PDPA and Rental: How Landlords Must Handle Tenant Personal Data

Landlords in Malaysia collect significant amounts of personal data from tenants: IC numbers, bank statements, employment details, references, and sometimes even health information. Most landlords do not realize that this data collection makes them "data users" under the Personal Data Protection Act 2010 (PDPA), subject to the same data protection obligations as any commercial entity. A 2025 enforcement review by the Department of Personal Data Protection (JPDP) found that property management and rental activities accounted for 8% of all PDPA complaints received.
This guide explains specifically how the PDPA applies to the landlord-tenant relationship, what obligations landlords have, and how to comply without making the rental process unnecessarily complex.
How the PDPA Applies to Landlords
The PDPA applies to any person who processes personal data in the context of commercial transactions. A tenancy is a commercial transaction. Therefore, a landlord who collects a tenant's IC number, bank statements, or employment letter is processing personal data under the PDPA.
This applies regardless of whether you are a professional property investor with 20 units or an individual renting out one inherited apartment. If personal data is collected for a commercial purpose (the tenancy), the PDPA applies.
The seven Data Protection Principles apply in full:
- General Principle: Obtain consent before processing
- Notice and Choice: Inform the tenant of data collection purposes
- Disclosure: Do not share data without consent or legal basis
- Security: Protect data from unauthorised access
- Retention: Do not keep data longer than necessary
- Data Integrity: Keep data accurate and current
- Access: Allow tenants to access and correct their data
Poh Szu-Wei, a data protection lawyer at a Kuala Lumpur firm specialising in PDPA compliance, notes: "Many landlords are completely unaware that collecting a photocopy of a tenant's IC triggers PDPA obligations. The data you collect during tenant screening is some of the most sensitive personal information someone can share: identity documents, financial records, employment history. The PDPA requires you to treat it with corresponding care."
What Personal Data Landlords Typically Collect
| Data Type | When Collected | Sensitivity Level |
|---|---|---|
| Full name | Application | Low |
| IC/passport number | Application | High |
| Contact number and email | Application | Medium |
| Current address | Application | Low |
| Bank statements | Screening | High |
| Payslips | Screening | High |
| Employment letter | Screening | Medium |
| CTOS/credit report | Screening | High |
| Previous landlord reference | Screening | Medium |
| Emergency contact details | Agreement signing | Medium |
| Vehicle registration | Agreement signing | Low |
| Move-in condition photos | Move-in | Low |
Your PDPA Obligations as a Landlord
1. Obtain Informed Consent
Before collecting any personal data, inform the tenant of:
- What data you are collecting
- Why you are collecting it
- Who will have access to it
- Their right to access and correct their data
Practical implementation: Include a consent clause in your tenant application form. A simple statement works: "I consent to [Landlord Name/Management Company] collecting and processing my personal data for the purposes of tenancy evaluation, agreement execution, and property management. I understand my data will not be shared with third parties except as required by law."
2. Limit Data Collection to What Is Necessary
The PDPA's General Principle requires that data collection be adequate but not excessive. Collect only what you need for legitimate tenancy purposes.
Necessary:
- IC/passport copy (identity verification)
- Bank statements (financial assessment)
- Employment letter (income verification)
- Contact details (communication)
Potentially excessive:
- Social media passwords
- Medical records (unless relevant to the property, e.g., mobility needs)
- Religious affiliation
- Political views
3. Secure the Data
Once collected, protect tenant data from unauthorised access:
Physical documents:
- Store in a locked file cabinet or safe
- Limit access to the landlord and authorised property manager only
- Do not leave tenant documents on shared desks or in open areas
Digital data:
- Use password protection on files containing personal data
- Store on encrypted devices or secure cloud services
- Do not store tenant IC photos in your unprotected phone gallery
- Do not send sensitive documents via unencrypted email without the tenant's agreement
Platforms like EzLease store tenant data in encrypted, access-controlled systems, providing security compliance without the landlord needing to manage it manually.
4. Limit Disclosure
Do not share tenant data without consent. Common violations include:
- Sharing tenant contact details with service providers without the tenant's knowledge
- Discussing one tenant's payment history with another tenant
- Posting tenant information on building notice boards
- Sharing screening information with other landlords
Exceptions where disclosure is permitted without consent:
- As required by law (court order, LHDN tax requirements)
- For the purpose of legal proceedings
- To prevent a threat to life, health, or safety
5. Set Retention Limits
Do not keep tenant data indefinitely. Recommended retention periods:
- Successful applicants: Duration of tenancy plus 2 years (for potential deposit or damage claims)
- Unsuccessful applicants: 3-6 months after rejection, then securely destroy
- Financial records: 7 years (LHDN requirement for tax records)
- Condition reports and photographs: Duration of tenancy plus 2 years
After the retention period, securely destroy physical documents (shredding) and permanently delete digital files.
6. Honour Access and Correction Requests
Tenants have the right to:
- Request access to all personal data you hold about them
- Request correction of inaccurate data
- Withdraw consent for future processing
You must respond to access requests within 21 days and correction requests within 14 days under the PDPA.
Common PDPA Violations in Rental Contexts
JPDP's enforcement data reveals common violations specific to the rental sector:
- No consent obtained during screening (collecting IC copies, bank statements without a written consent form)
- Sharing tenant data with agents or other parties without consent (forwarding screening documents to a friend who is also a landlord)
- Retaining unsuccessful applicant data indefinitely (keeping the IC copies of every person who applied but did not rent)
- Inadequate data security (tenant IC photos stored in an unprotected WhatsApp chat or phone gallery)
- Using tenant data for unrelated purposes (adding tenant email to a marketing mailing list without separate consent)
Practical Steps for Landlords
Step 1: Add a Consent Clause to Your Application Form
A single paragraph on your tenant application form covers the Notice and Consent requirements. Include the purpose of collection, who will access the data, and the tenant's rights.
Step 2: Secure Your Data Storage
For most individual landlords, this means: store physical documents in a locked cabinet, password-protect digital files, and do not store sensitive documents in unprotected locations (plain phone gallery, unsecured cloud folders).
Step 3: Create a Simple Retention Schedule
Document how long you will keep each type of data. Conduct an annual review and destroy data that has exceeded its retention period.
Step 4: Brief Your Property Agent
If you use a property agent, ensure they are aware of PDPA obligations when handling tenant data. The agent collects data on your behalf, but the responsibility remains with you as the data user.
Frequently Asked Questions
Does the PDPA apply to individual landlords or only companies?
The PDPA applies to any person (individual or company) who processes personal data in commercial transactions. An individual landlord renting out one unit is subject to the same obligations as a property management company managing 100 units.
Can I keep a copy of my tenant's IC?
Yes, with their consent and for the purpose of the tenancy. Include the IC copy in your secure tenant file. Do not display, share, or leave copies unsecured. Destroy the copy when the retention period expires.
What happens if a tenant makes a data access request?
You must respond within 21 days, providing the tenant with all personal data you hold about them. You may charge a reasonable fee (the amount is not specified by law, but it should not be excessive). Failure to respond is a violation of the Access Principle.
Can I run a CTOS check on a tenant without their consent?
No. A CTOS check involves processing personal data (the tenant's name, IC number, and resulting credit information). You must obtain the tenant's explicit consent before running any background or credit check.
What are the penalties for PDPA non-compliance?
Maximum penalties under the PDPA: fine up to RM 300,000, imprisonment up to two years, or both. In practice, JPDP typically issues enforcement notices first, but repeat violations or serious breaches can result in prosecution.
Key Takeaways
- Every landlord who collects tenant personal data (IC copies, bank statements, employment letters) is a data user under the PDPA with full compliance obligations.
- Obtain written consent before collecting personal data. A simple consent clause on your tenant application form covers the Notice and Consent requirements.
- Secure tenant data: lock physical files, password-protect digital records, and do not store sensitive documents in unprotected locations.
- Set retention limits: keep successful applicant data for tenancy duration plus 2 years, unsuccessful applicant data for 3-6 months, and financial records for 7 years.
- Property management platforms like EzLease provide encrypted data storage with access controls, helping landlords meet security obligations automatically.
