCHUFA) – Typically needed for unfurnished, long-term rentals.
- Previous landlord reference – Optional, not always required.
Documents That Are NOT Legal to Request:
Under GDPR Article 9, “special categories” of personal data are protected from processing unless under very specific conditions (e.g., explicit consent or legal necessity). Landlords cannot ask for:
- Religion or belief.
- Ethnicity or racial background.
- Sexual orientation or gender identity.
- Political opinions.
- Health information (unless directly related to a specific accommodation request).
- Marital status or family planning.
- Bank account login details.
Example:
If a landlord asks whether you are planning to have children soon, this is irrelevant and discriminatory. You are under no obligation to answer.
If a landlord asks for any of the above, you can refuse without consequence under GDPR, and you may challenge the request with the landlord, platform, or data protection authority.
Practical Tip: For furnished mid-term rentals (1–12 months), like many offered through Wunderflats, landlords often require fewer documents because the tenancy risk is lower.
Permissible Questions
Alongside documents like ID and proof of income, landlords in Germany may also ask reasonable questions directly related to the tenancy. These are not “sensitive personal data” under GDPR but practical matters that can affect the property or compliance with house rules.
Examples of legitimate questions include:
- Do you have pets? – Many leases restrict or forbid animals, or require landlord approval.
- Do you smoke? – Smoking can affect the condition of the flat and is often regulated in house rules.
- How many people will live in the flat? – Landlords need to ensure the property isn’t overcrowded and that utility costs or building regulations are respected.
These questions are routine and lawful in Germany because they directly relate to maintaining the property and fulfilling the rental contract.
If you’re unsure, ask yourself: “Does this question clearly affect the flat or rental agreement?” If yes (pets, smoking, occupants), it’s generally acceptable. If no (ethnicity, beliefs, private life), you can politely refuse.
Criminal Record Checks
Another area tenants sometimes worry about is whether they can be asked to provide a criminal record check (often called a police clearance certificate or Führungszeugnis in German).
Under GDPR Article 10, data relating to criminal convictions and offences can only be processed under the control of official authorities or when explicitly authorised by law. In Germany, there is no legal basis for private landlords to demand a criminal background check for a standard rental agreement.
What this means for you:
- A landlord cannot legally require you to submit a police clearance certificate (Führungszeugnis) or disclose past convictions.
- Even a “self-statement” about your criminal history would involve processing data covered by Article 10, and private landlords have no lawful basis to request it.
- Such requests are considered highly unusual and are not part of normal German rental practice.
Tip: If you are ever asked for criminal record data when applying for a tenancy, you can safely refuse and cite GDPR Article 10. If the landlord insists, this is a red flag, and you may wish to raise the issue with a tenants’ association or the data protection authority.
When Consent Is (and Isn’t) a Lawful Basis
Under GDPR, landlords and agencies need a lawful basis to process your personal data. While consent is one possible basis (Article 6(1)(a)), it’s not always the right one in tenancy situations.
Why? Consent must be:
- Freely given – You can say “no” without negative consequences.
- Specific – Linked to a clearly defined purpose.
- Informed – You understand exactly what you’re agreeing to.
- Revocable – You can withdraw it at any time.
Example:
If a landlord asks for your phone number to contact you about repairs, this can be justified under contract necessity rather than consent.
If a landlord wants to use your photo for a tenant newsletter, that’s not necessary for the contract; they would need valid, freely given consent, which you can refuse without consequences.
Automated Decisions and Tenant Screening”
While most rental decisions in Germany are made by landlords or agencies directly, GDPR also protects you from being unfairly treated by automated decision-making.
Under Article 22 GDPR, you have the right not to be subject to a decision based solely on automated processing (such as algorithms or profiling) if that decision produces legal effects or significantly affects you.
What this means in practice:
- If a platform or landlord used software to automatically reject, rank, or score applicants (for example, based only on credit data) without human review, you would have rights.
- You must be informed if such automated decision-making is taking place (Article 13(2)(f) GDPR).
- You have the right to:
- Object to the decision.
- Request human intervention.
- Object to the decision.
Challenge the outcome if you feel it is unfair or inaccurate.
Your GDPR Rights as a Tenant
GDPR gives you eight core rights and they apply whether your landlord is a private individual or a large property company.
1. Right to Access (Art. 15 GDPR)
You can ask for a complete list of personal data held about you, along with:
- Why is it being processed?
- Who has received it?
- How long will it be stored?
2. Right to Rectification (Art. 16 GDPR)
If something is wrong, like an incorrect address, you can have it corrected immediately.
3. Right to Erasure (Art. 17 GDPR)
Also called the Right to Be Forgotten. You can request deletion of your data if:
- It’s no longer necessary.
- You withdraw your consent.
- It was processed unlawfully.
- Your tenancy ends.
- After statutory retention periods have expired (e.g., tax or accounting laws).
Landlords and agencies must delete the data without undue delay once these conditions are met.
4. Right to Restrict Processing (Art. 18 GDPR)
You can stop your data from being processed while disputes are resolved.
5. Right to Data Portability (Art. 20 GDPR)
You can request your data in a structured, machine-readable format to give to another service.
6. Right to Object (Art. 21 GDPR)
You can say no to processing for certain purposes, such as direct marketing.
7. Right to Be Informed (Art. 13–14 GDPR)
You must be told who is collecting your data, why, and how it will be used.
8. Right to Lodge a Complaint (Art. 77 GDPR)
You can complain to the Datenschutzbehörde (German Data Protection Authority) if your rights are violated.
You can learn more about your rights in the European Commission (Rights for Individuals under GDPR) and on Federal Commissioner for Data Protection and freedom of information website (BfDI).
9. Data Protection and Anti-Discrimination (AGG)
GDPR is not the only safeguard protecting tenants in Germany. The General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz – AGG) works alongside GDPR to prevent discrimination in housing.
Under the AGG, landlords cannot lawfully deny you a rental on the basis of:
- Ethnic origin, race, or nationality
- Religion or belief
- Gender or sexual orientation
- Disability or chronic illness
- Age
This means:
- Intrusive questions about religion, ethnicity, or family planning are not only irrelevant under GDPR, but could also signal unlawful discrimination under AGG if used to reject an application.
- Even if a landlord phrases the question casually (e.g., “Are you planning to have kids soon?”), if the answer influences the rental decision, it may violate discrimination law.
What you can do:
- Keep a record of the question and the landlord’s response.
- Seek advice from a tenants’ association (Mieterverein) or anti-discrimination agency.
- File a claim under the AGG tenants can seek compensation if they are unfairly denied a rental based on protected characteristics.
Tip: GDPR gives you rights over how your data is collected and processed; the AGG protects you against why that data is used to make decisions. Together, these laws ensure both your privacy and your right to equal treatment.
Your Right to Withhold (or Even Mislead) on Impermissible Questions
Under German law, if a landlord asks you a question that is legally impermissible, for example, about your religion, pregnancy, family planning, or sexual orientation, you are not required to answer truthfully.
Courts have recognized that tenants (similar to job applicants) have the “Recht zur Lüge” (right to lie) in response to unlawful questions. This means:
- You may refuse to answer or give a misleading answer without legal consequences.
- The landlord cannot later claim that you provided “false information” to terminate the lease, because the question itself should never have been asked.
- This principle protects you from being forced into self-disclosure of sensitive personal information that is irrelevant to the tenancy.
Example:
- If a landlord asks whether you are pregnant, you may deny it, since pregnancy status is not a lawful ground for a rental decision.
If asked about your religion or sexual orientation, you may refuse to answer or give a misleading response, and this cannot be held against you.
Tip for tenants: Always distinguish between permissible practical questions (pets, smoking, number of occupants) and impermissible personal questions (religion, health, family planning). On the latter, you are fully protected under both GDPR and German case law even if you choose not to be truthful.
What to Expect in Practice
Under GDPR Articles 13 and 14, a responsible landlord or agency should always give you a privacy notice before requesting documents.
This is not optional.
This should clearly state:
- The purpose of collecting your data.
- The legal basis (e.g., contractual necessity under Art. 6(1)(b) GDPR).
- Who will have access to it.
- How long it will be stored.
- Your rights under GDPR.
If this information is not given to you at or before the time of data collection, it’s a violation of GDPR’s transparency principle and you are entitled to request it immediately.
If a landlord or agency fails to provide this information:
- You have the right to demand a privacy notice immediately.
- You can refuse to provide documents until you receive one.
You may also report the omission to a Data Protection Authority, as it violates GDPR’s transparency principle.
Tip: A professional landlord or platform (like Wunderflats) should automatically provide a privacy notice. If someone doesn’t, it’s a red flag and you should question their handling of your personal data.
Example of a compliant practice:
A Wunderflats landlord requests your passport copy and proof of income. You receive a privacy notice stating that:
- The purpose is to verify your identity and affordability.
- Only the landlord and their property manager will see the data.
- The data will be deleted 3 months after the end of the lease unless legal retention periods apply.
Under GDPR’s purpose limitation principle (Article 5(1)(b)), your data can only be used for the specific purpose you were told about when it was collected.
If a landlord or agency later wants to use your information for a different purpose, say, marketing future rentals to you, or sharing it with a partner service, they must first:
- Obtain your new, informed consent, or
- Show they have another valid lawful basis under Article 6 GDPR (such as a legal obligation).
Without this, any additional use is unlawful and you have the right to object or request deletion.
How Your Data Should Be Handled
GDPR and German law require landlords and agencies to store your data securely and only for as long as necessary.
Security Measures Should Include:
- Encrypted storage (password-protected files or secure cloud systems).
- No storage on unprotected personal devices.
- Restricted access (only authorised people).
- Avoiding email attachments without encryption.
Retention Rules:
Data must be deleted after it’s no longer needed, except when legal retention obligations apply, for example:
- Tax-related documents: up to 10 years.
- Basic contractual information: up to 3 years (limitation period for legal claims).
Prohibited Practices Include:
- Forwarding your documents to unrelated third parties.
- Storing your personal data in shared, unsecured folders.
- Keeping data indefinitely “just in case.”
What to Do if You Suspect a Violation
If you think your data rights have been breached, you can take these steps:
1. Raise the issue directly with the landlord, agency, or platform
- Put your concern in writing (email or letter).
- Reference the specific GDPR article (e.g., Article 17 for erasure).
- Give them a reasonable deadline (e.g., 14 days) to respond.
2. Escalate internally if renting via a platform
- Contact the platform’s Data Protection Officer (DPO) or privacy team.
- Provide copies of all correspondence with the landlord.
3. File a complaint with your state’s Data Protection Authority (Landesdatenschutzbehörde)
- In Germany, complaints against private-sector landlords or agencies are handled by the state-level data protection authorities, not the federal commissioner.
- You can find more details here.
- The process is free, often available in English, and can be done through simple online complaint forms.
- You can also contact the authority informally for guidance before filing a formal complaint.
- Submit all supporting evidence: the data request, privacy notice (or lack thereof), and communication records.
- Complaints can usually be made in English or German.
For example, If you are renting in Berlin, you can file a complaint directly with the Berlin Commissioner for Data Protection using their online form: https://www.datenschutz-berlin.de/datenschutz/datenpanne/datenpannenformular/
- The Federal Commissioner (BfDI) primarily oversees federal institutions and telecom/postal companies, so for tenancy issues it is usually your Landesbehörde that has jurisdiction.
- If your case involves a cross-border landlord or platform, you may also turn to the European Data Protection Board.
4. Possible outcomes and consequences for landlords or agencies
- Authorities can order the landlord or agency to delete, correct, or stop processing your data.
- They can issue formal warnings or impose fines (which may be substantial, up to €20 million or 4% of global turnover).
- You will typically be informed of the outcome of your complaint and of any enforcement steps taken.
5. Legal recourse
- You can also seek damages in civil court under Article 82 GDPR, which allows compensation for both material and non-material harm (e.g., emotional distress due to a privacy breach).
- Consult a tenants’ association (Mieterverein) or a lawyer specializing in data protection for legal support.
Tip: Keep a record of all communications, including screenshots of any unusual data requests.
Supervisory authorities are there to help you, not just to punish landlords. Don’t hesitate to reach out- even for advice-if you are unsure whether your rights are being respected.
Why GDPR Works in Your Favour
Without GDPR, landlords could request unnecessary personal information without limits. But with GDPR:
- You know exactly why data is collected.
- You can refuse irrelevant requests without losing your rental opportunity.
- You can demand deletion once the purpose is over.
- You have legal backing to take action if something goes wrong.
For Wunderflats tenants:
The platform’s processes are designed to follow GDPR standards, meaning documents are handled securely, requests are minimised, and landlords must comply with data protection rules.
International Tenants and Cross-Border Data Transfers
If you are an international tenant, your data may sometimes be transferred outside Germany, for example, if:
- The landlord is based in another country.
- The rental platform uses service providers (such as cloud storage or payment processors) located outside the EU/EEA.
Under GDPR, any transfer of personal data to a “third country” (outside the EU/EEA) is only allowed if:
- The European Commission has determined the country offers data protection (e.g., Canada, Japan).
- Standard Contractual Clauses (SCCs) – Legally binding clauses approved by the European Commission.
- Binding Corporate Rules (BCRs) – Internal rules for multinational companies ensuring GDPR-level protection.
Platforms must ensure that any cross-border processing is GDPR-compliant. Importantly, you also have enforceable rights as a tenant under Articles 13(1)(f) and 15 GDPR:
- You should be informed in the privacy notice if your data is stored or processed outside the EU/EEA.
- The notice should specify the safeguard used (e.g., Standard Contractual Clauses, adequacy decisions, Binding Corporate Rules).
- You have the right to request a copy of those safeguards.
For example, if your privacy notice mentions that your data may go outside the EU but doesn’t specify which safeguards apply, you can (and should) ask for details. For example, you may request a copy of the Standard Contractual Clauses used. This is your legal right, not just a courtesy.
Useful Resources and Templates
Official Guidance
- European Commission – Your GDPR Rights
- Complete guide to GDPR compliance
- Wunderflats Privacy Policy
- German Tenants’ Association (Deutscher Mieterbund)
Important note: your state’s Data Protection Authority (Landesbehörde) handles complaints about private landlords.
Data Access Request Template
Subject: GDPR Data Access Request
Dear [Name/Company],
Under Article 15 of the General Data Protection Regulation, I request:
– A copy of all personal data you hold about me.
– The purposes of processing.
– The recipients of the data.
– The storage period.
Please provide this information in a common electronic format.
Sincerely,
[Your Name]
Data Erasure Request Template
Subject: GDPR Data Erasure Request
Dear [Name/Company],
Under Article 17 of the General Data Protection Regulation, I request the deletion of all personal data you hold about me, as it is no longer necessary for the purposes collected.
Please confirm deletion in writing.
Sincerely,
[Your Name]
When renting in Germany, you do not have to share more than is necessary. GDPR ensures:
- Landlords and platforms collect only relevant data.
- Your documents are stored securely and deleted on time.
- You have the power to access, correct, or erase your data.
Whether you’re renting mid-term through Wunderflats or signing a long-term lease, knowing your rights means you can rent with confidence and protect your privacy.
Legal review by Stephan Hartmann, Ass. jur., Data Privacy Officer at Lecturio — Tbilisi, Georgia
Disclaimer: The contents of this page have been prepared for your information and Stephan Hartmann, Ass. jur., Data Privacy Officer at Lecturio has been commissioned to check the legal correctness of this article. However, this article does not constitute legal advice. Always consult a legal professional for personalized guidance, especially if you're renting out property in Germany as a non-resident landlord or in complex circumstances.
