On 25 May 2018 the new European General Data Protection Regulation (DSGVO) entered into force. Every landlord collects data about his tenants, for example bank details, Schufa information, service charges and more, either to process it himself or to have it processed, for example, by the property management. Even if a broker can take on various tasks from the landlord, he still has a duty to comply with the data protection requirements.

Below we have summarized the most important points for you.

Data minimization

Data minimization is based on the principle of storing only what is strictly necessary, that is, only the data that is really relevant to a tenancy.

For example, the tenant's private preferences are not included. As a rule of thumb, you can always ask yourself, "Why, and for what purpose, do I need this data?" If you can reasonably justify it, then there is usually nothing to prevent the data from being stored.


When searching for a tenant, you may store only data that is relevant to the initiation, duration and termination of the contract. Before a viewing, name, contact details, telephone number or e-mail address are sufficient. If the landlord asks inadmissible questions, the interested party may give false information. The landlord may ask further questions, for example about the income situation or the number of people moving in, only once the interested party has expressed an interest in renting.

At the latest when drawing up a lease, the landlord is required by law to collect data. All data already collected during the selection of the tenant may be stored only with the consent of the prospective tenant. How this consent is obtained is up to the landlord. The interested party has the right to withdraw his consent to data storage at any time. If he does so, all data must be deleted immediately.

New documentation requirement

From 25.05.2018, the landlord is obliged under the DSGVO to keep a corresponding directory of tenant data.

The following data must be documented in the directory:

  • The name and contact details of the renter
  • The purpose of the processing
  • The recipients of the data (for example, property management, energy suppliers, etc.)
  • The deadlines for deleting the data

If no such directory is available, a fine can be imposed by the authorities.

Data processing on behalf of the landlord

In the future, the transfer of data to companies for further processing on behalf of the landlord must be safeguarded under data protection law. The contract must state that the landlord retains sovereignty over the data. In addition, the service provider must contractually demonstrate suitable security precautions. Talk to your caretaker, energy supplier, etc.; as a rule, model agreements are available.

Information to tenants

Tenants must be told what happens to their data whenever data is processed further. The explanation should be in writing and easily understandable. However, the law does not require any particular form.

The following should also be stated:

  • Name and contact details of the landlord
  • Why the data is collected (e.g. for incidental costs)
  • The legal basis for data processing (e.g. for tax law reasons)
  • Deletion periods of the data
  • Basic rights of the tenant with regard to data protection
    • the right to information
    • the right to a copy of the data
    • the right to deletion, if the landlord is not obliged to continue to store the data and if it does not limit the processing
  • Complaint to the Privacy Commission
  • The recipients of the data
  • The right of the renter to withdraw the consent to the data storage at any time

Technical security

The landlord is obliged to provide an appropriate level of security. Thus, sensitive data may only be sent by secure data transmission.

Violations of the General Data Protection Regulation may result in various penalties.

In the most lenient case, the authority only issues a warning, but it may also impose a ban on data processing accompanied by a fine.

The decisive factor here is whether the infringement was deliberate. In addition, its duration, nature and severity are crucial.

Furthermore, affected tenants may claim damages. In these cases, the burden of proof lies with the landlord. He must be able to prove that he has handled the data carefully.


When drawing up a contract, the landlord is required to collect further data, in line with the principle of data economy.

For the preparation of the contract, name, address, date of birth, ID card number, telephone number, e-mail address and the declaration of consent for a SEPA direct debit mandate are important. The date of birth serves to prevent confusion between tenants with the same surname. Further data may only be collected if it is crucial to the performance of the contract. This could be the household size and the tenant's marital status. If a contract is not concluded, all previously collected data must be deleted immediately. During the rental period, photographs of the leased property are only permitted for documenting damage. Readings such as electricity, water and gas are collected at regular intervals. If meter-reading companies are commissioned, the company name must be communicated before the appointment.

Once the tenancy has ended and the tenant is due to move out, the principle of data minimization and the principle of necessity apply. This results in the obligation to delete the tenant data after the repayment of the deposit and the final billing of the additional costs. Other reasons for a longer retention of data may be ongoing litigation or tax obligations. Please note that data protection is subordinate to the tax obligations.