If your building management system stores tenant names, Emirates IDs, lease terms, or maintenance visit logs, the UAE's Personal Data Protection Law (PDPL) now applies to you. Federal Decree-Law No. 45 of 2021 has been in effect since January 2022, but enforcement is tightening. Property management companies that handle tenant data are now squarely in scope.
This is not a theoretical compliance exercise. The law carries fines up to AED 5 million for serious breaches. For building operators who have spent years digitising tenant records, access logs, and maintenance histories, the question is straightforward: do your current data practices meet the standard?
What the PDPL Actually Requires from Building Operators
The law applies to any entity that collects, processes, or stores personal data of individuals in the UAE. For property managers, that covers:
- Tenant names, contact details, and Emirates ID numbers on lease agreements
- Bank account and payment information for rent collection
- Maintenance logs tied to specific units and tenants
- Access control records and CCTV footage that identifies individuals
- Visitor logs and delivery records
The key obligations are straightforward. You need a lawful basis to process tenant data. You must tell tenants what data you collect and why. You must keep data secure. You must delete it when the purpose ends. And you must respond to tenant requests to access, correct, or delete their data within 30 days.
For a 200-unit residential building in Dubai Marina, that means knowing exactly where every tenant record lives — in the lease file, the BMS access log, the maintenance ticketing system, the security desk notebook, the WhatsApp group with the building supervisor.
Where Most Property Management Systems Fall Short
The problem is not malice. It is fragmentation. Most buildings run on a patchwork of systems:
- A property management system (PMS) for leases and billing
- A building management system (BMS) for access control and HVAC
- A maintenance ticketing platform, often a different one
- Spreadsheets for visitor logs or incident reports
- Email chains and WhatsApp messages for day-to-day tenant communication
Each of these holds personal data. Few of them talk to each other. When a tenant moves out, the lease might be closed in the PMS, but their access fob remains active in the BMS. Their maintenance history stays in the ticketing system. Their email chain with the facilities manager sits in an inbox.
Under the PDPL, you are responsible for all of it. The law does not care that your data lives in five different systems. It cares that you can demonstrate control over it.
This is where the practical challenge lands on the facilities manager, not just the legal team. You need to know what data exists, where it is stored, who has access to it, and how long you keep it. That is an operational question, not a legal one.
The Specific Risks for Hospitality and Residential Operators
Hotels face additional complexity. Guest data is collected at check-in, stored in the PMS, shared with housekeeping and maintenance, and often retained for loyalty programmes. Under the PDPL, guests have the right to request deletion of their data after checkout. If your system cannot isolate and delete a single guest's records across all touchpoints — room key, minibar charges, spa booking, maintenance call — you are non-compliant.
For residential buildings, the risk is subtler. Tenant data accumulates over years. A tenant who moved in five years ago has lease renewals, maintenance requests, access logs, and possibly CCTV footage. When they move out, do you delete their data? Most buildings do not. The data sits there, unmanaged, creating exposure.
There is also the question of consent. The PDPL requires consent for data processing unless another legal basis applies. For property managers, the legal basis is usually the lease agreement — you need the data to perform the contract. But consent becomes relevant when you want to use tenant data for other purposes, like marketing building services or sharing data with third-party vendors.
A 320-room resort on the Palm Jumeirah recently discovered that their maintenance platform was sharing guest room entry logs with a third-party analytics provider. The guests had not consented. The hotel had not reviewed the data-sharing clause in their software contract. That is the kind of exposure the PDPL is designed to catch.
What Compliance Looks Like in Practice
Compliance starts with a data audit. You need to map every system that touches tenant or guest data. For each system, document:
- What data is collected
- Why it is collected
- How long it is kept
- Who has access
- Whether it is shared with third parties
This is tedious work. It is also unavoidable. Without the map, you cannot demonstrate control.
Next, implement data retention policies. Set automatic deletion schedules for data that no longer serves a purpose. Guest data: delete 90 days after checkout unless consent for retention exists. Tenant data: delete within a reasonable period after lease termination, typically 6-12 months for records needed for dispute resolution, then purge.
Third, review your vendor contracts. Every software platform you use — PMS, BMS, maintenance ticketing, access control — is a data processor under the PDPL. You need data processing agreements with each of them. You need to know where their servers are located. You need to confirm they have appropriate security measures.
Fourth, establish a process for responding to data subject requests. When a tenant asks to see their data, you have 30 days to respond. If your data is scattered across five systems, that response will take longer than 30 days. You need a single point of contact and a documented process for pulling data from every system.
Fifth, train your team. The front desk staff who take tenant details over the phone. The maintenance engineer who logs a repair in the ticketing system. The security guard who records visitor IDs. Everyone who handles personal data needs to understand the basics of the law.
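The retention schedule and the move-out gap described above (lease closed in the PMS, fob still active in the BMS) can be checked mechanically once the audit map exists. The sketch below is an added example, not part of the original article or of HermanWa's platform. The system names, subject IDs, record layout and the 365-day tenant window (the upper end of the 6-12 month range) are assumptions, and all sample data is constructed.

```python
from datetime import date, timedelta

GUEST_RETENTION = timedelta(days=90)    # from the article: 90 days after checkout
TENANT_RETENTION = timedelta(days=365)  # assumption: upper end of the article's 6-12 months

# Constructed sample data. The PMS is treated as the system of record for end dates.
# subject -> (kind, lease end / checkout date or None if current, retention consent)
PMS = {
    "tenant-014": ("tenant", date(2023, 1, 31), False),
    "tenant-102": ("tenant", date(2024, 11, 30), False),
    "tenant-150": ("tenant", None, False),
    "guest-7731": ("guest", date(2024, 9, 1), False),
    "guest-8040": ("guest", date(2024, 9, 1), True),
}
# One row per place the audit found data: (system, subject, credential still active?)
HOLDINGS = [
    ("BMS access log", "tenant-014", True),
    ("Ticketing", "tenant-014", False),
    ("BMS access log", "tenant-102", True),
    ("Ticketing", "tenant-150", False),
    ("Room key system", "guest-7731", False),
    ("Loyalty CRM", "guest-8040", False),
    ("Visitor spreadsheet", "tenant-099", False),
]

def sweep(pms, holdings, today):
    """Classify each holding: purge (past retention), revoke (live credential
    after the relationship ended), unmapped (no PMS record to justify it)."""
    purge, revoke, unmapped = [], [], []
    for system, subject, active in holdings:
        if subject not in pms:
            unmapped.append((system, subject))
            continue
        kind, ended, consent = pms[subject]
        if ended is None:            # current tenant or in-house guest
            continue
        if active:                   # e.g. fob never disabled at move-out
            revoke.append((system, subject))
        limit = GUEST_RETENTION if kind == "guest" else TENANT_RETENTION
        if today - ended > limit and not (kind == "guest" and consent):
            purge.append((system, subject))
    return purge, revoke, unmapped

if __name__ == "__main__":
    results = sweep(PMS, HOLDINGS, date(2025, 1, 15))
    for name, rows in zip(("purge", "revoke", "unmapped"), results):
        print(name, rows)
```

The `unmapped` list is the audit finding that matters most: personal data sitting in a system with no lease or stay record to justify holding it.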
For a deeper look at how regulatory changes affect building operations, see our article on RERA's 2024 digital records mandate and the shift from paper to digital compliance.
Where to Start
If you manage a building in the UAE and you have not done a data audit yet, start this week. The PDPL is not new, but enforcement is accelerating. The Dubai Data Establishment and the UAE Data Office are building capacity to investigate and fine non-compliant entities.
The good news is that most of the data you hold is already digital. The hard part is knowing where it all lives and having a system that can manage it coherently. A building management platform that centralises tenant data, access logs, maintenance records, and compliance documentation makes this significantly easier.
If you want to see how Herman handles tenant data governance, talk to the HermanWa team. We built the platform for operators who need to manage buildings, not just data.
— The HermanWa Team
Until next time — keep your buildings smart and your compliance tighter.