The legal basis for tenant screening in the UAE

Tenant screening in the United Arab Emirates is the processing of personal data of a prospective tenant by a landlord or by a party acting on the landlord’s behalf, for the purpose of informing a tenancy decision. The processing is governed by Federal Decree-Law No. 45 of 2021 concerning the Protection of Personal Data and by the supplementary instruments issued under it. This page sets out the legal posture of screening: the lawful basis for processing, the consent architecture, the retention principles, and the rights of the data subject — the tenant — through the process.

The framework

Federal Decree-Law No. 45 of 2021 establishes the framework for the lawful processing of personal data in the UAE. The law is administered by the UAE Data Office, which issues guidance and resolves matters within the federal jurisdiction. Free zones with their own data protection regimes — the Dubai International Financial Centre and the Abu Dhabi Global Market in particular — operate under their own laws, which run in parallel and which apply where the relevant data processing falls within their jurisdictional scope. For tenancies within the emirates and outside the financial free zones, the federal law is the governing instrument.

The lawful basis for processing in a screen

A screen processes personal data on the basis of the data subject’s consent in combination with, where appropriate, the legitimate interests of the landlord in conducting due diligence before entering a contractual relationship. Consent is the primary basis for the most personal categories of data processed in a screen — the credit score, the employment particulars, the prior landlord references — and is the basis the screen architecture is built around.

Consent under the law is informed, specific, freely given, and capable of being withdrawn. The screen procures consent on this footing: the tenant is informed of what is being processed and why, the consent is sought per-component rather than as a blanket authorisation, the consent is given through clear affirmative action rather than implied, and the tenant retains rights under the law including the right to withdraw consent and to have data deleted at the end of the retention period.

Special categories

The law identifies categories of sensitive personal data — including health data, biometric data, and certain other categories — that attract heightened protection. A standard tenant screen does not, and should not, process special-category data. Where any element of a proposed screen would involve special-category data, the legal basis must be re-examined and additional safeguards put in place; in most ordinary screens this question does not arise.

Retention

Personal data may be held only for as long as the purpose of the processing requires. For tenant screening, this means that the data underlying a screen is held for the period during which the screen serves the tenancy decision and the early period of the tenancy where reference to the file may legitimately arise. A common, defensible retention period for screen data is twelve months from the date of issue; longer retention requires a specific lawful basis.

At the end of the retention period, the personal data is removed from active systems. Where the screening party retains records for the purpose of demonstrating that the screen occurred and that consents were properly obtained — that is, audit records rather than the substantive data itself — these may be retained for a longer period appropriate to the legal and regulatory framework. The distinction between substantive data and audit metadata is material and is part of any well-constructed retention policy.

The rights of the data subject

The tenant, as data subject, has rights under the law. The rights include: the right to be informed about the processing; the right to access the personal data held about them; the right to have inaccurate data corrected; the right to have data deleted at the end of the retention period or where the lawful basis for processing has lapsed; the right to object to processing in defined circumstances; the right to data portability where the data has been provided by the data subject. The screening party is obliged to honour these rights, with the procedural channels for exercising them stated plainly to the tenant.

The screening party's obligations

A party conducting tenant screening processes personal data and is therefore a controller, or in some arrangements a processor, under the law. The obligations include: lawful basis for each processing activity, transparency to the data subject, accuracy, retention discipline, security of the data held, and the prompt handling of data subject requests. Where the screening party processes data on behalf of a landlord, the legal relationship between the landlord and the screening party should be documented in a written instrument reflecting the law’s requirements for controller-processor relationships.

Cross-border considerations

Where any element of the screen involves transfer of personal data outside the UAE — for instance, where a sanctions check uses an international database — the transfer is governed by the rules for cross-border transfers under the law. The transfer is lawful where the recipient jurisdiction has an adequate level of protection, where the transfer is necessary for the performance of a contract to which the data subject is a party, or where the data subject has consented to the specific transfer. Cross-border arrangements should be assessed and documented.

Where this page sits in relation to legal advice

This page sets out the framework. It does not constitute legal advice in relation to any specific arrangement. Parties conducting tenant screening at scale, or in any arrangement of complexity, should obtain advice on their specific facts. The summary on this page is intended to be accurate and useful as a foundation; it does not substitute for the work of counsel on a specific implementation.