Confidential Dispatch
At a glance

A property deal concentrates more personal data in one WhatsApp thread than most businesses hold anywhere — buyers’ KYC, sellers’ deeds, loan files, site-visit registers — and the broking habit of trading leads and circulating documents is a DPDP violation pattern by default. Brokers and agents are Data Fiduciaries with the full duties: notice, purpose-bound consent, security, deletion when deals die. And separately, real estate agents are notified reporting entities under India’s anti-money-laundering law, which adds KYC and record-keeping duties of its own.

Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to real estate brokers, agents and developers; it is not formal legal advice.

The situation

Real estate runs on circulation: a buyer’s details shared with five developers “to check availability,” a seller’s deed forwarded to every prospect who sounds serious, a lead list passed between brokers as professional currency. That circulation is the business model — and under the DPDP Act it’s also the exposure, because every one of those forwards is a disclosure of personal data that needed a purpose and a basis. No sector’s daily habits sit further from the Act’s defaults, which is exactly why the brokers who adapt first will have something real to say to data-nervous clients.

Does DPDP apply to a broking business?

Yes — a solo agent with a phone full of client documents is a Data Fiduciary the same as a national brokerage or a developer’s sales office. The moment you decide why and how a buyer’s or seller’s personal data is used — collecting KYC for a booking, holding deed copies for a mandate, logging site visits — the duties attach: notice at collection, a lawful basis per purpose, security for what you hold, breach reporting, and deletion once the purpose ends. The informality of the trade changes nothing; if anything it concentrates risk, because the “systems” holding this data are personal phones, chat threads and desk drawers — the places data leaks from first.

The data a property deal actually concentrates

Both sides’ identity and finances, the property’s paper trail, and a wake of enquirers who never transacted.

  • Buyer-side — KYC documents, PAN, loan sanction letters and bank statements shared for eligibility, family details volunteered along the way.
  • Seller-side — the deed chain (carrying previous owners’ data too), tax receipts, society records, the owner’s identity bundle.
  • The deal file — agreements, token receipts, payment records: identity plus wealth, cross-linked.
  • The funnel — site-visit registers, enquiry forms, portal leads: hundreds of people’s contacts per closed deal, most of whom bought nothing and consented to less.
  • Tenancy work — tenant KYC and employment proofs, police-verification paperwork, landlord details.

The funnel deserves the hard look: for every deal’s worth of necessary documents, a broking business accumulates a far larger pile of prospect data with no live purpose — which is exactly the pile that gets traded.

The obligation that actually bites: leads and documents aren’t tradeable inventory

The enquiry was consent to be served, not consent to be circulated — purpose limitation lands directly on the trade’s core habits. Under the Act, data is collected for a stated purpose and used for that purpose (Section 6); each new use needs its own basis. Applied plainly:

  1. Lead lists can’t be sold or swapped. A buyer who enquired about one project consented to that conversation — not to their number joining a list sold to other brokers, or fed to every project in the pipeline. Buying lists is the same problem inbound: data whose consent trail you can’t show is data you can’t lawfully use, and you carry the burden of proving otherwise.
  2. Documents move on need, not enthusiasm. A seller’s deed goes to a serious buyer’s lawyer at diligence — not to every prospect as a listing attachment. A buyer’s KYC goes to the developer they’re booking with — not to three others “to compare offers” without being told.
  3. Dead deals mean deletion. The enquiry that went cold, the buyer who chose elsewhere, the mandate that lapsed — their files’ purpose has ended, and holding them “for future opportunities” is a fresh purpose needing fresh consent, not a default.

Where DPDP sits alongside RERA and the anti-money-laundering rules

RERA professionalised the trade; the anti-money-laundering law quietly made agents record-keepers; DPDP governs the data layer across all of it. RERA (real-estate regulation) registration brings conduct obligations and record expectations but no privacy regime — the DPDP Act supplies that. The less-known layer: real estate agents are notified reporting entities under the Prevention of Money-Laundering Act (PMLA), which brings client due-diligence (KYC) and record-maintenance duties on covered transactions. That matters twice: it means collecting KYC for a covered deal rests on a legal-obligation ground (Section 7) rather than pure consent — and it means those records are lawfully retained for the statute’s period even as everything else follows DPDP’s purpose-and-erasure logic. The reconciliation is the same shape as every regulated profession’s: statutory records stay for their mandated periods, each hold traceable to the law requiring it; the funnel and the dead deals don’t get to shelter under it.

Common mistakes brokers and agencies make

The trade’s defaults are the violation list.

  • Trading lead lists — selling, swapping or “sharing with the network”; the flagship purpose-limitation breach.
  • The WhatsApp deal file — both parties’ documents accumulating in chats and galleries across every phone the deal touched, unrecallable forever.
  • Blast-forwarding documents — deeds to unserious prospects, KYC to multiple developers, loan files “for options” — disclosures without need or notice.
  • The immortal funnel — years of enquiry data and site-visit registers with no purpose, no schedule and no owner.
  • Team churn taking data along — agents leaving with the client base on their personal phones, because it was never anywhere else.
  • Assuming RERA covers it — conduct registration mistaken for data compliance.

Collecting party documents compliantly

Stage the collection to the deal and keep one controlled copy — the same discipline your clients are being told to demand. Enquiry stage needs contact details and requirements, nothing more; document collection belongs at agreement and diligence, scoped to that stage’s genuine needs; and what you collect lives in one controlled store — not the team’s personal phones — shared onward only with the named parties the client knows about. A short notice at the enquiry form and a purpose-marked ask for documents cost nothing and read as professionalism. The mechanics are shared across professional practice — see secure client document collection for professionals and the compliant document-request pattern — and it’s worth knowing your clients’ side of the table is reading the property-documents sharing guide, which tells them to stage disclosure, watermark copies and chase deletion. The brokers who can say “that’s exactly how we work” win those clients.

FAQ

Is a solo property agent really covered by the DPDP Act?

Yes — deciding why and how clients’ personal data is used makes you a Data Fiduciary regardless of size. The duties scale in exposure, not existence, and a phone-based practice is more leak-prone, not less regulated.

Can I share a buyer’s details with other projects or brokers?

Only with the buyer’s specific consent to that sharing. The enquiry consented to being served on that requirement — circulating or selling the lead is a different purpose, and it’s the sector’s most common violation.

What’s this PMLA duty for real estate agents?

Agents are notified reporting entities under the anti-money-laundering law, carrying client due-diligence and record-keeping duties on covered transactions. It also means covered-deal KYC rests on a legal-obligation ground and is lawfully retained for the statutory period.

How long can I keep a client’s documents after a deal closes — or dies?

Statutory records for their mandated periods; everything else until its purpose ends. A dead enquiry or lapsed mandate is an ended purpose — deletion, not a “future opportunities” folder, unless the client consented to exactly that.

A seller wants their deed copies back from old prospects. Whose problem is it?

Partly yours: you circulated them, so you chase them. Practically — keep a disclosure log per deal (who received which documents, when) so cleanup is a checklist, not archaeology. That log is also your own proof of discipline.

Reviewed by Confidential Dispatch Editorial Team
Last updated 17 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →