Gita Shivarattan and Kim Clifford provide advice on what to do with data found at a vacated property.
For many landlords, recovering possession of a property following forfeiture, service of a break notice, a notice of disclaimer or expiry of a lease often means focusing on any outstanding sums due under the lease, dilapidations settlement and securing a new tenant. But what about the scenario where a landlord takes back a property and finds that there are personal data records remaining at the premises? The General Data Protection Regulation has been a hot topic for some time now, but what does this actually mean for landlords and how concerned should they be about these obligations?
The legislation
Under the UK Data Protection Act 2018 and the General Data Protection Regulation 2016/679 (data protection legislation) there are legal obligations to ensure the security of data to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data.
Changing the locks to a property following recovery of possession will prevent a tenant from meeting its legal and regulatory obligations and may amount to the tenant having a “loss of access to personal data” or “unlawful access” to personal data by the landlord, each of which would be considered a personal data breach by the tenant, as controller, under data protection legislation.
Depending on the nature of the personal data at the property and/or the relationship between the landlord and the tenant, there is a risk that a tenant may choose or be required to notify the data protection supervisory authority that there has been a personal data breach. If made, such notification could result in a data protection supervisory authority directing the return of personal data to the tenant (which could be costly) or providing access to the tenant to retrieve the personal data.
Failing to take the correct action could result in a landlord being considered a processor of the tenant under data protection legislation as it will not have its own purpose for processing the personal data and holding the data at the property is likely to be considered as storage on behalf of the tenant as controller.
Under data protection legislation, processors are accountable for compliance with various obligations, including the obligation to maintain the security of any personal data on-site. Failure to implement appropriate technical organisational security measures to protect personal data could result in fines from a data protection supervisory authority of up to 2% of global annual turnover or €10m, whichever is higher.
Landlords should tread carefully, as any use or processing of the relevant personal data (excluding mere storage or destruction) may result in the landlord being assessed as a controller, resulting in potentially more onerous obligations under data protection legislation.
Practical steps for landlords to take
- If personal data, whether hard copy or electronic, has been left at a landlord’s premises, a landlord should immediately notify the tenant and request that it is collected within a reasonable period, stating that if such personal data is not collected it will be destroyed. This data could also constitute chattels and landlords would therefore need to serve notices in accordance with the Torts (Interference with Goods) Act 1977 to avoid a claim of trespass.
- A landlord should not interfere with, attempt to access or alter any of the personal data and should implement appropriate security measures to protect the data pending collection by the tenant. This could involve moving the personal data records to a secure storage or restricting access to the premises by unauthorised and/or unaccompanied third parties.
- If a tenant does not respond to any notices to retrieve the personal data records, the landlord should securely destroy the personal data and record the steps taken. Clearly, there is likely to be a cost associated with such destruction if the records are voluminous, and landlords should assess whether these costs can be recovered under the lease provisions.
- More generally, landlords should also consider whether lease agreements should be updated to address how personal data records left at the property will be dealt with and, where aware that a significant volume of records will be held at the property, consider if other provisions should be included to protect against destruction costs and other potential liability.
Gita Shivarattan is a counsel and Kim Clifford is an associate at Ashurst LLP
