Real estate firms and GDPR
Our real estate customers often asks us how long they can retain information once a deal has been closed.
First of all it is great to see that small businesses are also beginnen to asks these types of questions, well done!
The longer you keep data, the longer it is at risk of being exposed. That is why GDPR regulation states that personal data should only be retained for a reasonable period of time and never longer than necessary to serve its initial purpose.
Real estate firms and GDPR, considerations
So, when a property has been sold or been rented out, the initial purpose for which you captured and published the data comes to expire. The advert you have put out contains photos and the address of the property. Those are personal data items and must therefore be handled with great care, in line with the GDPR regulation.
After the deal closed, the initial purpose expires and the advertisement can only remain in its original form for a reasonable period of time. So, after the deed has passed you have 3 options:
- remove the ad, which is the best option from a privacy point of view.
- anonymize the ad i.e. remove personal data. This means that you only keep 1 photo, overlayed with a banner ‘SOLD’ and remove the individual address to only keep the region, district or city. Since it is difficult to completely anonymise the photo, you should simply remove that advertisement after a reasonable period of time (e.g. 3 months).
- ask permission from both seller/owner and buyer/retner to keep the advertisement for a reasonable period of time.
Do note that you should not only enforce a reasonable retention period around your advertisements, you should apply similar principles around the data you retain in your business management systems. For example, a German firm has already received a 14,5 million Euro fine in 2019 for retaining data indefinitely.