Estate agents process personal data about buyers, sellers and applicants at every stage of a property transaction. UK GDPR and AML regulations both apply.
What Estate Agents Process
Sellers: identity documents, property details, valuation records, solicitor details, completion records.
Buyers: contact details, financial position, viewing records, offer history, AML identity documents.
Applicants: search preferences, email/phone for property alerts.
Lawful Bases
- Contract: Marketing and selling property, facilitating viewings and offers
- Legal obligation: AML identity verification (Money Laundering Regulations 2017)
- Legitimate interests: Buyer registration and property alert matching
- Consent/soft opt-in: Property alert emails, mortgage broker referrals
AML Compliance
Estate agents are supervised by HMRC for AML. Identity verification on sellers (at instruction) and buyers (post-offer acceptance) is mandatory. Key rules:
- Lawful basis: legal obligation — no client consent required
- Retain AML records 5 years from end of business relationship
- If filing a SAR, tipping-off restrictions apply — do not tell the client
- Issue DPAs to AML verification platforms (Credas, Thirdfort, etc.)
Marketing and Applicant Lists
- Property alerts to registered applicants: soft opt-in under PECR applies
- Mortgage broker referrals: explicit consent required
- Suppress or delete dormant applicants after 12–24 months
Retention Schedule
- Completed sale files: 6 years
- AML records: 5 years
- Viewing records: 12 months
- Applicant data: 12–24 months from last engagement
This guide was produced by Custodia — AI-powered GDPR compliance for small businesses. Scan your estate agency website free.
Top comments (0)