Ploxit
← Back to blog
gdprinformation-sheetdata-protectioncompliance

GDPR Compliance When Emailing Tenants the Information Sheet

Understand your GDPR obligations when emailing the GOV.UK Information Sheet 2026 to tenants. Lawful basis, data retention, and tenant rights explained.

8 February 2026 · 5 min read · Ploxit Team

The Renters' Rights Act 2025 requires landlords to provide tenants with the official GOV.UK Information Sheet 2026 by 31 May 2026. For many landlords and letting agents, email is the most practical delivery method. However, processing tenant email addresses and tracking delivery raises important GDPR compliance questions.

This guide explains your data protection obligations when emailing the Information Sheet, helping you stay compliant with both the Renters' Rights Act 2025 and UK GDPR.

Understanding Your GDPR Obligations

Lawful Basis for Processing

Under UK GDPR, you must have a lawful basis for processing personal data, including email addresses. When emailing the Information Sheet, you have two main options:

Legitimate Interest This is typically the most appropriate lawful basis. You have a legitimate interest in complying with your legal obligations under the Renters' Rights Act 2025, and tenants would reasonably expect you to contact them about important rental information.

Legal Obligation Whilst the Act requires you to provide the Information Sheet, it doesn't specify that you must use email. However, if your tenancy agreement specifies email as the primary communication method, this could strengthen your legal obligation basis.

Consent Considerations

You generally don't need explicit consent to email the Information Sheet if you're relying on legitimate interest or legal obligation. However, if you're also using the email for marketing purposes or non-essential communications, you'll need separate consent for those activities.

"Landlords should be clear about the purpose of each communication and ensure they have the appropriate lawful basis. Mixing compliance communications with marketing can create unnecessary GDPR complications."

Data Processing Requirements

Transparency and Privacy Information

Tenants have the right to know how you're processing their personal data. You must provide:

  • Clear information about why you're processing their email address
  • Details of how long you'll retain their data
  • Information about their rights as data subjects
  • Your contact details and, if applicable, your Data Protection Officer

This information should be included in your privacy notice, which should be easily accessible to tenants.

Data Minimisation

Only collect and process the personal data you actually need. For emailing the Information Sheet, this typically includes:

  • Email addresses
  • Names (for personalisation)
  • Delivery and read receipts (for compliance records)
  • Acknowledgement confirmations

Avoid collecting unnecessary data such as detailed tracking information about tenant behaviour beyond basic delivery confirmation.

Tracking and Audit Requirements

Delivery Confirmation

The Renters' Rights Act 2025 requires landlords to demonstrate they've provided the Information Sheet. This creates a legitimate need to track:

  • When emails were sent
  • Whether they were successfully delivered
  • If and when tenants opened the email
  • Whether tenants acknowledged receipt

Ploxit automatically handles this tracking whilst maintaining GDPR compliance, creating a defensible audit trail that satisfies both the Renters' Rights Act requirements and data protection obligations.

Record Keeping

You must maintain records that demonstrate:

  • Your lawful basis for processing
  • When and how you provided privacy information
  • Details of emails sent and delivery status
  • How you're protecting tenant data
  • Your data retention schedule

Data Retention and Deletion

Retention Periods

Under GDPR, you can only retain personal data for as long as necessary. For Information Sheet compliance, consider:

  • During tenancy: You may need to reference delivery records for ongoing compliance
  • After tenancy: Retain records for a reasonable period in case of disputes
  • Legal claims: Consider the limitation period for potential claims (typically 6 years)

A retention period of 6-7 years after tenancy termination is often reasonable, but document your rationale.

Secure Deletion

When the retention period expires, ensure personal data is securely deleted from:

  • Primary systems and databases
  • Backup systems
  • Email archives
  • Any third-party systems

Tenant Rights Under GDPR

Right of Access

Tenants can request copies of their personal data you're processing. You must respond within one month, providing:

  • Confirmation of what data you hold
  • Copies of the personal data
  • Information about processing purposes
  • Details of any third parties who have received the data

Right to Rectification

If tenant contact details are incorrect, they have the right to have them corrected. This is particularly important for Information Sheet delivery, as incorrect email addresses could affect compliance.

Right to Erasure

Tenants may request deletion of their personal data, but this right isn't absolute. You can refuse if retention is necessary for:

  • Compliance with legal obligations (including Renters' Rights Act requirements)
  • Establishment, exercise, or defence of legal claims

Right to Object

Tenants can object to processing based on legitimate interest. However, you can continue processing if you can demonstrate compelling legitimate grounds that override their interests, which is likely the case for legal compliance.

Third-Party Processors

If you're using email marketing platforms or compliance tools like Ploxit to send the Information Sheet, ensure:

  • You have appropriate data processing agreements in place
  • The processor provides adequate security measures
  • The processor only processes data according to your instructions
  • You understand where data is stored and processed

Practical Compliance Steps

To ensure GDPR compliance when emailing the Information Sheet:

  • Document your lawful basis for processing tenant email addresses
  • Update your privacy notice to cover Information Sheet communications
  • Implement appropriate security measures for email systems
  • Establish clear data retention and deletion procedures
  • Train staff on data protection requirements
  • Regular review and audit your data processing activities
  • Choose compliant tools and services for email delivery and tracking

Getting It Right

GDPR compliance doesn't have to complicate your obligations under the Renters' Rights Act 2025. With proper planning and the right systems, you can efficiently deliver the Information Sheet whilst protecting tenant data and maintaining comprehensive audit trails.

Ploxit simplifies this process by handling both the technical delivery requirements and GDPR compliance aspects, allowing you to focus on your core property management responsibilities whilst meeting all legal obligations.

This article provides general information about GDPR compliance and is not intended as legal advice. For specific situations, consult with a qualified data protection or legal professional.

Renters' Rights Act compliance

Don't wait until 31 May 2026

Every assured periodic tenant must receive the official Information Sheet. Ploxit handles delivery and builds a timestamped audit log you can export in seconds.