GDPR and privacy for real estate agents: data processing

Privacy is important for all of us, and everyone should safeguard it, especially in the workplace.

A modern real estate agent cannot afford to underestimate this aspect of daily work: agents come into contact with their clients’ personal data on many occasions and in the most varied forms.

Correct data processing is therefore a must for the agent, all the more so given the stringent privacy regulations that have followed one another in recent years, up to the introduction of the much-discussed GDPR.

Regulatory requirements

Italy has always been at the forefront of privacy regulation: consider the Code regarding the protection of personal data, commonly known as the “privacy code”, that is, Legislative Decree no. 196 of 30 June 2003, in force since 1 January 2004.


The introduction of the famous GDPR

As is known, on 4 May 2016 European Regulation 679 was published in Italy: the General Data Protection Regulation, known as the GDPR, a European Union regulation on the processing of personal data and privacy.

After a period of about two years for all companies to adapt, the privacy legislation officially came into force on 25 May 2018, and the right to privacy thus became a fundamental right. In Italy, Legislative Decree 101 of 10 August 2018 established a truce on sanctions, and on 20 May 2019 the first checks and sanctions began.

Finally, after other short truces, verification and control activities on privacy regulations have been running at full capacity in our country since January 2020.

What is personal data?

The regulations enacted in recent years mean that privacy protection no longer applies to legal persons, but only to natural persons. Personal data is any element capable of identifying a natural person, directly or indirectly.

Real estate agents are often convinced that their daily work does not bring them into contact with people’s sensitive data, and therefore that they need not comply with current regulations. But beware: the current legislation speaks not only of sensitive data but of all personal data, that is, data relating to natural persons residing within the European Union.

The list of personal data according to European legislation

The following data cannot be processed without the consent of the data subjects:

  • Data of minors (Article 8 of the GDPR);
  • Special-category data (Article 9), formerly called sensitive data, to which biometric data such as fingerprints and particular facial features, and data on political and sexual orientation, have been added;
  • Judicial data (Article 10), which concern criminal convictions and offenses.

While common personal data can be processed under different conditions of lawfulness, data in the three categories set out above can be processed only with the free and express consent of the data subject.

What is meant by the processing of personal data

The processing of personal data is any operation or set of operations carried out on personal data, that is, data relating to natural persons. This means that if my mailing list, for example, collects the e-mail addresses of legal persons, I am not obliged to respect any privacy constraints.

When you receive an email containing personal data, the processing of that data already begins, even if the real estate agency does not collect it: this is why every real estate agent should comply with current regulations.

When is the processing lawful?

One of the main requirements for judging whether you are processing data correctly is lawfulness: processing is lawful only and exclusively if you have a legitimate reason for it.

For example, a mandate to sell or rent a property received from the owner already justifies the processing of that person’s data, provided that the owner’s signature is present on the consent to processing. It is not sufficient to give the owner the information notice on data processing: the related consent must be made explicit and therefore signed.

Practical and concrete examples in the daily life of a real estate agent

When an agency publishes an advertisement for the sale or rental of a property on a real estate portal, and photographs of the property are to be published as well, the principal’s express consent to the processing of their data is required.

Similarly, consent is required before an email marketing campaign is run on a database of leads, who must consent to the real estate agency sending them advertising material by email.

Where the data of potential customers are collected on social networks, they can be contacted only if they have expressly agreed to be contacted by the agency; otherwise any attempt to contact them is illegal.

The purpose of the data processing

Another fundamental requirement is purpose limitation: if the data of a natural person have been collected for a specific purpose, obviously with the express authorization of the data subject, those same data cannot be used for a different purpose.

This means that if a client once signed an assignment with a real estate agent for the sale of a property, that agent cannot contact the client again in the future through a marketing action to propose an investment or another property to buy. Likewise, a signature on a visit sheet does not justify contacting that person again with real estate proposals.

Unfortunately, acting in good faith and in the customer’s interest is not enough: to avoid sanctions or disputes, you must in any case act within the law.

Obviously, what is legal or illegal is not the marketing tool used, such as management software, a CRM or newsletter software, but the way the leads are acquired, managed and stored before being loaded into those tools and finally used for web marketing campaigns.

Who is involved in privacy?

It is important to define who intervenes within the privacy system of your real estate agency, i.e. all the figures involved in this process:

  • The data controller, which is the real estate agency in the (physical) person of the owner;
  • The data processor, that is, the person who works on behalf of the data controller, such as a business agent with a VAT number or a real estate agent other than the owner;
  • Authorized persons, i.e. agency staff, who have received specific training in data processing from the owner.

Who is the external processor?

In practice, the data controller could receive personal data directly from customers who enter the agency, from a colleague, or from a real estate ad portal.

Subsequently, he entrusts the data received to a collaborator with a VAT number, designated as an “external processing manager” through a written mandate or a document signed by the owner. In this case, the processing is bound to the assignment entrusted by the owner and has no purpose other than the one commissioned, e.g. showing the apartment being visited or posting the ad on some real estate portals.

When the collaborator, on behalf of the data controller, acquires the data of the people who are to view the property, he does so by means of the forms that the data controller has already produced with the customer, and consequently can act independently with that same customer.

The obligations of the data controller

To comply in this type of relationship with a collaborator, the real estate agent responsible for the processing therefore:

  • Must acquire from the customer the authorization to process the data
  • Must handle the data properly
  • Must have defined a practical organizational model in the company to determine who is in charge of what
  • Must have established in advance the minimum security measures within the real estate agency (under the principle of accountability, i.e. the responsibility of the data controller for the protection of privacy)
  • Must have appointed the employee responsible for the processing, providing him with the information in writing

As for how information is sent to and acquired from customers, instant messaging apps such as Messenger or WhatsApp should be avoided in favour of more suitable methods, such as email or, better, PEC (certified email), with the message containing a link to a dedicated information notice published on the agency’s website.

The form sent to the customer can be the classic one written on paper, with an authentic signature at the bottom; for electronic sending, a digital signature obviously remains fully valid and gives the maximum protection as proof that the information was transmitted.

The case of receiving personal data from a portal

On the other hand, when a transfer of personal data is received from a real estate ad portal, from an MLS or from other types of platforms, the authorization to process the data lies with the portal itself, which originally acquired the data and is, therefore, the data controller for it.

In this case, the real estate agent can act without presenting any type of information notice to customers, but obviously must process the data received exclusively for the purposes for which they were transmitted to him.

When and if the lead or prospect received becomes a contact, and therefore could become a potential customer, it is advisable to have that person also sign the agent’s own information notice.

But beware of the reverse case, in which we want to transfer the contacts in our possession to third parties, such as colleagues, business brokers, collaborators or an MLS: in this case the contacts must have given their consent to the transfer of their data to third parties. Therefore, always pay attention to the purpose of the processing!

Is it possible to delegate the ownership of the processing to an external party?

We know: real estate agents, especially agency owners, are very busy. It is certainly possible to delegate the processing of the data to someone, and therefore to appoint that person as responsible for the processing, but the ownership remains with the person who acquired the data.

At that point, however, it is normally necessary to follow the chain of communications between the owner, the processors and all the sub-processors: the owner must be able to know at any time where the customer’s data is and to delete it at the customer’s request.

Data processing by a third party real estate agent

When a real estate agent finds himself dealing with a client’s data transferred by a collaborating agency, that agency will have to submit to him a liability contract, limited to that specific client or generic in the case of continuous collaboration.

At that point, the controller will act on that client either through the authorized persons within their agency, or directly, or through the sub-processors. The important thing is that the data controller is informed, by the person in charge, of the path taken by the personal data transmitted.

The obligations regarding the information

The regulatory obligations concern 4 levels:

  • Organizational model of privacy, i.e. the formalization of documents such as the organization chart, relations with third parties, storage times and specific training.
  • Formal adaptation, i.e. appointments, disclosures, consents, keeping the processing register.
  • Risk management, which consists of IT and logistical security measures to be adopted in the agency such as pseudonymization, encryption, anonymization and tokenization; periodic vulnerability assessment; DPIA; privacy by design or by default.
  • Updating and control, such as procedures, policies and periodic audits to be completed and documented to show the methods of surveillance of managers and appointees.

To be compliant with current legislation, the information notice must not only be formally correct but also accurately reflect the organizational structure of the real estate agency.

The owner and the data processors must be able to demonstrate the effective adoption, according to the accountability principle, of measures aimed at applying the regulation, and this is possible only if upstream there is a document that precisely defines the whole process.

What are the rights of the customers?

The data controller must respond within one month to all privacy requests received; in that response, the time to fulfil the request can be extended up to three months if the request requires a longer resolution time.

The GDPR has introduced some fundamental rights for data subjects:

  1. Art. 15. The customer has the right to access their data: which data the real estate agency is processing, for what purposes, where the data were acquired, and the lawful basis for processing them.
  2. Art. 16. The customer also has the right to object: except where legal obligations or reasons that outweigh the protection of privacy apply, the customer may oppose the processing of their data, e.g. by asking to stop receiving the agency’s newsletters.
  3. Art. 17. Another fundamental right of the customer is the right to be forgotten, that is, to have their data erased.
  4. Art. 18. Right to limit the processing of data, in the event of opposition, unlawful processing or dispute: this means that the data subject has the right to have the use of their data limited to what is necessary for the purposes of conservation.
  5. Art. 20. Right to data portability: the data subject has the right to receive, in a readable format, the personal data concerning them that they provided to a data controller, as well as the right to transmit such data to another data controller without impediments.

The risks in case of failure to respect the right to privacy

The data controller should bear in mind that anyone can contact the Privacy Guarantor very simply and completely free of charge, by submitting a complaint on the appropriate website without the help of a lawyer. The Guarantor is then required to verify the complaint and take any measures.

The penalties provided for in the event of non-compliance with the regulations on the GDPR and unlawful processing can be very high, leading to criminal provisions that also include imprisonment.

In light of this, now that the subject has been covered in such detail, you have no more excuses: all that remains is to adapt to the legislation on the GDPR. Real estate agent warned, real estate agent saved!