GDPR · Real estate agencies
⚠ High-exposure data

GDPR for real estate agencies.
Your clients' IDs are on someone's phone.

To sell or rent a property you collect some of the most sensitive data there is: ID cards, payslips, bank details, family situations. Most agencies gather it over WhatsApp and personal email and store it on shared drives — convenient, and a textbook GDPR breach waiting to happen.

€20M or 4% turnover — max fine
72h to report a breach (a lost phone counts)
ID + € documents = high-risk data
AML checks add legal retention duties

What most agencies are getting wrong.

None of this is malicious — it's just how the work flows. But each one is a real GDPR gap a buyer, a competitor or a disgruntled ex-employee can report.

📱

IDs & payslips over WhatsApp

Buyers send ID cards, payslips and bank details by WhatsApp. They land on a personal phone and in cloud chat backups, outside any encryption, access control or deletion that the agency manages.

📧

Client files in personal inboxes

Contracts and identity documents live in a personal Gmail/Outlook account shared by the whole office — searchable, forwardable, never deleted.

📂

One shared drive for everything

A single Google Drive folder or Excel file holding every client, owner and prospect, accessible to all staff and freelance collaborators with no access levels.

📣

Marketing with no consent

Old enquiries get added to newsletters and WhatsApp broadcast lists without a valid legal basis or a way to opt out — a classic complaint trigger.

🗄️

Data kept forever

Expired mandates, failed buyers and years-old leads sit in the CRM and inbox indefinitely — data you no longer need but are still responsible for.

🔗

Sharing with no agreement

Client data is passed to portals, mortgage brokers, notaries and CRMs with no data-processing agreement and no idea where it's stored.

⚠️

It only takes one. A lost phone, a forwarded email, a buyer who asks "what data do you hold on me and why?" — any of these can turn into a complaint to the data protection authority. The fix is far cheaper than the incident.

How we make your agency compliant — for real.

We don't hand you a policy and leave. We change how data actually flows through your agency, with tools your team will actually use.

📥

Secure client intake

A simple, encrypted way for clients to send IDs and documents — replacing WhatsApp and personal email — that your staff and clients find easier, not harder.

🔒

Encryption & access control

Client data encrypted and organised with proper access levels: who can see what, with audit logs — no more one-drive-for-everyone.

Lawful basis & consent

The right legal basis mapped to each flow (mandate, AML, marketing) and a clean, documented consent and opt-out for newsletters and listings alerts.

Retention & deletion

A retention schedule for mandates, leads and AML records — with automated clean-up so you stop holding data you no longer need.

📄

DPAs with your stack

Data-processing agreements and storage checks for your portals, CRM, email and cloud tools — so your supply chain is covered too.

🎓

Training & breach plan

A short, practical staff briefing and a simple breach procedure (including "I lost my phone"), plus the records an authority will ask for.

A path that fits how agencies actually work.

01

Data-flow audit

We follow a real deal end-to-end: where the ID, the payslip and the contract go, and on which device or tool.

02

Gap analysis

We flag the non-compliant flows and the concrete risks — prioritised, in plain language, not a 90-page report.

03

Remediation

We set up secure intake, encryption, consent, retention and the DPAs — and migrate you off WhatsApp and shared inboxes.

04

Train & document

A short team briefing, a breach plan and the records of processing — so it stays compliant day to day.

GDPR for estate agents, answered.

The questions agencies ask us most.

Can we collect client IDs over WhatsApp?

Not safely. A buyer's ID or payslip on WhatsApp ends up on a personal phone, in chat backups, outside any access control or retention policy. If that phone is lost or the chat is shared, it's a reportable breach. You need a secure intake channel and a defined retention period instead.

What's our lawful basis to process client data?

Carrying out a sale or rental mandate usually rests on contract or pre-contractual steps; ID checks can rely on legal obligation (anti-money-laundering). Marketing to old leads generally needs consent. Trouble starts when one vague basis is used for everything — we map a correct basis to each flow.

How long can we keep client and prospect data?

Only as long as necessary, plus any legal retention (AML, tax). Old enquiries, expired mandates and unsuccessful buyers shouldn't sit in your inbox or CRM forever. We define a retention schedule and set up deletion.

Do we need agreements with portals and our CRM?

Yes. Portals, CRMs, email and cloud storage process personal data on your behalf, so you need a data-processing agreement (DPA) with each and must know where data is stored. We review your stack and put the right agreements and safeguards in place.

Real estate · Free GDPR assessment

See exactly where your agency is exposed.

Tell us how you take in client documents today. We'll show you the gaps and the fix — response within 4 working hours, no commitment.
