The GDPR (General Data Protection Regulation) is the reference text for the protection of personal data. Real estate agents, who process a large amount of personal data, are no exception to this rule: what are the GDPR obligations for real estate agents and how can you put in place good practices to ensure your compliance? Here’s how.
Why are real estate agents affected by the GDPR and ePrivacy?
Like any other European company, real estate agents are subject to the GDPR, the European regulation that has governed the processing of personal data since 25 May 2018.
Personal data collected and processed by real estate agents
Let’s start by reminding you what personal data is: personal data encompasses all information that can directly or indirectly identify a natural person.
In the course of your day-to-day activities (property transactions, property sales and rentals, canvassing, recruitment of new real estate agents, etc.), you may collect and process a large amount of personal data, such as:
- Identifying information: names, addresses, telephone numbers, e-mail addresses, etc.;
- Financial information: income, borrowing capacity, credit history, etc.;
- Your customers’ accommodation preferences: number of rooms, location, budget, etc.;
- Sensitive data: health data, family situation, etc.;
- Location data: addresses of properties visited, etc.
This personal data may concern your customers (tenants, vendors, buyers), but also your employees (real estate agents, etc.).
Although collecting this personal data is very often a legal obligation for real estate agents, don’t forget that it remains subject to the GDPR. Consequently, you must take appropriate measures to protect the personal data you handle in the course of your business.
The importance of the GDPR for real estate agents
Whether you are intimidated by the GDPR, ignoring it due to lack of resources or budget, or simply have other priorities, it is nonetheless vitally important for real estate agents: as well as being a legal obligation, compliance with the GDPR can become a real competitive advantage for you.
In fact, the use and exploitation of data by companies is causing increasing concern among citizens, and that’s where GDPR compliance comes in to reassure them.
By complying with the GDPR, you are demonstrating your commitment to protecting the personal data of your customers, prospects, agents and partners.
Non-compliance with the GDPR and ePrivacy: what are the risks for my real estate agency?
As you are no doubt aware, failure to comply with GDPR obligations can result in administrative and criminal penalties. It can also damage your reputation: a penalty made public by the CNIL can have a considerable negative impact on the image of your real estate agency, and drive customers to turn to agencies that offer greater transparency and better protection of personal data.
In 2019, following a complaint from a prospective tenant, the CNIL fined Sergic €400,000 for “breaches of data security and failure to comply with retention periods”. Sergic is a company specialising in property development and management, and the purchase, sale and rental of real estate. In particular, the CNIL found that Sergic had failed in its obligation to protect the security of the personal data of users of its website, as set out in Article 32 of the GDPR. In fact, the website was not sufficiently secure and allowed users to download the supporting documents needed to compile their file for the rental of a property, without prior authentication.
To avoid penalties, it is therefore crucial to ensure GDPR compliance. But how do you go about it?
The main GDPR obligations to be met by real estate agents
Under the GDPR, real estate agents are considered to be data controllers. And as data controllers, you are therefore legally obliged to ensure that personal data is processed in accordance with the GDPR, in particular:
- By only collecting personal data that is strictly necessary for your data processing (minimisation principle);
- By implementing technical and organisational measures to ensure data security: strengthen your security measures with encryption, a firewall and two-factor authentication, for example. If you manage jointly-owned property, make sure that only authorised people have access to the co-owners’ data;
- By obtaining consent where necessary (particularly in the case of cookies being placed on your real estate agency’s website – see the dedicated paragraph in the article);
- By respecting the rights of individuals, and in particular the right of access, rectification and deletion of their personal data;
- By appointing a DPO where this is compulsory, particularly if you process special categories of data on a large scale or if your activities involve regular and systematic monitoring of data subjects on a large scale. It should be noted that, even where the appointment of a DPO is not compulsory for your business, it is nevertheless encouraged by the CNIL.
Applying the GDPR in your real estate agency: a practical guide
Carry out an audit of your data processing
The first step in bringing your real estate agency into compliance is to carry out an audit of all your data processing operations. This preliminary audit will enable you to identify:
- The data processing operations you carry out (rental or sale of property, commercial prospecting, organisation of or participation in events or trade fairs, etc.);
- All the personal data that you collect on buyers, sellers, tenants, prospects, employees, etc.;
- The purposes and security measures you have put in place;
- The sub-contractors and recipients to whom you send this data (notaries, public bodies, banks, CRM, etc.).
This initial work will give you an overview of your current practices and enable you to identify areas of non-compliance and set up your data processing register.
Setting up your real estate agency’s data processing register
Once you have an overview of your data processing, you will need to set up what is known as the “data processing register”. In accordance with the GDPR, every real estate agency must keep a register of all the data processing operations it carries out. This register lists for each data processing operation:
- The purpose of the processing;
- The categories of data processed;
- The data subjects;
- The recipients of the data;
- Data retention periods and/or criteria;
- The security measures put in place to protect the data;
- Any data transfers outside the European Union.
The register is a genuine tool for monitoring GDPR compliance and may be audited by the CNIL at any time.
Ensuring transparency when collecting the necessary data
When you collect personal data as part of your real estate activities, it is crucial to be transparent with your customers or prospects. To do this, you must clearly inform them of the data you collect, why you collect it, how long you keep it, etc.
Be careful when transferring personal data
When you transfer personal data outside the European Union, make sure you comply with the rules on data transfers:
- Check whether the destination country offers an adequate level of protection, in particular using the CNIL’s interactive map;
- If the country does not offer an adequate level of protection, check that the recipient has put appropriate safeguards in place (standard contractual clauses, BCR, etc.).
Make your real estate agents aware of the need to protect personal data
Real estate agents handle a great deal of personal data in their day-to-day activities, sometimes without even being aware of it, which presents a risk of data breach.
But, of course, you can’t understand what you don’t know: real estate agents are not experts in personal data protection and don’t necessarily understand all the issues involved. That’s why it’s vital to raise your teams’ awareness of personal data protection to minimise the risk.
Your real estate agency’s website: how can you make it GDPR and ePrivacy compliant to inspire confidence in your customers?
As part of your business as an estate agent, having a website to showcase your properties and find your customers is a must-have. But your website still needs to comply with the GDPR.
The essentials for a GDPR and ePrivacy-compliant website
To make your real estate agency’s website compliant, first identify the personal data processing that you implement through it, for example:
- Contact form;
- Online property valuation;
- Submitting a file online;
- Recruitment of estate agents;
- Newsletter subscription, etc.
When you process personal data, compliance with the GDPR is a legal obligation. To achieve this, a number of mandatory documents must be put in place, including:
A privacy policy
This must be detailed and drafted in Legal Design, to make this legal document clear and intelligible to your target audience. This policy must clearly explain what personal data is collected, for what purpose, how it is processed, who has access to it and how users can exercise their rights. It should be placed at all collection points and should cover all data collected via the website, as well as external data.
A cookie policy
This explains how cookies are used on your site (types of cookies, purposes of each cookie, management of preferences by the user, consequences of accepting or refusing cookies).
Cookie banner in Legal Design
A CMP (Consent Management Platform)
This is the tool that manages cookie preferences: the CMP records the user’s choices by cookie category and stores the proof of consent. If your website deposits non-essential cookies on your users’ terminals, you must implement a cookie banner and compliant consent management via a CMP.
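To make the CMP requirement concrete, here is an added example (not Admeet’s code, nor code from the original article) of the two things a consent manager has to get right: no non-essential cookie is deposited before the user has accepted its category, and each decision is kept as a dated record that can serve as proof. The cookie-to-category map, the category names, the banner version and the 180-day renewal period are constructed assumptions for the example; in a real site the `set` method would write to `document.cookie` instead of an in-memory map.

```javascript
// Constructed map: which consent category each cookie on the site belongs to.
// "essential" cookies need no consent; every other category is gated.
const COOKIE_CATEGORIES = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",   // assumed analytics cookie name
  _fbp: "marketing",  // assumed marketing cookie name
};

const NON_ESSENTIAL = ["analytics", "marketing"];

// Build a proof-of-consent record from the user's banner choices.
// Refusal is the default: a category the user did not explicitly accept stays false.
function recordConsent(choices, { now = new Date(), bannerVersion = "v1" } = {}) {
  const record = { timestamp: now.toISOString(), bannerVersion };
  for (const category of NON_ESSENTIAL) record[category] = false;
  for (const [category, accepted] of Object.entries(choices)) {
    if (category === "essential") continue; // cannot be refused, never asked
    if (!NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    record[category] = accepted === true;
  }
  return record;
}

// Assumed renewal period: a stored choice older than maxAgeDays must be asked again.
function isConsentStale(record, now = new Date(), maxAgeDays = 180) {
  const ageMs = now.getTime() - Date.parse(record.timestamp);
  return ageMs > maxAgeDays * 24 * 60 * 60 * 1000;
}

// The gate: may this cookie be deposited under this consent record?
// Unknown cookies are denied so that an unmapped tracker cannot slip through.
function mayDeposit(cookieName, record, now = new Date()) {
  const category = COOKIE_CATEGORIES[cookieName];
  if (category === undefined) return false;
  if (category === "essential") return true;
  if (record === null || isConsentStale(record, now)) return false;
  return record[category] === true;
}

// Minimal cookie jar that refuses to store anything the gate rejects.
// In a browser the `set` method would write document.cookie instead of a Map.
function createCookieJar(record, now = new Date()) {
  const jar = new Map();
  return {
    set(name, value) {
      if (!mayDeposit(name, record, now)) return false;
      jar.set(name, value);
      return true;
    },
    has: (name) => jar.has(name),
  };
}

module.exports = { recordConsent, isConsentStale, mayDeposit, createCookieJar, COOKIE_CATEGORIES };
```

The record produced by `recordConsent` is what the CMP would store alongside the user’s choice; keeping the timestamp and banner version is what lets you show, if asked, which text the user consented to and when, and the staleness check forces the banner to be shown again once the stored choice has expired.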
Admeet can help you make your real estate agency website GDPR and ePrivacy compliant
Admeet helps real estate agencies like yours to make their websites compliant by providing you with the functionalities you need. Thanks to the pre-encoding of purposes specific to your sector, generate all your GDPR documents in Legal Design:
- Customised privacy and cookie policies for your website;
- Clear cookie banners and valid consents.
Save time with a fast, easy-to-use and affordable solution!