General Data Protection Regulations (GDPR)
The data protection legislation imposes certain obligations on all controllers and processors. These include the requirement to maintain an entry in the register of controllers and processors and complying with the data protection principles and the rights of individuals.
Entry in the register of controllers and processors
A landlord or letting company is likely to hold information on individuals, such as tenants, suppliers or other members of the public. This information includes, for example, due diligence information, tenancy agreements and CCTV recordings, if installed in the premises. These individuals are ‘data subjects’ and information relating to them is their ‘personal data’.
The landlord is a “controller” and a register entry is required if automated equipment is used for processing personal data. This includes any form of computerised documentation or correspondence, email, databases, etc. If the only reason for processing personal data is for the landlord’s own accounts or for the administration of its own staff, then an entry will not be required. However, a register entry will be required if other processing, such as CCTV occurs.
It is an offence to process personal data without a register entry, unless an exemption from that requirement applies.
A register entry, if required, should be made, and maintained, in the name of the landlord, letting company, etc., and guidance on registration is on the website.
Taken from the Isle of Man's Information Commissioners Website