GDPR Real Estate and PropTech: What you need to remember to comply!

Several structures in the PropTech field process a lot of personal data. They are therefore affected by the GDPR, particularly when it comes to real estateGDPR .

But by the way, what is GDPR ?

📕 To implement the GDPR in the real estate sector and PropTech in particular, we need to define what it is clearly. The acronym GDPR stands for "Règlement Général sur la Protection des Données" (in English "General Data Protection Regulation" or GDPR).

This is a European regulation that strengthens and harmonizes the processing of personal data within all EU member states. This regulation came into force on May 25, 2018.

It harmonizes rules across Europe, providing a single legal framework for professionals.

It enables them to develop their digital activities within the EU based on user trust. ✨

The importance of GDPR in real estate and PropTech

Many structures in the real estate sector process a great deal of personal data. Some real estate agents collect and process sensitive data.

They are therefore affected by the GDPR. The PropTech sector is very much affected by innovation and digitalization. These innovations are made possible by the control and use of personal information: collaborative projects right from the building design stage, involvement of future users, digital tools, SaaS platforms, auctions, etc. 

Digital prospecting and online real estate agencies are also on the rise. 🚀

What is personal data?

👨‍🎓 This is any personal information that directly or indirectly identifies a natural person:

• last name, first name
• mail address
• payment card
• phone number
• identifier
• social security number
• IP address
• photo of a face
• video showing a person

Example of a company processing personal data in the real estate and PropTech sectors

Otaree

Otaree is an online platform for selling new properties. Their software solution simplifies searches and speeds up the sales process. These include an advanced search engine with 25 criteria, automatic stock updates, interactive mapping, a location evaluator and a lot comparator. As a result, Otaree processes a lot of personal data thanks to these tools. 🔧

Dipeeo has produced a webinar with Otaree on the rules of prospecting when you're in the real estate business. You can find webinar by clicking here.

HomeExchange

🏠 HomeExchange is a structure that exchanges houses and apartments between private individuals. With over 450,000 homes in 157 countries, it manages a huge amount of personal data (surname, first name, reservation, bank details, address, etc.). Home searches and requests are facilitated by the use of filters to refine the search (type of exchange, equipment, etc.), and by the organization of exchange details via the HomeExchange messaging system.

Econhomes

Econhomes develops solutions to help meet co-owners' expectations regarding condominium charges, at every stage in the life of a building. Reducing condominium charges requires personal data such as surname, first name, address, ... It is therefore important to respect and secure the data. 🔐

They have produced a client testimonial, available on our website, which explains what is at stake when it comes to personal data and why it is important for a company like Econhomes to comply. You can find by clicking here.

Significant digitization of real estate players with GDPR

In 2022, the French real estate and PropTech market is booming. What's more, numerous legal measures are optimizing profit for investors. For example, the Pinel Law introduces tax exemption measures that maximize rental income. 🏠

🚀 Real estate agencies have come a long way in recent years. With digitalization, innovative ideas are not lagging behind. Particularly in the real estate sector, with SaaS platforms for designing buildings, or apps that let you see the interior structure of buildings via a smartphone, several structures are seeing the light of day and developing rapidly.

Historic players such as estate agents are transforming themselves, seeing new players and having very digital practices.

Huge opportunity but need to control data

It's a huge opportunity for real estate agencies, but one that needs to be kept under control, in particular through controlled data use and IT security to prevent hacking, data leaks or breaches. 💥

Real estate agencies therefore need to put in place a procedure to comply with the General Data Protection Regulation. In fact, they handle a lot of data, such as past sales, sometimes very old, sometimes with sensitive data on clients, or Data retention periods that are not always respected.

✨ The main reasons for compliance are: website compliance, prospecting compliance, Data retention compliance, consent compliance, etc.

How to comply with GDPR in the real estate and PropTech sector

If you collect and process the personal data of your prospects and clients, you need to ensure that it is respected and secure.

1 - Prior consent or Opt-in

Opt-in or prior consent is one of the main principles of the GDPR. This principle requires you to collect a person's consent in order to prospect them. For example, this could be a checkbox on a contact form. In the real estate sector, the rules for this prior consent are different when you're in B2B (Business to Business) or B2C (Business to Consumer). 🚀

Many people think that in B2B, it's necessary to have prior consent or Opt in, but this is false because there is no Opt in in B2B. You don't need to collect consent from your prospects. However, in B2C, prior consent is mandatory, but only for SMS and emails. 📧

This means that for the telephone, whether B2B or B2C, there is no Opt-in. So you can contact anyone you wish to prospect, unless they are registered with Bloctel.

🗞️ As for mailings (advertising by post), which are frequently used in the real estate sector, there is no Opt-in requirement either. You can therefore send letters to the people you wish to canvass without obtaining their consent. However, you need to remain vigilant, as legislation on mailings is evolving. Soon, it will only be possible to send mail to people who have indicated "Yes advertising" on their mailboxes.

2 - The source of personal data in the real estate sector

In digital prospecting, you need to make it clear to your prospects where the data you've used comes from. You can prospect directly or indirectly. ✨

If you carry out direct commercial prospecting, as is often the case in B2B, i.e. if you have collected the prospect's prior consent yourself, you don 't need to inform us of the source of the commercial prospecting data.

🔔 On the other hand, if you carry out commercial prospecting indirectly, in other words you have obtained a prospect's personal information indirectly:

• E-mail generation tool
• Purchasing databases
• We provide you with a database...

🏠 These are very common practices in real estate and PropTech, but you are obliged to inform the sources of commercial prospecting data and you must do so for each prospecting message

For example:

We have obtained your contact details i) directly from you ii) via public informatione.g : trade fair and website) iii) via social networks (e.g : Linkedin) or iv) via tools authorized by the CNIL (National Commission for Information Technology and Civil Liberties) e.g : Drop contact), in accordance with the provisions of article L34-5 of the CPCE and the directives of the CNIL (National Commission for Information Technology and Civil Liberties).

3 - The duration of Data retention in real estate

🕰️ The Data retention period for personal data is one of the main principles of the regulation. It must therefore be respected in order to comply with the regulation. For this reason, you need to be aware of the rules governing the duration of Data retention of personal data.

In all fields, including real estate and PropTech, personal information can only be kept for a limited period , which is set either by lawe.g laws, decrees, regulations), or directly by the French supervisory authority, the CNIL (National Commission for Information Technology and Civil Liberties), via recommendations, simplified standards, etc. This also applies to real estate agencies. This also applies to real estate agencies. 🏠

B2B sales prospecting :

🚀 In B2B, there are no Data retention limits . So you can use an email address except for those who have requested an Opt out.

Similarly, there are many different interpretations of the subject. We can read that the duration of Data retention is three years. However, since B2B e-mail addresses can be used freely and without prior consent, this period lapses and can be renewed.

B2C sales prospecting :

The Data retention period for B2C personal information is 3 years from the last contact. After this period, you no longer have authorization to use the prospect's e-mail address. Each time you contact someone by e-mail, this period resets to zero and you can contact them again for 3 years. ⏰

📣 For people whose Data retention period is about to expire, you can send an e-mail to the prospects concerned just before the expiry date to ask them whether they agree to their data still being used and processed. If so, you can use their e-mail addresses.

See our article on Data retention periods for human resources, marketing, sales prospecting, marketing, accounting, etc. (Table of Data retention periods for personal data)

4 - Appointing a DPO in the real estate sectorGDPR)

🧑‍⚖️ A DPO or Data Protection Officer, whether internal or external, assists the controller or processor in complying with the General Data Protection Regulation. The data controller is the person who processes personal data. 

All DPOs must be registered with the CNIL (National Commission for Information Technology and Civil Liberties) on this link. The list of DPOs appointed by the CNIL (National Commission for Information Technology and Civil Liberties) is public information available on the CNIL (National Commission for Information Technology and Civil Liberties) website. If you are a real estate agency or a structure in the real estate sector and you process personal data, you must appoint a Data Protection Officer (DPO) and nominate him or her to the CNIL (National Commission for Information Technology and Civil Liberties).

 🔔 Internal communication within your company (or other type of organization) is recommended. All employees should be aware of his presence, his activities and the fact that he can be contacted on any subject around personal data.

5 - Privacy by design

🚀 Working in real estate and PropTech and complying with the GDPR requires knowledge of Privacy by Design. This is one of the concepts of the regulation. It's a concept that requires companies to integrate GDPR principles right from the design stage of a project, service or any other tool linked to the processing of personal data. If you're redesigning your website or developing an application for real estate, these projects must be thought around the rules of the regulation. This will help you avoid corrections after development.

GDPR topics most frequently encountered by real estate and PropTech players

1 - Is it possible to buy B2C prospect databases?

🛒 It's possible to buy a B2C prospect database, but there's one condition: you have to be careful about who sells you the prospect database.

In B2C, you can't prospect without prior consent (Opt-in). This means that if someone has sent you a database, you are not allowed to prospect the people in that database. After all, these people don't know you. BUT there is an exception! 🚀

If these people have given their consent via a checkbox that gives permission for personal information to be sent to partners or third parties, there's no problem.

📣 The person who sold you the base must therefore collect the prior consent of all prospects contained in this base and must be able to prove it. It must also undertake to comply with the regulation and demonstrate that its data sources comply with GDPR real estate.

When you do database acquisition, you need to make sure that whoever sold you the database complies with the regulation and that the source of the database is GDPR.

2 - In B2C, is it allowed to loan a prospect database or to form a partnership?

🧑‍⚖️ In B2C, it is possible to loan a prospect database if prospects have given their consent. However, this is not highly recommended, as there are 2 reasons for this: prior consent and ethics. In B2C, people no longer accept to receive a prospecting message or email without their consent, and they don't understand and are unhappy.

However, in B2C, you have the right to hold a joint communication or event such as a webinar.

3 - Do agents have the right to share a prospect database?

With the GDPR, this is a question often asked in the real estate and PropTech sector. Agents are not allowed to share a database of prospects. Why not? In a network made up of several members, all legally Independents, bound by a contract, a consumer will come for a specific mandatary, a mandatary who will have his personal database, his own. 🔐

In addition, an agent is considered a processor, because it will process data on behalf of a principal, so the data belongs to the principal.

4 - Can an agent reuse a prospect database for several companies?

🔔 An agent is considered a processor within the meaning of the GDPR ; He can reuse a database of prospects for several companies if he himself created his database as part of his business.

The database is his property. He can therefore use it for several companies in the real estate sector or not. On the other hand, if you provide him with a database and ask him to carry out a task related to it, it doesn't belong to him, so he can't reuse it as he wishes.

What are the risks and penalties for GDPR non-compliance in the real estate and PropTech sector?

When a structure is not compliant, it is exposed to numerous risks. For example, it may be subject to a personal data breach or a CNIL (National Commission for Information Technology and Civil Liberties) inspection. A CNIL (National Commission for Information Technology and Civil Liberties) inspection may be unannounced, or it may occur when someone files a complaint with the CNIL (National Commission for Information Technology and Civil Liberties). 💥

These complaints are often linked to internal causes, when an employee is unhappy (Human Resources). They can also be linked to external causes, i.e. a complaint lodged by a B2C or B2B client . The real estate sector is particularly affected, as many structures have both B2B and B2C clients .

🪙 Monetary penalties can amount to up to 20 million euros, or in the case of a company up to 4% of worldwide annual sales. These penalties may be made public.

In addition to the penalties that the regulation can give to companies that are not in GDPR real estate compliance, there are other consequences that can directly harm the company:

• Claim for damages: people who are connected with the GDPR violation may suffer material or non-material damage. The company or organization will then have to pay damages. 
• Failure to comply with the GDPR is now considered unfair competition. A decision by the Paris tribunal de grande instance has just ruled that not complying with the GDPR can be condemned as unfair competition.

Please note:

📣 In addition to paying a fine of up to 20 million euros for non-compliance, non-compliant real estate agencies will be required to pay damages. Damages do not replace administrative and criminal penalties.

An image deficit: A company's failure to comply with GDPR will surely damage its image and reputation. This could then lead to a loss of revenue, as there will be a loss of clients confidence in the company.

✨ Dipeeo: Your outsourced DPO ✨

Dipeeo offers an outsourced DPO service to handle all the client's GDPR issues.client have a single point of contact, their DPO, who is a legal expert or lawyer.

Dipeeo carries out all the client's compliance work, drafts documents, answers questions and deals with unforeseen circumstances....

In addition to video exchanges, the client and the Dipeeo DPO will collaborate via the digital platform. This automates all the low value-added tasks involved in GDPR compliance. We also offer a specific tariff for real estate agencies which is €79.90 per month.