GDPR and Block Management: Why Managing Agents Are Entitled (and Required) to Hold Occupier Data

One of the most persistent misunderstandings in block management is that GDPR prevents managing agents from collecting or using information about occupiers, particularly tenants rather than leaseholders. This is wrong.
Properly understood, UK GDPR does not prohibit managing agents from holding tenant or occupier data. On the contrary, block managers often must process such data to comply with the lease and with statutory duties around safety, management, and the operation of the building.
This article explains why managing agents are entitled to hold occupier data, how leases provide the contractual foundation for this access, the lawful bases under UK GDPR, and how data may also lawfully be shared with recognised bodies such as RTAs and RMCs.
1. Leases Authorise Data Use
Leases are not just about property. They create a framework of rights and obligations that make the processing of personal data unavoidable. Modern block management is impossible without knowing who occupies each flat, how to contact them in an emergency, and whether the flat is owner-occupied or let.
Most residential leases expressly or implicitly permit the landlord or managing agent to manage, maintain, insure, and keep the building safe, and to obtain information reasonably required to perform those functions. Where a leaseholder lets their flat, the lease anticipates third-party occupation and the operational need for the manager to interact with the occupier.
2. GDPR Does Not Override the Lease or the Law
A common misconception is that GDPR trumps lease obligations. It does not. UK GDPR requires that personal data is processed lawfully, fairly, and transparently. It does not require consent in most block management situations, nor does it prevent processing that is necessary for management or safety purposes.
3. Lawful Bases for Processing Occupier Data
In block management, occupier data is most commonly processed under the lawful bases of contractual necessity, legal obligation, and legitimate interests. These include managing the building, complying with fire and building safety legislation, communicating with residents, and administering service charges.
4. Transparency, Not Permission
GDPR is about transparency. Managing agents must explain what data they hold, why they hold it, how long it is retained, and who it may be shared with. This is done via a privacy notice, not by seeking consent for routine management activities.
5. What Data Managing Agents Can Hold
Provided processing is proportionate and relevant, managing agents can lawfully hold names of occupiers, contact details, emergency information, tenancy or ownership status, safety-related information, and access details.
6. Lawful Disclosure to Others
GDPR also regulates when data may be disclosed to others. In block management, there are specific situations where disclosure is lawful and sometimes required.
Recognised Tenants’ Associations
Where a tenants’ association is formally recognised under the Landlord and Tenant Act 1985, it acquires statutory rights to certain information relating to service charges and management. Disclosure of relevant information to an RTA is lawful where it is required by statute and proportionate.
Resident Management Companies
Members and directors of an RMC have rights under company law to receive information necessary for governance. Directors in particular are entitled to access company documents and records needed to discharge their duties. GDPR does not prevent this access; it regulates how it is handled.
7. GDPR Regulates – It Does Not Prohibit
GDPR does not cancel lease-based rights, statutory housing rights, or company law rights. It requires managing agents to approach data carefully, disclose it appropriately, and limit it to what is necessary. Used properly, GDPR supports effective, professional block management rather than obstructing it.
Summary
GDPR does not prevent managing agents from knowing who lives in a building. Leases permit it, statute often requires it, and GDPR simply provides the framework to do it properly, lawfully, and transparently.


