Home » Blog » GDPR Real estate agency » How to make your real estate agency’s website GDPR and ePrivacy compliant?

How to make your real estate agency’s website GDPR and ePrivacy compliant?

Publié le

Is it important for your agency to have a website which is compliant with current regulations (GDPR, ePrivacy, etc.)?

Nowadays, people increasingly consult websites (or applications) to find properties to rent or buy.

People who want to rent or sell their property or find a property manager usually do their research by making an initial selection using the information found on these agencies’ websites.

While clear information creates trust, a non-compliant website can get you into trouble as breaches can easily be discovered by a data protection authority (DPA, the administration in charge of monitoring the GDPR and ePrivacy) without you even being aware of it.

Up until you receive the letter requesting more information from said DPA.

In this article, we take a look at the different aspects to consider for a compliant website.

Creating or revising your agency’s website

Thinking about the structure and your objectives

If you decide to create or modify your agency’s website, it is important to think about the following points:

  • Who will use your website?
    • Prospects who are looking for an agency to rent or sell their property
    • Prospective buyers or tenants looking for a good opportunity
    • Owners of flats who are looking for an agent to manage the co-owned spaces within their building
    • Property owners looking for a manager to manage the property for them
    • Workers or potential workers looking for an employer who meets their values
  • Why will they come to your site?
    • To find information about your agency, your services or the real estate sector in general (technicalities, issues, advice that you would give in a blog section)
    • Accessing specific content/platform (requiring the creation of a user account) to show interest in a property, schedule a visit, obtain information about their file with you
    • Ask you questions (via an online form)
    • Be kept up to date with your agency’s news and new properties for rent or sale (via a newsletter or rss feed)
    • Apply for a job

Once you have clarified this, you will have a better understanding of the features you will need.

These features will most likely require you to collect information about your visitors, also known as “personal data”, from individual users when they visit your site.

Impact of legislation and practices

Some personal data will be collected via cookies and other technologies that allow you to track the user on your site => Go to “Your real estate agency website and cookies”.

For all other personal data = > Go to “Your real estate agency website and personal data”.

Your website, like all websites, also requires you to respect obligations or good practices that are not specifically related to personal data => Go to “Essentials for all websites”

Your real estate agency’s website and cookies (ePrivacy)

Cookies and other trackers

Cookies are small text files that access the computer, smartphone, etc. of the visitor to your website and collect information.

Classically, cookies can be classified into families, which will:

  • help your website visitors understand the overall purpose of the cookie more quickly;
  • help you determine whether you should seek your visitor’s consent before setting or reading the cookie.

Necessary cookies

To enable the site to function or to allow the site visitor to use the features they have requested.

We are talking about necessity from the point of view of the visitor to your site, not from your point of view as the site manager.

E.g.: securing the site, managing cookie consent

Statistical cookies

To measure and analyse the site’s audience.
E.g.: number of visits to the site, identifying the most visited pages

Functional cookies

To enable a user-friendly and personalised experience (improve navigation on the site).

E.g.: integration of content from a third party platform.

Marketing cookies

To present the visitor with advertisements targeted to their presumed interests or to try to understand their interests.

Other technologies (trackers) can achieve the same results and must therefore respect the same rules.

For more information on cookies and trackers:

  • on the site of the DPA (Belgian data protection authority)
  • on the site of the CNIL (French data protection authority)
  • our detailed article on the subject

What do you have to do about cookies and trackers (ePrivacy)?

In order to fulfil your obligation to inform visitors to your site of the presence of these technologies and obtain your visitors’ consent as necessary for their use , there are several tools you have to implement:

The cookie banner

This banner, which appears on the site visitor’s screen , allows you to:

  • communicate a first level of information on the presence of cookies and other trackers on your site;
  • collect consent if necessary via buttons to be activated (the banner being linked to your consent management platform).

If your banner provider offers consent buttons that are activated by default, be aware that this is no longer a permitted practice. Also, avoid graphics and other techniques that misleadingly encourage users to accept all cookies.

Ideally, this banner should include a link to a cookie policy (or even to the data protection policy – GDPR) and be easily accessible from any page of the website (without being intrusive).

The cookie policy

This cookie policy is the second level of information, in which you should address the following topics:

  • Your identity (as the organisation responsible for the site and therefore for placing cookies / using trackers);
  • For each cookie / tracker
    • its name
    • its category / family
    • is it essential or not (consent required if not essential) ?
    • the purpose(s) / objective(s) for placing cookies / trackers
    • how long it remains on the terminal (session, precise duration)

The consent management platform

The consent management platform is the tool that allows you to keep track of the consents you have or have not obtained.

It therefore allows you, for example, to demonstrate that you have obtained the consent of a particular visitor at a given time for the use of certain cookies.

Your real estate agency’s website and personal data (GDPR)

Personal data and GDPR

Personal data is any information that directly or indirectly identifies a human being.

It can be:

  • collected via cookies;
  • observed via trackers;
  • directly collected via forms that visitors to your site are asked to fill in;
  • received from other organisations (government departments, former employer of the candidate worker, etc.);
  • generated by you (when you take notes and draw conclusions in relation to a person).

Since 2018, the General Data Protection Regulation (or GDPR) has strengthened obligations and rights in relation to the use of personal data. It is therefore crucial, if you have not already done so, to modify your website taking into account your obligations in this area.

As already stated, a website with GDPR breaches is very easily audited by the local DPA (the competent administration) or by other interested parties (consumer rights associations, activists, etc.).

If you want to avoid sanctions (including heavy fines) and contribute to protecting the privacy of your website visitors (through the compliant use of their personal data), it is therefore essential to take an interest in the GDPR and how to implement it in your business.

The privacy policy, an expression of your obligation to inform

One of your obligations as a “data controller” is to inform visitors to your site about your intention to collect and use some of their personal data.

To do this, you will need to draw up a document called a privacy policy. You can choose to call it by any name that will be most meaningful to your visitors, there are no legal obligations in this matter.

The privacy policy, its content

List of topics to be covered

Here are the topics you should address in this document:

If the personal data was not received directly from the individual: the categories of received personal data and how it was collected.

For all personal data (whether collected directly or not):

  • Identity and contact details of the data controller (your institution)
  • Details of your Data Protection Officer / DPO (if you have one)
  • What rights can the individual exercise to control your use of their personal data? How can they exercise them?
  • Specifically, the right for the individual to make a complaint to the data protection authority (in Belgium via www.autoriteprotectiondonnees.be)
  • For each processing (how you are using their data):
    • What is the legal basis that you believe justifies your use of the personal data, for each purpose (your goal/objective when you are processing/using their data) you have ?
    • Is the person obligated to provide the data? If they do not, what are the consequences?
    • Who will receive the personal data within your organisation (which department/function) and elsewhere (which other organisation/administration would be responsible or a subcontractor), for what purpose?
    • How long will you keep the personal data (a specific period of time or an objective criterion used to assess this period of time)?
    • Is the data transferred to / accessed from countries outside the EU?
    • Do you use profiling or fully automated decision making based on the personal data you collect?

This document should be accessible from any page of your website.

=> To simplify this exercise, we at Admeet have decided to include in our privacy policy solution a list of pre-encoded processing purposes based on the recommendations (sectoral guidelines) of the data protection authorities.

What are the purposes your agency seeks to achieve by collecting personal data?

In your website’s privacy statement, you should at least address the collection and use of personal data that takes place via your website, but nothing prevents you from adding data processing/use that takes place more broadly, in the various activities of your agency.

Site features for which you should explain the purpose of use
  • subscription to a newsletter
  • question form / appointment booking
  • case tracking platform and other areas reserved for registered users
  • possibility to post photos or comments
  • cookies
Examples of purposes explaining the use of personal data (via your site or more globally)
  • To enable the sale/rental of properties (to compile files, publish advertisements on various platforms, prepare visits of the property, etc.);
  • Establish the files of the candidate purchasers / tenants for pre-selection or final selection;
  • Management of your staff;
  • Enable the follow-up, in your role as management agent, of a co-owned property;
  • Promote the agency’s image by leaving recently sold properties online (see below “an example of a sanction pronounced against a real estate agency”, on this subject);

It will then be easy for you to refer any persons concerned to the website to inform them of these other uses of data.

The privacy policy is just the gateway

The obligation to inform is only one of the obligations you have to meet in order to be compliant with the GDPR.

These obligations are:

  • monitoring the principles to be followed (allowing you to determine whether the use you decide to implement is compliant or not);
  • granting rights to the people whose data you wish to use (rights they can choose to exercise and to which you must respond within 30 days);
  • the implementation of tools and procedures (multiple registers, mandatory documentation including the privacy policy, security measures adapted to the risks incurred by individuals as assessed using a data protection impact assessment).

These obligations apply to all your uses of personal data, including but not limited to those related to the functionality of your site.

An example of a sanction against a real estate agency

In 2022, the DPA sanctioned a real estate agency that had failed to respond to a buyer’s request to exercise their rights.

The agency had left the advertisement for the purchased property online, neither informing the buyer of the property of this practice nor obtaining their consent (or invoking another legal basis justifying that it had the right to do so) and without sorting which data remained available to the public.

Some of the data (address of the property, location via Google maps, identification numbers of the cadastral parcels) could be considered personal data (property belonging to the buyer) and was not necessary for the marketing objective pursued by the agency.

The agency was ordered to delete the information (on all platforms used) and to notify the buyer and the DPA once this was done.

Must-haves for all websites

Here are some other things to remember when working on your website (this list is not exhaustive):

The “legal notices”

Thanks to these, your visitor will be able to clearly identify who is the editor responsible for the contents put online on the site and how they can contact this editor in case of questions or problems (in a more general way).

These mentions are:

  • Name of the editor responsible for the site
  • Name / form of the legal entity
  • Registered office address
  • Contact email address
  • Company number “BE…” + RPM (city of registration) if legal entity
  • The contact details of the website host.

You can also add (not compulsory):

  • links to your general terms of use which may include:
    • a clause reminding the visitor that the content published on the site is protected by copyright and possibly granting them a licence to use it (under certain conditions);
    • a clause limiting your institution’s liability in the event of errors in content or referrals to other sites;
  • a reminder of the links to the privacy and cookie management policies.

Security of your site

You should also ensure that you put in place (or ask your web agency to put in place) technical measures to protect your site and the personal data of visitors who pass through it.

For more details, we refer you to

The recommendations mentioned there are provided by the CNIL (France) but are quite relevant for Belgium.

A compliant website inspiring confidence as a competitive advantage

The real estate sector is definitely a sector that can inform the various people affected in a clear and transparent way, in order to create trust and avoid unpleasant surprises.

Whether it is home visits, publishing photos of interiors on a platform, or collecting data to build up files, the agency is required to collect a lot of personal data.

Building and maintaining a website that is “compliant” (in particular with the ePrivacy Directive and the GDPR) is an essential part of building this trust.

And as you can see, this is not a project that can be improvised.

The stakes are high both for:

  • your agency (to avoid sanctions and to position yourself as an agency that takes care of the privacy of its clients, both owners and buyers/renters);
  • for the users of your site (who could suffer negative impacts in case of a personal data breach, the famous data “leak”).

We hope that this article has given you a better understanding of the different issues that need to be addressed.

And if you are looking for a partner to help you with this project, at Admeet, we offer easy-to-use cookie management and privacy policy tools that guarantee 100% transparency and compliance!