Tenant verification red flags — and what Maltese law won't let you check
Verifying a tenant on Malta is a balancing act. You want to avoid the nightmare tenant — late payments, damage, ghosting after the deposit dispute — but you also can't ask for whatever you want. The GDPR applies here, and the Maltese Data Protection Act backs it up. Get it wrong and a rejected applicant can file a complaint with the IDPC.
This is a practical guide to what's worth checking, what the actual red flags look like, and where the legal line sits.
The red flags that matter
Pressure to skip the paperwork. A serious tenant expects a written contract registered with the Housing Authority. If someone pushes for a cash-only handshake deal, or asks you to register the lease for a shorter term than you actually agreed, walk away. You're the one exposed — unregistered leases carry fines up to €2,500 under the Private Residential Leases Act.
Vague answers about employment or income. "I work in hospitality" with no employer name, no payslip, no willingness to show a work contract. Legitimate tenants understand that a landlord needs to know rent will be paid. The ask itself is fine; the evasion is the signal.
Story that keeps changing. Number of occupants shifts between the first message and the viewing. The move-in date keeps sliding. The job suddenly becomes freelance. Inconsistencies across conversations are the single most reliable predictor that something is off.
Refusal to show ID at viewing. Not to hand over a copy — just to show it. If someone won't confirm they are who they say they are before you hand them keys, that's the whole answer.
Urgency that doesn't add up. "I need to move in tomorrow, I'll pay three months upfront in cash." Sometimes it's a relocation that genuinely fell through. Often it's someone who's been rejected elsewhere and is hoping speed will stop you from checking.
Reluctance to provide a previous landlord reference. A tenant who's rented before and won't name a single previous landlord is telling you something. One awkward past relationship is normal. Zero contactable references after years of renting is not.
Deposit pushback. Maltese law caps the deposit at the equivalent of one month's rent for leases under the PRL Act regime. A tenant who tries to negotiate it down to nothing, or asks to pay it in installments after move-in, is removing the only financial cushion you have.
What you're allowed to ask for
You can ask for, and a reasonable tenant will provide:
- A copy or sight of a valid ID card or passport
- Proof of employment or income (employer letter, recent payslips, work contract)
- A previous landlord reference
- Confirmation of who will actually live in the property
- A signed lease and the standard one-month deposit
That's the legitimate verification stack. Everything on it is directly tied to the tenancy. That's the test the GDPR cares about — the data has to be necessary for the contract you're about to sign.
What Maltese law won't let you check
This is where landlords get into trouble, usually without meaning to. Under the GDPR and the Equality Act, you cannot screen tenants on the basis of:
- Race, ethnicity, or nationality. You can't refuse to rent to someone because they're foreign, and you can't ask questions designed to figure it out.
- Religion. Not on the application, not at the viewing, not as small talk that's actually a filter.
- Sexual orientation, gender identity, or marital status. "Are you married?" is not a verification question.
- Pregnancy or family status. You can ask how many people will live in the unit. You can't ask whether a woman is planning to have children.
- Disability or health conditions. Including mental health. If the property has access limitations that genuinely matter, describe the property — don't interrogate the tenant.
- Political views or trade union membership.
You also cannot collect more data than you need. Asking for a full bank statement when a payslip would do is disproportionate. Keeping copies of ID documents indefinitely after the tenancy ends is a retention violation. The principle is: collect the minimum, use it for the purpose you collected it for, delete it when you're done.
And you can't run informal background checks — Googling is fine, but pulling someone's social media history and storing it in a tenant file is not. If it ends up in your decision, it ends up in scope.
The grey area: gut feeling
Landlords often ask whether they can reject a tenant just because something feels off. Legally, yes — you don't have to justify every decision. But if a rejected applicant believes the real reason was their nationality or religion, and they file a complaint, "gut feeling" is a weak defence. The protection is documentation: if you're rejecting someone, the reason on file should be something concrete and legitimate (income too low for the rent, references didn't check out, inconsistent story at viewing).
How Letify handles this
We built verification into the platform specifically so landlords don't have to store ID documents themselves. When a user verifies through Letify, we use a dedicated KYC provider — they handle the document, we only store the verification status. You see that a tenant is verified. You don't see, store, or become responsible for their passport scan.
That's the part most landlords get wrong on their own. Asking to see ID is fine. Keeping a folder of passport photos on your laptop for three years is a data protection problem you didn't need to create.
The short version
Verify income. Verify identity. Verify references. Trust the inconsistencies more than the credentials. And keep your questions tied to the tenancy — if you can't explain why you need a piece of information to make the rental work, you probably shouldn't be asking for it.
The goal isn't to find a perfect tenant. It's to filter out the ones who are actively hiding something, while staying on the right side of a law that exists for good reasons.
