The activity of a real estate agency continuously generates a large volume of personal data: data of owners who instruct the sale or rental of a property through an engagement letter or brokerage agreement, data of buyers or tenants who visit properties or register on the agency's portfolio, documentation evidencing financial standing — payslips, income tax returns, bank statements — and contact information obtained through property portals, web forms or direct prospecting. This multiplicity of sources and data types makes the sector particularly sensitive from a GDPR perspective: the data controller — the agency — does not always have a clear picture of which legal basis covers each purpose, how long to retain data of individuals who never signed any contract, or what happens to information when it is shared with portals, other agencies or partner financial institutions and insurers.
The first legal question that must be resolved in any real estate compliance project is the lawful basis for each processing activity, as required by Article 6 of the GDPR. Data belonging to the owner who signs the engagement letter is generally processed in performance of that brokerage contract (art. 6.1.b GDPR); data relating to the buyer or tenant during pre-signing negotiations is covered by the same basis from the moment both parties take steps aimed at concluding the contract. However, using that data for additional purposes — sending offers for new properties, sharing with insurers, inclusion in sector newsletters — requires a different basis, normally the data subject's explicit consent (art. 6.1.a GDPR). In practice, many agencies assume that acceptance of general terms and conditions is equivalent to consent for marketing, whereas the GDPR requires consent to be freely given, specific, informed and unambiguous, expressed through a clear affirmative action.
The engagement letter or exclusivity agreement is also the ideal moment to fulfil the active information duty imposed by Articles 13 and 14 of the GDPR. Article 13 applies when data are collected directly from the data subject — the typical situation with the owner signing the engagement letter and the buyer completing a form; Article 14 comes into play when the agency obtains data from third parties, for example when receiving a buyer's profile through another agency or a portal. In both cases the information must include the identity of the controller, the purposes and legal bases of each processing activity, possible recipients — portals, management platforms and other agencies in the network — the retention period and the data subject's rights. A generic clause in the website privacy policy does not fulfil this obligation when data are collected in person or by telephone without providing specific information at that moment.
The sharing of information among the agency, the owner and the buyer, or with property portals and lead-generation platforms, raises a technical question that must be resolved before any dispute arises: does the portal act as a data processor — art. 28 GDPR — or as an independent controller? The answer determines what kind of agreement must be signed and what information must be given to data subjects. In most cases, when the agency publishes listings on third-party portals, those portals act as independent controllers of the processing they carry out with data from users who contact them through their platform. But when the agency contracts an external CRM to manage its own portfolio, that provider acts as a data processor and a data processing agreement containing the minimum content required by Article 28.3 of the GDPR must be signed. Failing to distinguish between these two scenarios is one of the most frequent errors we detect before beginning a compliance project.
Commercial communications sent electronically by the agency to its contact and client base — emails, SMS messages, WhatsApp Business communications — are subject to Article 21 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI). The law prohibits sending unsolicited advertising communications that have not been previously authorised by the recipient (art. 21.1 LSSI). An exception applicable to the sector exists: where there is an existing contractual relationship with the client, the agency may send communications about properties or services similar to those covered by that relationship, provided the contact data were lawfully obtained during that relationship and that every communication includes a simple and free-of-charge mechanism allowing the recipient to opt out of future communications, including a valid electronic address in each message (art. 21.2 LSSI). Outside that exception, sending advertising for home insurance, removal services or financial products to the same list without explicit consent constitutes a breach subject to LSSI penalties, which are cumulative to those under the GDPR.
At Summum Consultoría we support real estate agencies in Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas throughout the GDPR compliance process: we map existing data flows, draw up the record of processing activities required by Article 30 of the GDPR, draft information clauses for the engagement letter and prospecting forms, review contracts with CRM providers and agreements with portals, and implement procedures for handling data subject rights requests. We train the agency's team on core obligations and internal procedures, so that a data protection culture becomes part of daily practice. We do not replace the AEPD (Spanish Data Protection Agency) and we do not guarantee the absence of sanctions, but we do provide the documentary framework, processes and training that demonstrate genuine due diligence to the regulator.