Valoda

Tēma

Blogs/1 min lasīt

GDPR for Property Managers: What You Actually Need to Do

Urbaneta Team

1 July 2026

Why GDPR matters for property managers

If you manage residential or commercial property, you handle personal data — names, contact details, payment information, sometimes even health or immigration status. The General Data Protection Regulation (GDPR) applies to every organisation that processes this data, regardless of size.

The good news: GDPR is not as scary as it sounds. Most obligations are common-sense practices you should be doing anyway. This guide walks through what actually matters for property managers, with templates you can copy and adapt.

What counts as personal data?

Personal data is any information that can identify a living person. For property managers, this typically includes:

  • Tenant names and contact details — phone, email, address.
  • Lease and payment records — rent amounts, payment history, bank details.
  • Maintenance requests — especially if they reveal personal circumstances.
  • Identity documents — passport or ID copies used for tenant screening.
  • Meter readings and utility data — linked to a specific household.

Aggregate or anonymised data (e.g. "average rent in the building") is not personal data as long as individuals cannot be re-identified.

The seven principles (in plain language)

GDPR is built on seven principles. Here is what each one means in practice for a property manager:

  1. Lawfulness, fairness, transparency — you need a legitimate reason to process data, and you tell residents what you do with their information.
  2. Purpose limitation — data collected for rent collection cannot be reused for marketing without consent.
  3. Data minimisation — only collect what you actually need. Do not ask for a passport scan if a name and phone number suffice.
  4. Accuracy — keep records up to date. If a tenant moves out, mark the record accordingly.
  5. Storage limitation — do not keep data longer than necessary. Old tenant records should be archived or deleted per a retention policy.
  6. Security — protect data with access controls, encryption, and secure backups.
  7. Accountability — be able to demonstrate compliance through documentation.

What residents can ask for

Under GDPR, individuals have rights you must honour:

  • Right of access — a resident can ask "what data do you hold about me?" You must provide a copy within one month.
  • Right to rectification — if data is wrong, they can ask you to fix it.
  • Right to erasure — in some cases, a former tenant can ask you to delete their data.
  • Right to object — they can ask you to stop processing for certain purposes (e.g. marketing).

Have a simple process for handling these requests. A shared inbox or form is enough — you do not need expensive software.

Practical checklist

Here is what a small-to-medium property management company should have in place:

  • A privacy notice — a short page on your website explaining what data you collect and why.
  • A data inventory — a spreadsheet listing what personal data you hold, where it is stored, and who has access.
  • Access controls — only staff who need tenant data can see it. Use role-based permissions.
  • Secure communications — encrypted email or a tenant portal for sensitive documents.
  • A retention policy — a written rule for how long you keep records after a tenant leaves.
  • A breach response plan — what you do if data is lost or stolen (notify the supervisory authority within 72 hours).
  • Processor agreements — contracts with any third party that handles data for you (accounting software, payment provider, etc.).

Sample privacy notice template

You need a privacy notice on your website or available on request. Here is a template you can adapt — it covers the minimum GDPR requires for a property management company:

[Company Name] Privacy Notice

Who we are: [Company Name], [registration number], [address]. We act as the data controller for personal data related to our property management services.

What data we collect: Name, contact details (phone, email, address), identity document copies (for tenant screening), lease and payment records, meter readings and utility consumption data, maintenance request history.

Why we process it: To fulfil lease agreements (Article 6(1)(b)), comply with legal obligations such as tax record retention (Article 6(1)(c)), and manage our legitimate business interests in property maintenance and communication (Article 6(1)(f)).

How long we keep it: Active resident data for the duration of the lease plus one year. Invoice and payment records for 5 years (tax law requirement). Meter reading data for 3 years. Maintenance records for 2 years after resolution.

Who we share it with: Accounting providers, payment processors, and utility companies — all under signed data processing agreements.

Your rights: You can request access to, correction of, or deletion of your data. Contact us at [privacy email] with any request. We respond within one month.

Adjust the brackets, add your company details, and publish it. That covers the transparency obligation.

Retention policy template

A retention policy does not need to be long. A one-page document that says "we keep X for Y years, then we delete it" is enough. Here is a starting point:

[Company Name] Data Retention Policy

| Data type | Retention period | Reason |

| Active resident data | Lease term + 1 year | Dispute resolution |

| Invoice and payment records | 5 years | Tax law (LV, EE, LT) |

| Meter reading data | 3 years | Billing dispute resolution |

| Maintenance request records | 2 years after resolution | Liability period |

| Communication logs | 1 year | Operational reference |

| Access logs | 1 year | Security audit trail |

| Identity document copies | 6 months after lease ends | Screening verification, then deleted |

Deletion method: Records are deleted or anonymised after the retention period. Manual deletions are logged with date and responsible staff member.

Check your local tax law for the exact invoice retention requirement — most EU countries require 5 years, but some differ. In Latvia, per the Law on Accounting, financial records must be kept for 5 years. Verify your jurisdiction before publishing.

DPA checklist: what to look for in a processor

Every third party that touches resident data on your behalf is a "processor" under GDPR. You need a signed Data Processing Agreement (DPA) with each one. Before signing, check:

  • Sub-processor disclosure — do they list who else processes the data? You have a right to know.
  • Security measures — encryption at rest and in transit, access controls, regular security testing.
  • Breach notification — they must tell you within 72 hours of any incident affecting your data.
  • Data location — is the data stored in the EU/EEA? If outside, what transfer mechanism applies (SCCs, adequacy decision)?
  • Deletion on termination — they commit to deleting your data when the contract ends, and give you written confirmation.
  • Audit rights — you can verify their compliance, either directly or via a third-party report (SOC 2, ISO 27001).

If a vendor refuses to sign a DPA or will not tell you where the data is stored, walk away. That is a compliance risk you do not need.

How Urbaneta closes specific GDPR obligations

I mention this not as a sales pitch but because the right tools genuinely make GDPR manageable. Here is how specific Urbaneta features map to obligations you would otherwise handle manually:

Role-based access (Article 5(1)(f) — security): In Urbaneta, you assign roles — super-admin, manager, staff, resident — with fine-grained permissions. A maintenance contractor cannot see payment history. A staff member handling billing cannot see identity documents. This is the "access control" GDPR requires, built into the platform rather than something you enforce by hoping people do not open the wrong file.

Audit logs (Article 5(2) — accountability): Every action in Urbaneta is logged — who viewed a record, who edited an invoice, who exported data. If a supervisory authority asks "who accessed this resident's data and when?", you have the answer in a few clicks. On spreadsheets, you have nothing.

Self-service data export (Article 15 — right of access): When a resident requests their data, you can export it from Urbaneta without manual compilation. The platform generates a structured export covering their profile, invoices, meter readings, and communication history. This turns a potential multi-hour task into a two-minute one.

Consent management: If you send marketing communications through Urbaneta, consent is tracked per resident. If someone withdraws consent, you remove them from the marketing audience in one action — no spreadsheet to update, no risk of accidentally emailing them again.

You still need the privacy notice and retention policy above. But the platform handles the day-to-day mechanics that make compliance realistic instead of aspirational.

Common mistakes to avoid

  • Over-collecting data — "let's grab everything just in case" violates data minimisation.
  • Sharing lists without consent — selling or sharing tenant contact details with third parties without permission is a breach.
  • No retention policy — keeping tenant records forever "for safety" is not compliant.
  • Weak access controls — every staff member can see every tenant's data is a security risk.

Bottom line

GDPR is about respecting the people whose data you hold. For property managers, that means collecting only what you need, keeping it safe, and being transparent about what you do with it. The templates above give you a starting point. The right software — with role-based access, audit logs, and data export built in — handles the mechanics so you can focus on running your buildings.

Want GDPR-ready property management without the spreadsheet sprawl? Try Urbaneta free — role-based access, audit logs, and self-service data export are built in from day one. No setup fee, no credit card.

Saistītie raksti