GDPR for Estate Agents in Spain - reSPACio

GDPR for Estate Agents in Spain

GDPR for estate agents in Spain is a practical guide on the new privacy laws that affect all real estate agencies. Websites, CRMs and even the way you deal with a new client walk in to your office need to be compliant, find out how before its too late and avoid the potentially astronomical fines.

The new European General Data Protection Regulation (GDPR) has serious implications for estate agents operating in Spain and all of Europe. The law will affect your websites and any other systems you use to hold user data, including your CRM as well as the way in which you should work. The coming GDPR for estate agents in Spain is something that needs to be prepared for if you haven’t already.

An estate agency collects data about its clients, and under the new law the agent is defined as a Data Controller. As a data controller, you are responsible for ensuring that the systems that you use comply with the law.

Most estate agents are small or medium sized companies, and some have not even heard of the regulations, yet ignorance is no excuse.  The fines for non-compliance are astronomical, and will put you out of business, so you need to make sure that you are covered.

GDPR for Estate Agent Websites

The first and most obvious issue that is presented by GDPR for estate agents in Spain is the change required in your cookie notice. When cookies can identify an individual via their device (whether on its own or in conjunction with other information), it is considered personal data. Not all cookies are used in a way that could identify users, but most are, such as cookies for analytics, advertising and functional services, such as survey and chat tools.

Messages like, ‘By using this site, you accept cookies’ are not compliant with GDPR. You need to provide free choice which effectively means a check box with opt-in (not opt-out) preferences to accept cookies and users need to be able to change their options at any time.

Types of Cookies

When your website loads for a new user, only the cookies necessary for the site’s functionality should be loaded.

The user must be made aware that some cookies will be loaded to their browser in order for the site to function correctly. This would should be in the form of a cookie notice banner, which must be displayed prominently.

Functional cookies will allow the site to remember what properties they have searched for in order to present the right list to them, or remember their cookie preferences.

The second type of cookies are those that collect statistical data on users, such as some of the Google analytics cookies. Although these cookies do not collect data that can identify a user, the user must still be able to opt out of their use. This option should be available on the cookie banner, normally in the form of a tick box.

The third type of cookie does identify the user individually. These cookies include Google analytics cookies that record the device and location of the user, as well as cookies set by advertising networks such as Google or Facebook. These marketing cookies require the user to opt in to their use, again by a tick box. This tick box must be unticked by default so a user actually needs to opt in to their usage.

Any form on your website that the user fills such as contact forms, newsletter subscriptions and other forms should have a clear notice showing that data will be collected and processed. The user needs to opt-in (not opt-out) to agreeing to this, so there should be a tick-box for them to do so.

An example notice might read as follows:

This form collects your name and email so that we can send you newsletters with interesting articles and the latest property updates. Check our Privacy Policy to find out more about how we protect and manage your submitted data.

Clicking on ‘Privacy Policy’ should take the user to a page on your website that has your GDPR compliant privacy policy. This privacy policy will fully disclose your data collection and storage practices, see below for more information.

The completed form details should be dated and stored so that they can be retrieved later in an audit process accessed by the user.

It is preferable to use a double opt-in process for marketing subscriptions such as newsletters.

Website Privacy Policy notice

You must have a privacy policy which is concise, transparent, intelligible and easily accessible and written in clear and plain language. If you have a multilingual website, then this policy should be available in all languages.

It is satisfactory to put a link to your privacy policy page in the footer of your website, but you should also link to the page wherever you ask a user to consent to their data being collected (see above).

Your privacy policy should include the following information:

  • Your (company’s) identity and contact details
  • What data is being collected
  • The legal basis for processing the data
  • Details of any third parties with whom the data is shared
  • How the information will be used
  • How long will the data be stored
  • The rights of the user
  • How the user can raise a complaint

If you have any mortgage pre-qualification form, then you may need to include that the data may be subject to automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

User access to stored data

Users of estate agent websites have the right to access the data they have provided and edit, delete or download it. Data includes any comments they have made on your website, newsletter subscriptions, contact forms they have completed or any other form where they may have added any personal data.

If user data is held on the website then they should be able to access it easily. A solution to this element of GDPR for estate agents in Spain is to allow users to apply for link that is emailed to them and leads to a temporary page where they can view, download and delete their records.

The problem is that there are many different ways to hold and structure data on a website, and many different website platforms. If your website is built on the WordPress platform, for example, there are a multitude of contact form and newsletter plugins that you might choose from and each one holds data in a different way.

Many systems do not hold the data on the website at all, but send an email to you or, in the case of Respacio inject the data straight into your CRM. If that data is not stored on your website but stored on your CRM, then there should be a clear process showing how can view, edit, delete and download the data, see the section on Contact Management Systems below.

If the data is held on your email server, then you will need to be able to send copies of those emails back to your clients on request and delete them if required (unless there is a legal reason for not doing so).

Data Security

Data security is a key element of GDPR. It is your responsibility to ensure that any user data on your website is secure. You should ensure that passwords are sufficiently complicated so that they cannot be easily hacked and that you have software to protect your data from malicious third parties and to detect if the site has been hacked.

Data Breach Processes

In the event of a data breach, you need to have a process ready to implement. If your website is hacked then firstly you need to know that this has happened.  You should have software installed that can detect such a hack and alert you.

If the hack has led to a potential breach of data, then you need to inform the users whose data may have been stolen and the authorities within 72 hours. GDPR for estate agents in Spain means ensuring that you have a process ready in the event of such a breach.

GDPR for Estate Agent Contact Management Systems

Whether you store your contact details on a spreadsheet, a system on a local server or in a cloud, your data storage is subject to the new GDPR regulations.

As an estate agent collecting and processing data, you are defined as a ‘Data Controller’ in the regulations. If you store that data on your own computers, then you are also a ‘Data Processor’ and further regulations will apply to you. It is a much better scenario to use a cloud based real estate contact management system to limit your responsibilities than systems that are PC or local server based. Popular server/PC based systems such as Infocasa make it very difficult for a user to access or edit their data.

If your CRM does not comply to the law, then what does that mean to you? As a data controller, your obligations do not change. You are still expected to comply and your days of grace end on the 25th May. What will you do if your clients request to view (Art. 15 GDPR – Right of access by the data subject), edit (Art. 16 GDPR Right to rectification), request to delete (Art. 17 GDPR Right to erasure (‘right to be forgotten’) or download (Art. 20 GDPR Right to data portability) their personal data?

There are three key areas that you need to consider; user access to data and their ability to edit and delete their records, data security and how to deal with a breach.

We looked at 62 contact management systems that provide real estate systems specific to Spain and we discovered that none of their websites mentioned that they were compliant or even preparing for GDRP (or RGPD as it is referred to in Spanish). Perhaps its time to consider migrating to Respacio?

Users control of their data

As we have seen, a user must be able to access, edit and delete their data. However in a typical estate agency, user data may be held in a variety of places and this element of GDPR for estate agents in Spain can be complicated to comply with.

You will need to carry out a data audit in order to understand all the places where user data may be stored.  If you are using a system such as Respacio, then this is a lot easier as data is centralised and the system is GDPR prepared.

The places where personal data may be stored might include:

  • Your contact management system
  • Your email system
  • Your finance system
  • Social media
  • Spreadsheets
  • Other databases
  • E-marketing tools

If a user requires a copy of their data then they will require a copy of every instance, in all of these places.

It is likely that your contact management and email systems are the main silos of information and you need to ensure that upon request, a user can access this information.

In the Respacio system a user can be granted a personal access login to the system where they can view only their own data, including their record, email correspondence and any events, documents or spreadsheets associated with them.

They can edit this information and request it to be deleted. All records about that user that can identify the individual are deleted or anonymised. This process is far easier where information is centralised.

You must ensure that similar processes are available on the CRM that you use.

CRM Data Security

If you use a CRM and other systems that hold records on your own servers or computers, then the new laws will classify you as a data processor as well as a data controller. As a data processor you will need to ensure that you comply with GDPR’s security requirements. In this case you will need to contact your IT company and carry out a full audit.

Many CRM systems designed used by estate agents in Spain are based on local servers or PCs and all client data is held on them. To protect and limit your legal responsibilities and reduce costs you should move to a cloud based system which will provide more security for your data.

GDPR is very clear that the security of user data is your responsibility and that you should make every effort to ensure that it is safe and protected.

The weakest point of entry into any system is the user credentials, the user name and password. You should ensure that your system users are not utilising short, simple passwords that are easy to hack. If they are, then under GDPR this would be deemed to be a lapse of security and in the event of a data breach where your system has been penetrated through an inadequate password system and a data breach has occurred, you could be liable for a fine.

Passwords should also be reset at regular intervals and ideally, as in the case of Respacio, a user would not be able to log in from multiple locations or devices. This helps to prevent unauthorised access and ensures compliance of GDPR for estate agents in Spain.

Data Breach

In the case where there is a data breach and user records may have been compromised, it is your responsibility to inform any users and the authorities that may have been affected that the breach has occurred and what personal data may have been taken within 72 hours. You should have a process in place to do this.

The Respacio system, for example, provides the infrastructure to carry out a data breach process, but in the circumstances where data is held on your own servers, you will need to implement this process yourself.

Other processes to comply with GDPR for Estate Agents in Spain

Walk ins and GDPR

If you a client walks into your office and registers with your agency, then they will need to sign a consent form which explains that you will be holding and processing their data. This form should advise them of their legal rights, in the same way as your privacy policy. If you intend to send them a newsletter, then they should tick a box on this form giving their consent to do so. You should store this signed form in case of a future audit.

Collaborators and other agents you work with

If you have collaborators who introduce leads on to your company, or you introduce leads to another company, then you will need to have the client’s permission. Getting their consent on the phone is not enough unless the consent is recorded with their prior agreement. You also will need to keep this consent in case of future audit.

Therefore you should ensure, whichever side of that equation you are on, that your collaborator is compliant with GDPR or you may be liable. This will involve a signed contract between the two parties.

Collaborators that introduce clients to you must agree should sign a contract with you stating that they are GDPR compliant and that all clients whose details are passed to you have specifically consented to that data transfer, and your company has been named as the receiver of the data. As a further precaution, you might email the client and make them aware of the information that has been passed to them and confirm their permission to process it.

A summary of steps you should take for GDPR

Below is a checklist that you should run through to ensure that your organisation complies with GDPR:


  1. Check that you are displaying a cookie notice correctly and that users opt in to cookies that may identify them, such as marketing cookies
  2. Ensure that there is a process by which users can view, edit, download and delete their data if it is held on a database on your website.
  3. Upgrade your security software so that any data breach can be detected
  4. Change passwords regularly and ensure they are at least 10 characters, using a mixture of capitals, non-capitals and symbols.
  5. Put in place a process in case of data breach to inform the authorities and users.
  6. Update your privacy policy and cookie policy.
  7. Make sure all forms advise users ask for consent to store and process data.

Contact Management systems

  1. Ensure that the contact management system you are using complies with GDPR
  2. Consolidate your user data into one place, such as your CRM so that in the event of a data request, the process can be streamlined
  3. Allow users the option to view, edit, download and delete their data
  4. Ensure you have adequate security protocols in place, including the use of safe passwords, regularly changing passwords and ensure users can only log in from one device at a time.
  5. Put in place a process in case of data breach to inform the authorities and users.

General office processes

  1. Train your team to understand their obligations and what GDPR for estate agents in Spain means to the way they work.
  2. Survey your systems to understand where client data may be held, such as spreadsheets, marketing tools and other software and consolidate them into one place.
  3. Ensure consent is gained from walk in clients and phone on clients to gain their consent to store and process their data
  4. Review and update your processes and contracts with introducing agents and other collaborators

The AEPD (the Spanish data protection agency) offers a system to help you create agreements with your suppliers and clients, as well as the wording for consents in English and Spanish. You can find the tool here.

We can help you!

We can help you to reach compliance. We can review your website, recommend and the appropriate software to ensure they comply with GDPR requirements and if you like, we can also implement it for you.

We can also help with your contact management systems. Respacio is compliant with GDPR, and we can migrate data from your existing systems so that nothing is lost.

If you would like us to help, just fill in the form below for a no obligation and free assessment of your website, information about how to migrate to the Respacio CRM or just to keep in touch with the latest developments on how GDPR affects estate agents in Spain.

Disclaimer We have made every attempt to ensure the accuracy and reliability of the information provided on this report on GDPR for estate agents in Spain.. However, the information is provided "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained. We shall not be liable for any loss or damage of whatever nature (direct, indirect, consequential, or other) whether arising in contract, tort or otherwise, which may arise as a result of your use of (or failure to use) the information contained in this article.