Risk: High | Real Estate | 8 min read

Landlord Shares Tenant Data with Contractors

Why landlords and property managers cannot simply share personal tenant data with third parties — and what secure alternatives look like.

Real Estate · Tenant Data · GDPR · Property Management · Data Sharing

The Scenario

Sabine Krueger manages a mid-sized property management company in Stuttgart overseeing 340 rental units. On a Tuesday morning, a tenant from Schillerstrasse 12 calls in: water is dripping from his ceiling, clearly a water damage issue originating from the apartment above. Sabine needs to act fast — she calls plumber Hans Mertens and asks him to come by that same day.

To ensure the contractor can access both affected apartments, Sabine sends him a WhatsApp message with all the information she has at hand: the full names of both tenants, their phone numbers and email addresses, apartment sizes and rental prices — "so you know which units are involved" — and as attachments, the scanned rental contracts for both parties, which contain not only personal data but also bank account details for rent collection. She also attaches the copy of the identity card that tenant Petra Hoffmann had submitted when signing her lease — "in case the tenant is not home and you need to verify her identity."

Hans Mertens now has on his personal smartphone: the complete personal details of two people he has never met, their bank account information, rental contracts with signatures, and an identity document copy. Information he does not need in any way to repair a burst water pipe.

Four weeks later, Petra Hoffmann notices a suspicious debit on her bank account. Her investigation reveals that her IBAN and identity card copy were used for online fraud. The trail leads to the plumber's smartphone, which he had left behind in a cafe two weeks earlier. The finder had gained access to the device and copied the data before the phone was returned.

Petra Hoffmann files a police report. And she contacts the state data protection authority.

The Risks

The uncontrolled sharing of tenant data with contractors and service providers is a widespread problem in the real estate industry. The risks are systematically underestimated.

Excessive data sharing (violation of data minimization): Contractors typically need only the tenant's name, the address, and possibly a phone number for scheduling. Rental contracts, bank details, income verification, or identity card copies are neither required nor permissible for carrying out a repair.

Insecure transmission channels: WhatsApp messages, regular emails, or even printed documents handed to the contractor — none of these methods provide adequate protection for personal data. Particularly problematic is storage on contractors' personal smartphones, which are typically neither encrypted nor equipped with professional mobile device management.

No deletion practices: In practice, tenant data shared with contractors is almost never deleted. It remains in WhatsApp chats, email archives, or on hard drives — for months and years, far beyond the actual purpose of the repair.

No data processing agreement: Contractors and service providers who receive personal tenant data are processing that data in the legal sense. In most cases, the required data processing agreement under Art. 28 GDPR is missing. This alone makes the data sharing formally unlawful.

Identity theft and fraud: Identity card copies combined with bank details enable large-scale identity theft. With an IBAN and an ID copy, criminals can open online accounts, initiate direct debits, and conclude fraudulent contracts.

Legal Consequences

The GDPR sets strict limits on data sharing by landlords and property management companies.

Art. 5(1)(c) GDPR — Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes of processing. Sharing complete rental contracts and identity card copies with a plumber clearly violates this principle.

Art. 6 GDPR — Lawfulness of processing: Sharing personal data with third parties requires a legal basis. Carrying out a repair justifies sharing the name and address, but not bank details, income verification, or identity card copies.

Art. 28 GDPR — Data processing agreements: When personal data beyond what is necessary for the repair is shared with contractors, a data processing agreement is required. In practice, this is almost always missing.

Art. 33/34 GDPR — Notification obligations: If shared data falls into the wrong hands, there is an obligation to notify the supervisory authority within 72 hours and — if there is a high risk to the individuals concerned — also an obligation to notify the affected tenants.

National data protection regulations: Beyond the GDPR, national legislation such as the German Federal Data Protection Act (BDSG) imposes additional fines for the intentional or negligent unauthorized sharing of personal data. Supervisory authorities in the real estate sector have already levied fines between 5,000 and 30,000 euros for data protection violations in tenant management.

Tenancy law consequences: Tenants can claim extraordinary termination of the lease or rent reduction in cases of serious data protection violations. Additionally, there is a right to compensation under Art. 82 GDPR.

Financial Impact

The financial consequences of uncontrolled data sharing in property management are substantial:

| Cost Category | Estimated Amount |
| --- | --- |
| GDPR fine (first offense) | 5,000 – 25,000 € |
| Compensation claims from affected tenants | 3,000 – 15,000 € per tenant |
| Legal advice and representation | 3,000 – 10,000 € |
| Notification to supervisory authority & affected parties | 1,000 – 2,500 € |
| IT forensic investigation | 2,000 – 5,000 € |
| Reputational damage (tenant turnover) | 10,000 – 40,000 € |
| Implementation of GDPR-compliant processes | 2,000 – 5,000 € |
| Total costs | 26,000 – 102,500 € |

For a property management company with modest revenue, these costs can threaten the company's existence. The investment in secure processes, by contrast, is minimal.

How to Prevent This

With SendMeSafe, Sabine Krueger could have provided the contractor with exactly the information he needed for his job — nothing more and nothing less.

1. Targeted information sharing via share links: Instead of sending the entire rental contract, Sabine creates a share link with a document containing only the relevant information: the tenant's name, the exact address, and a description of the damage. No bank details. No identity card copies. No rental prices.

2. Password protection and expiration: The share link is secured with a password and given an expiration of 24 hours. This gives the contractor access to the necessary information for exactly the duration of his assignment. After that, access is automatically revoked.

3. Secure feedback via upload links: When the contractor needs to submit photos of the damage documentation or his invoice after completing the repair, Sabine creates an upload link. The contractor uploads his files directly to encrypted storage — without sending them via WhatsApp or email.

4. Document collection for prospective tenants via Flaschenpost: During the re-letting process, Sabine also uses SendMeSafe: prospective tenants upload their self-disclosure forms, income verification, and identity copies through a secure upload link instead of sending them by email. This way, sensitive applicant data is protected from the very beginning.

5. Complete audit trail: Every file share and every access is documented. When the supervisory authority inquires, Sabine can provide complete proof of which data was shared with whom and how access was controlled.

6. GDPR-compliant deletion: Expired share links and upload data that is no longer needed can be systematically deleted. Data does not remain on third-party smartphones or in uncontrolled email inboxes.
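A generic sketch of steps 1, 2 and 5 above, added here as an illustration: an allowlist projection of the tenant record, a password-protected share that expires after 24 hours, and an audit entry for every access attempt. It is not SendMeSafe's code or API; the field names, the `create_share`/`open_share` helpers, the in-memory log and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed field names; the allowlist mirrors step 1 (name, address, damage).
CONTRACTOR_FIELDS = ("tenant_name", "address", "damage_description")
LINK_TTL_SECONDS = 24 * 3600   # step 2: access ends after 24 hours
AUDIT_LOG = []                 # step 5: in-memory stand-in for an audit trail

# Constructed sample record; the IBAN, rent and file name are placeholders.
TENANT_RECORD = {
    "tenant_name": "Petra Hoffmann",
    "address": "Schillerstrasse 12",
    "damage_description": "Water entering through ceiling from unit above",
    "iban": "DE00-PLACEHOLDER",
    "monthly_rent_eur": 0,
    "id_card_scan": "id_card_placeholder.pdf",
}

def _kdf(password, salt):
    # Store a slow salted hash of the link password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def minimize(record):
    """Keep only allowlisted fields; unknown or new fields are dropped by default."""
    return {k: record[k] for k in CONTRACTOR_FIELDS if k in record}

def create_share(record, password, recipient, now=None):
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)
    share = {"id": secrets.token_urlsafe(16), "payload": minimize(record),
             "salt": salt, "pw_hash": _kdf(password, salt),
             "expires_at": now + LINK_TTL_SECONDS}
    AUDIT_LOG.append(("created", share["id"], recipient, now))
    return share

def open_share(share, password, recipient, now=None):
    """Return the minimized payload, or None if expired or the password is wrong."""
    now = time.time() if now is None else now
    if now >= share["expires_at"]:
        outcome = "denied_expired"
    elif not hmac.compare_digest(_kdf(password, share["salt"]), share["pw_hash"]):
        outcome = "denied_password"
    else:
        outcome = "opened"
    AUDIT_LOG.append((outcome, share["id"], recipient, now))  # log denials too
    return share["payload"] if outcome == "opened" else None
```

Because the projection is an allowlist rather than a blocklist, a field added to the tenant record later (for example an income statement) stays out of contractor shares unless someone deliberately adds it to `CONTRACTOR_FIELDS`.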

Frequently Asked Questions

Am I allowed to share the tenant's name and address with a contractor at all?

Yes — the tenant's name and address may be shared with contractors when this is necessary for carrying out a repair or maintenance work. The legal basis is Art. 6(1)(f) GDPR (legitimate interest) in conjunction with the landlord's obligation to maintain the rental property. Everything beyond that — rental contracts, bank details, income verification, identity card copies — is not necessary and therefore impermissible.

Do I need a data processing agreement for every contractor?

Not necessarily. If you merely share the tenant's name and address for a repair appointment, this typically constitutes independent processing rather than commissioned processing. However, once you share more extensive personal data or the contractor regularly has access to tenant data, you should conclude a data processing agreement. When in doubt, it is always advisable to have one in place — creating one using standard templates is straightforward.

What should I do if a tenant complains about data sharing?

Take the complaint seriously. First, review what data was shared and whether the sharing was necessary under the principle of data minimization. Inform the tenant transparently about the scope of the sharing and the legal basis. Ensure that any excessive data held by the contractor is deleted. If a data protection violation has occurred, you must assess whether a notification to the supervisory authority is required under Art. 33 GDPR. Document the entire incident as part of your accountability obligation under Art. 5(2) GDPR.

How can I protect tenant data during the re-letting process?

The re-letting process is a particularly sensitive area: prospective tenants submit salary statements, credit reports, identity card copies, and employer references — all highly sensitive personal data. Use a SendMeSafe upload link so applicants can securely upload their documents. This way, the documents go directly into encrypted storage rather than your email inbox, where they would be stored unencrypted and could be accidentally forwarded. After the letting is complete, rejected applicants' documents can be deleted on schedule and with full documentation.
