GDPR Compliance
Legal bases, data subject rights, and technical measures — how Locari implements GDPR requirements concretely in the rental process.
Locari was built from the ground up so you as a landlord can comply with GDPR without needing to be a data protection expert. Consent, retention periods, and data subject rights are integrated directly into the rental workflow.
What Locari does automatically: send consent emails (Art. 7), fulfill information obligations at first contact (Art. 13/14), monitor retention periods, delete data after expiry. What you decide: approving deletion requests, configuring retention periods, manual corrections to applicant profiles.
Common Tasks
- Look up the legal basis for my processing
- Fulfill a data subject right — access, deletion, rectification
- Configure retention periods
- Download the DPA
- Pre-launch checklist
- Understand the consent process
How To
Handle an access request (Art. 15)
- Applicant submits a written access request.
- Open the applicant profile > Data Protection > Create data export.
- Example: Applicant Müller receives a PDF export with contact data, consent history, communication log, and document list.
- Release export — applicant receives the extract by email.
Approve a deletion request (Art. 17)
- Applicant requests deletion via the withdrawal link or in writing.
- Locari automatically checks: is an active process still open? Are there statutory retention obligations?
- During active process: Locari informs the applicant and notes the request.
- After process end: approve — deletion is carried out within 30 days.
What Locari checks: whether an active application process is in progress, whether statutory retention obligations apply. What you decide: whether to approve deletion. During active processes, Locari recommends informing the applicant about the status first.
Legal Bases
Locari supports three GDPR legal bases relevant to the rental process:
- Art. 6(1)(a) — Consent: applicants actively consent to AI-assisted profile evaluation and data processing in the application process.
- Art. 6(1)(b) — Pre-contractual measures: data processing for reviewing a potential tenant selection and preparing the lease agreement.
- Art. 6(1)(f) — Legitimate interest: communication as part of the active application process.
In addition, Art. 22 (automated decision-making) applies: AI profiling requires explicit consent, which Locari obtains before evaluation.
Data Subject Rights
Right of Access (Art. 15)
Applicants can request what data is stored. Locari generates a complete data export on request, which you release.
Right to Rectification (Art. 16)
Applicants can have incorrect data corrected. Corrections are made directly in the applicant profile via Edit; the change is documented in the history.
Right to Erasure (Art. 17)
Applicants can request deletion. Locari automatically checks whether obstacles to deletion exist. Once the process has ended and you approve the request, complete deletion is carried out within 30 days (or automatically after the configured period expires).
Right to Data Portability (Art. 20)
Applicants can request their data in machine-readable format (JSON/CSV). Export under Applicant profile > Data Protection > Create data export.
Right to Object (Art. 21)
Applicants can object to processing at any time. The withdrawal link in every consent email never expires, and Locari implements the withdrawal immediately.
Retention Periods
During Process
All data is stored while the application process is active.
After Acceptance
Data for the selected tenant is transferred to the lease agreement process.
After Rejection or Expiry
| Data Type | Period After Process End |
|---|---|
| Contact data | 6 months |
| Communication | 6 months |
| Documents | 30 days |
| Notes | 6 months |
Configure periods under Settings > Data Protection > Deletion Periods. Tax-relevant documents may be subject to statutory retention of up to 10 years — Locari marks these records and only deletes them automatically after the period expires.
Technical Measures
Encryption and Servers
- TLS 1.3 for all connections
- AES-256 for stored data
- Server location: EU (Stockholm, production) — no data transfer outside the EU
Access Control
- Role-based permissions (administrator, member)
- Multi-factor authentication available (see Set up MFA)
- Activity log for all security-relevant actions
Data Processing Agreement
Locari acts as a data processor (Art. 28 GDPR). The following is in place:
- Data Processing Agreement (DPA) concluded with Locari
- Technical and Organizational Measures (TOMs) documented
- Register of processing activities created
Download DPA: under Settings > Data Protection > Download DPA.
Checklist for Landlords
- [ ] Privacy policy on your website up to date and linked
- [ ] DPA with Locari concluded and downloaded
- [ ] Retention periods configured (default: 6 months basic data, 30 days documents)
- [ ] Team informed about data protection responsibilities
- [ ] MFA activated for all administrator accounts
Permissions and Multi-select
- View Data Protection tab: all team members.
- Create and release data export: only administrators.
- Approve deletion request: only administrators — the action is irreversible.
- Multiple applicants at once: Applicant List — bulk reject, filter by phase and status, sort by score.