Sector inmobiliario

Data protection for real estate agencies

Real estate activity generates a continuous flow of personal data: owners who instruct the sale or rental of a property, buyers who visit properties and verify their financial standing, contacts captured through portals and web forms, and sensitive documentation circulating among the agency, the parties and their collaborators. Regulation (EU) 2016/679 — the GDPR (General Data Protection Regulation) — and Organic Law 3/2018 — the LOPDGDD (Spanish Data Protection and Digital Rights Act) — require that this data be processed on a clear legal basis for each purpose and that data subjects be informed at the point of collection. At Summum Consultoría we guide real estate agencies in Castilla y León and Canarias towards GDPR compliance that is genuine, verifiable and sustainable in daily practice.

Applicable regulationGDPR (EU) 2016/679 · LOPDGDD 3/2018 · LSSI 34/2002
Common processing activitiesEngagement letter · Owners and buyers CRM · Data sharing with portals and parties
Supervisory authorityAEPD — Spanish Data Protection Agency

The activity of a real estate agency continuously generates a large volume of personal data: data of owners who instruct the sale or rental of a property through an engagement letter or brokerage agreement, data of buyers or tenants who visit properties or register on the agency's portfolio, documentation evidencing financial standing — payslips, income tax returns, bank statements — and contact information obtained through property portals, web forms or direct prospecting. This multiplicity of sources and data types makes the sector particularly sensitive from a GDPR perspective: the data controller — the agency — does not always have a clear picture of which legal basis covers each purpose, how long to retain data of individuals who never signed any contract, or what happens to information when it is shared with portals, other agencies or partner financial institutions and insurers.

The first legal question that must be resolved in any real estate compliance project is the lawful basis for each processing activity, as required by Article 6 of the GDPR. Data belonging to the owner who signs the engagement letter is generally processed in performance of that brokerage contract (art. 6.1.b GDPR); data relating to the buyer or tenant during pre-signing negotiations is covered by the same basis from the moment both parties take steps aimed at concluding the contract. However, using that data for additional purposes — sending offers for new properties, sharing with insurers, inclusion in sector newsletters — requires a different basis, normally the data subject's explicit consent (art. 6.1.a GDPR). In practice, many agencies assume that acceptance of general terms and conditions is equivalent to consent for marketing, whereas the GDPR requires consent to be freely given, specific, informed and unambiguous, expressed through a clear affirmative action.

The engagement letter or exclusivity agreement is also the ideal moment to fulfil the active information duty imposed by Articles 13 and 14 of the GDPR. Article 13 applies when data are collected directly from the data subject — the typical situation with the owner signing the engagement letter and the buyer completing a form; Article 14 comes into play when the agency obtains data from third parties, for example when receiving a buyer's profile through another agency or a portal. In both cases the information must include the identity of the controller, the purposes and legal bases of each processing activity, possible recipients — portals, management platforms and other agencies in the network — the retention period and the data subject's rights. A generic clause in the website privacy policy does not fulfil this obligation when data are collected in person or by telephone without providing specific information at that moment.

The sharing of information among the agency, the owner and the buyer, or with property portals and lead-generation platforms, raises a technical question that must be resolved before any dispute arises: does the portal act as a data processor — art. 28 GDPR — or as an independent controller? The answer determines what kind of agreement must be signed and what information must be given to data subjects. In most cases, when the agency publishes listings on third-party portals, those portals act as independent controllers of the processing they carry out with data from users who contact them through their platform. But when the agency contracts an external CRM to manage its own portfolio, that provider acts as a data processor and a data processing agreement containing the minimum content required by Article 28.3 of the GDPR must be signed. Failing to distinguish between these two scenarios is one of the most frequent errors we detect before beginning a compliance project.

Commercial communications sent electronically by the agency to its contact and client base — emails, SMS messages, WhatsApp Business communications — are subject to Article 21 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI). The law prohibits sending unsolicited advertising communications that have not been previously authorised by the recipient (art. 21.1 LSSI). An exception applicable to the sector exists: where there is an existing contractual relationship with the client, the agency may send communications about properties or services similar to those covered by that relationship, provided the contact data were lawfully obtained during that relationship and that every communication includes a simple and free-of-charge mechanism allowing the recipient to opt out of future communications, including a valid electronic address in each message (art. 21.2 LSSI). Outside that exception, sending advertising for home insurance, removal services or financial products to the same list without explicit consent constitutes a breach subject to LSSI penalties, which are cumulative to those under the GDPR.

At Summum Consultoría we support real estate agencies in Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas throughout the GDPR compliance process: we map existing data flows, draw up the record of processing activities required by Article 30 of the GDPR, draft information clauses for the engagement letter and prospecting forms, review contracts with CRM providers and agreements with portals, and implement procedures for handling data subject rights requests. We train the agency's team on core obligations and internal procedures, so that a data protection culture becomes part of daily practice. We do not replace the AEPD (Spanish Data Protection Agency) and we do not guarantee the absence of sanctions, but we do provide the documentary framework, processes and training that demonstrate genuine due diligence to the regulator.

The Data protection for real estate agencies process.

The process · four stages
01

Diagnosis and data flow mapping

We compile an inventory of all personal data flows within the agency: owners, buyers, tenants, prospecting contacts and suppliers. We identify the purposes, applicable legal bases, retention periods and recipients for each category of data, producing the data flow map that underpins the rest of the compliance project and the record of processing activities required by Article 30 of the GDPR.

02

Record of processing activities and legal documentation

We draw up the record of processing activities in the format required by Article 30 of the GDPR and draft information clauses tailored to each channel: engagement letter with owners, buyer and tenant registration form, and the website contact page. We review and update the published privacy policy and ensure that the required information reaches data subjects at the time and through the channel by which their data are collected.

03

Processor contracts and management of data sharing

We identify providers acting as data processors — CRM systems, marketing platforms, electronic signature tools — and draft or review data processing agreements containing the content required by Article 28.3 of the GDPR. We analyse the relationship with property portals and partner agencies, document data transfers and ensure that data subjects receive adequate information about possible recipients of their data.

04

Commercial communications, rights and training

We audit commercial communication practices and bring them into line with Article 21 of the LSSI: reviewing the consent-capture system, verifying the existing contractual relationship exception and including the opt-out mechanism in each message. We establish the internal procedure for handling data subject rights requests (access, rectification, erasure, restriction, portability and objection, Articles 15-22 GDPR), and train the agency's team to manage them within the statutory time limits.

What is included

What Data protection for real estate agencies includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Record of processing activities (art. 30 GDPR)

    Preparation and maintenance of the record covering all the agency's processing activities: purposes, legal bases, categories of data and data subjects, recipients, retention periods and security measures applied.

  • Information clauses for the engagement letter and forms

    Drafting of the active information required by Articles 13 and 14 of the GDPR, tailored to each data-collection channel: engagement letter with owners, buyer and tenant prospecting form, and the website contact page.

  • Legal basis for each processing activity

    Determination of the correct lawful basis for each purpose: performance of the brokerage contract, legitimate interest in retaining data of active contacts, and explicit consent for marketing purposes or sharing with third parties pursuing their own purposes.

  • Data processing agreements (art. 28 GDPR)

    Identification of providers accessing the agency's personal data — CRM, marketing tools, electronic signature — and drafting or review of the data processing agreement with the minimum content required by Article 28.3 of the GDPR.

  • Commercial communications compliant with art. 21 LSSI

    Audit and adaptation of communication practices: verification of prior consent or the existing contractual relationship exception, inclusion of the opt-out mechanism in each message and separation of marketing purposes with distinct recipients.

  • Data subject rights handling procedure

    Implementation of the channel for exercising data subject rights (access, rectification, erasure, restriction, portability and objection, Articles 15-22 GDPR), with response templates, processing time limits and a log of requests, in accordance with Articles 15 to 22 of the GDPR and the LOPDGDD.

Frequently asked questions about Data protection for real estate agencies.

What personal data does a real estate agency typically process?

A real estate agency processes at least three categories of data subjects with distinct data. First, data of owners instructing the sale or rental of a property: name, national ID number, contact details, cadastral reference and information about the ownership of the property. Second, data of buyers or tenants: identification and contact details, visit history and, frequently, documentation evidencing financial standing — payslips, income tax returns, bank statements — the collection of which must be justified and limited to what is strictly necessary for the declared purpose. Third, contact data and leads obtained through portals or forms from individuals who have not yet entered into any contractual relationship with the agency. Each category requires its own legal basis, differentiated retention periods and a specific information clause at the point of collection.

How long may an agency retain data from clients who never completed a purchase?

The GDPR does not set sector-specific retention periods for the real estate industry. The storage limitation principle — Article 5.1.e of the GDPR — requires that data not be kept longer than necessary for the purpose that justified their collection. For contacts who visited properties or registered on the agency's search portfolio without ever signing a contract, the reasonable approach is to retain data while an active search relationship exists and to erase or anonymise the information when that relationship lapses, applying an objective criterion documented in the record of processing activities — for example, one year without productive contact. The basis for such retention may be the agency's legitimate interest in offering the service, but the period must be proportionate, reviewed periodically and explicitly documented.

Must the owner be informed that their data and property details will be published on portals?

Yes. The active information duty under Article 13 of the GDPR requires that data subjects be informed, at the point of collection, of all the purposes of the processing and of all possible recipients of their data. If the agency is going to publish property data — address, photographs, features — on portals or distribution platforms, the owner must be informed before signing the engagement letter. Where publication means the portal will process that data as an independent controller, this must be stated. Best practice is to include in the engagement letter itself an information clause detailing purposes, recipients and the owner's rights, rather than simply referring them to the privacy policy published on the website, which is not always accessible or readily comprehensible to the data subject at that moment.

May an agency send new property offers to its contact database by email?

It depends on the situation of each contact. Article 21.1 of Law 34/2002 (LSSI) generally prohibits sending electronic commercial communications without prior and explicit consent. However, Article 21.2 of the same law provides an exception: where there is an existing contractual relationship with the client, the agency may send communications about properties or services similar to those covered by that relationship, provided contact data were lawfully obtained during that relationship and each communication includes a simple and free-of-charge mechanism enabling the recipient to opt out of future communications. Where leads never became clients, or where the content of the communication goes beyond what is similar to the previous relationship — advertising for home insurance, removal services or financial products — prior explicit and independent consent is required.

What penalties may the AEPD impose on a real estate agency for GDPR non-compliance?

The penalty regime is that established by Article 83 of Regulation (EU) 2016/679. Less serious infringements may lead to fines of up to 10 million euros or 2% of total annual worldwide turnover, whichever is higher; serious infringements — such as processing data without a valid legal basis or infringing data subjects' rights — may reach 20 million euros or 4% of total annual worldwide turnover. In practice, for a small or medium-sized agency, the AEPD takes into account the size of the controller, intent, degree of cooperation with the regulator and measures taken to minimise the damage. Non-compliance with Article 21 of the LSSI also carries its own penalty regime, cumulative to that of the GDPR. Summum Consultoría does not guarantee the absence of sanctions, but we do support the agency in having the documentation that evidences due diligence before the AEPD.

Are real estate agencies required to appoint a Data Protection Officer?

Appointment of a Data Protection Officer (DPO) is mandatory in the cases set out in Article 37 of the GDPR: public authorities and bodies, organisations whose core activities require large-scale regular and systematic monitoring of data subjects, and those processing special categories of data on a large scale. A small or medium-sized real estate agency does not, as a general rule, fall within any of those categories and is not required to designate a DPO. However, agencies with a high volume of processing activity, integrated into large networks or franchise groups, or managing financial solvency documentation on a large scale, must assess whether their activities exceed the thresholds that trigger the obligation. In any event, appointing an external DPO — even when not legally mandatory — strengthens the agency's position before the AEPD in the event of an incident or complaint.