POPIA Compliance for Landlords: What You Must Do Before Screening Tenants
Since the Protection of Personal Information Act (POPIA) came into full effect on 1 July 2021, every South African landlord who collects tenant data — and that means every landlord who screens applicants — has legal obligations around how that data is collected, stored, used, and eventually deleted.
Ignore POPIA and you risk fines of up to R10 million, imprisonment, or both. More practically, a tenant who feels their data was mishandled can lodge a complaint with the Information Regulator, triggering an investigation that no landlord wants.
This guide explains exactly what POPIA requires of landlords and how to stay compliant without drowning in paperwork.
What Is POPIA and Why Does It Matter for Landlords?
POPIA is South Africa’s data protection law, modelled on the EU’s GDPR. It regulates the processing of personal information by any person or organisation — including individual landlords and property managers.
As a landlord, you process personal information whenever you:
- Collect a rental application form
- Run a credit check through TPN, TransUnion, or Experian
- Verify an applicant’s identity (ID number, passport)
- Contact an employer for salary verification
- Obtain references from previous landlords
- Store tenant contact details, lease agreements, or payment records
All of these activities fall under POPIA. You are the responsible party (the person who determines the purpose and means of processing), and the tenant or applicant is the data subject (the person whose information is being processed).
When Written Consent Is Required
POPIA requires that personal information be processed lawfully. For landlords, the most relevant lawful basis is consent — especially when conducting credit checks and background screening.
Before Any Credit Check
You must obtain the applicant’s written consent before:
- Running a credit check with any bureau (TPN, TransUnion, Experian)
- Accessing their criminal record
- Conducting a deeds office search
- Verifying their identity through a third-party service
The consent must be:
- Specific — state exactly what checks you will perform
- Informed — the applicant must understand what they are consenting to
- Voluntary — the applicant must not be coerced (though you can make screening a condition of your application process)
- Written or recorded — verbal consent is difficult to prove
Sample POPIA Consent Form Language
Here is language you can adapt for your own consent form:
I, [Full Name], ID number [ID Number], hereby consent to [Landlord Name / Indlu (Pty) Ltd] processing my personal information for the purpose of evaluating my application to rent the property at [Property Address].
I understand that this processing may include:
- Credit checks through TPN, TransUnion, and/or Experian
- Verification of my identity through the Department of Home Affairs
- Verification of my employment and income with my current employer
- Contacting previous landlords for rental references
- A deeds office search
I understand that my information will be stored securely and retained only for as long as necessary to fulfil the purpose stated above. I am aware of my right to access, correct, or request deletion of my personal information.
Signature: _________________ Date: _________________
What Data You Can Collect and Store
POPIA’s minimality principle means you should only collect information that is directly relevant to the purpose at hand. For tenant screening, relevant data includes:
Acceptable to collect:
- Full name and surname
- ID or passport number
- Contact details (phone, email, physical address)
- Employment details (employer name, job title, duration)
- Income information (salary, other sources of income)
- Credit check results
- Previous rental history and landlord references
- Bank account details (for debit order rent collection)
Not necessary for screening (avoid collecting):
- Medical records or health information
- Political affiliation or party membership
- Religious beliefs
- Sexual orientation
- Biometric data (fingerprints, facial recognition) — unless specifically required for building access
If you do collect sensitive information (e.g. criminal records as part of a background check), you need explicit consent for that specific category of data.
How Long Can You Keep Tenant Data?
POPIA requires that personal information be retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.
Practical guidelines for landlords:
- Unsuccessful applicants: Delete their data within 6 months of the application being declined (unless they consent to being kept on file for future vacancies)
- Current tenants: Retain data for the duration of the tenancy
- Former tenants: Retain financial records for 5 years (as required by the Tax Administration Act for SARS purposes), then securely delete or anonymise
- Credit check reports: Retain for the duration of the lease, then destroy
Tenant Rights Under POPIA
Your tenants and applicants have the following rights:
Right to Access
A tenant can request a copy of all personal information you hold about them. You must respond within a reasonable time.
Right to Correction
If a tenant’s information is inaccurate, incomplete, or misleading, they can request that you correct it. For example, if a credit check contains an error, the tenant can ask you to note this in your records and request correction from the bureau.
Right to Deletion
A tenant can request that you delete their personal information once there is no longer a legitimate reason to retain it. After the lease ends and all financial obligations are settled, you cannot hold onto their data indefinitely.
Right to Object
A tenant can object to the processing of their personal information for direct marketing purposes. If you’re using tenant data to send promotional material, you need separate opt-in consent.
Penalties for Non-Compliance
The Information Regulator can impose:
- Administrative fines of up to R10 million
- Criminal prosecution resulting in imprisonment of up to 10 years (for serious offences like selling personal information)
- Civil claims from data subjects who suffer damages due to non-compliance
In practice, the Information Regulator has focused enforcement on large-scale data breaches and systemic non-compliance. But individual landlords are not exempt — a single tenant complaint can trigger an investigation.
Common Mistakes Landlords Make
1. Screening Without Written Consent
Running a credit check without the applicant’s prior written consent is a POPIA violation, full stop. The fact that “everyone does it” is not a defence.
2. Sharing Tenant Information Without Authorisation
Discussing a tenant’s financial situation with other tenants, neighbours, or third parties (outside of what’s necessary for screening or legal proceedings) violates POPIA.
3. Keeping Data Forever
Many landlords never delete former tenant data. Once the lease has ended and all obligations are settled, there’s no reason to keep an ex-tenant’s ID copy, payslips, and credit report on file beyond the legally required retention periods.
4. Inadequate Data Security
Storing tenant applications in an unlocked filing cabinet, or emailing unencrypted credit reports, creates POPIA liability. Personal information must be protected against unauthorised access, loss, and damage.
5. No Privacy Notice
POPIA requires you to inform tenants about how their data will be used at or before the time of collection. A simple privacy notice on your application form covers this requirement.
How Indlu Handles POPIA for You
POPIA compliance is built into every step of Indlu’s tenant management workflow:
- Auto-generated consent forms — every screening request includes a POPIA-compliant consent form that the applicant signs digitally before any checks are run
- Audit trail — Indlu logs every data processing activity (who accessed what, when, and why) so you can demonstrate compliance if questioned
- Secure storage — all personal information is encrypted at rest and in transit, hosted on secure infrastructure
- Automated retention — Indlu flags data that has passed its retention period and prompts you to review and delete
- Bureau integration — credit checks through TPN, TransUnion, and Experian are conducted through authorised channels, ensuring lawful access
- Tenant access portal — tenants can view what data you hold about them and request corrections, directly from their Indlu dashboard
You don’t need to become a data protection expert. Indlu handles the compliance plumbing so you can focus on finding great tenants.
Checklist: POPIA Compliance for Landlords
Use this checklist to make sure you’re covered:
- Obtain written consent before running any credit or background checks
- Include a privacy notice on your application form
- Only collect information directly relevant to tenant screening and management
- Store personal information securely (encrypted digital storage or locked physical files)
- Limit access to tenant data to authorised persons only
- Respond to tenant data access and correction requests promptly
- Delete unsuccessful applicant data within 6 months
- Delete former tenant data once the retention period expires
- Never share tenant data with unauthorised third parties
- Log data processing activities for audit purposes
Indlu handles POPIA so you don’t have to — consent forms, audit trails, and secure storage built in. Start screening compliantly.
Written by
Indlu Team