At a glance
A property deal concentrates more personal data in one WhatsApp thread than most businesses hold anywhere — buyers’ KYC, sellers’ deeds, loan files, site-visit registers — and the broking habit of trading leads and circulating documents is a DPDP violation pattern by default. Brokers and agents are Data Fiduciaries with the full duties: notice, purpose-bound consent, security, deletion when deals die. And separately, real estate agents are notified reporting entities under India’s anti-money-laundering law, which adds KYC and record-keeping duties of its own.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to real estate brokers, agents and developers; it is not formal legal advice.
The situation
Real estate runs on circulation: a buyer’s details shared with five developers “to check availability,” a seller’s deed forwarded to every prospect who sounds serious, a lead list passed between brokers as professional currency. That circulation is the business model — and under the DPDP Act it’s also the exposure, because every one of those forwards is a disclosure of personal data that needed a purpose and a basis. No sector’s daily habits sit further from the Act’s defaults, which is exactly why the brokers who adapt first will have something real to say to data-nervous clients.
Does DPDP apply to a broking business?
Yes — a solo agent with a phone full of client documents is a Data Fiduciary the same as a national brokerage or a developer’s sales office. The moment you decide why and how a buyer’s or seller’s personal data is used — collecting KYC for a booking, holding deed copies for a mandate, logging site visits — the duties attach: notice at collection, a lawful basis per purpose, security for what you hold, breach reporting, and deletion once the purpose ends. The informality of the trade changes nothing; if anything it concentrates risk, because the “systems” holding this data are personal phones, chat threads and desk drawers — the places data leaks from first.
The data a property deal actually concentrates
Both sides’ identity and finances, the property’s paper trail, and a wake of enquirers who never transacted.
- Buyer-side — KYC documents, PAN, loan sanction letters and bank statements shared for eligibility, family details volunteered along the way.
- Seller-side — the deed chain (carrying previous owners’ data too), tax receipts, society records, the owner’s identity bundle.
- The deal file — agreements, token receipts, payment records: identity plus wealth, cross-linked.
- The funnel — site-visit registers, enquiry forms, portal leads: hundreds of people’s contacts per closed deal, most of whom bought nothing and consented to less.
- Tenancy work — tenant KYC and employment proofs, police-verification paperwork, landlord details.
The funnel deserves the hard look: for every deal’s worth of necessary documents, a broking business accumulates a far larger pile of prospect data with no live purpose — which is exactly the pile that gets traded.
The obligation that actually bites: leads and documents aren’t tradeable inventory
The enquiry was consent to be served, not consent to be circulated — purpose limitation lands directly on the trade’s core habits. Under the Act, data is collected for a stated purpose and used for that purpose (Section 6); each new use needs its own basis. Applied plainly:
- Lead lists can’t be sold or swapped. A buyer who enquired about one project consented to that conversation — not to their number joining a list sold to other brokers, or fed to every project in the pipeline. Buying lists is the same problem inbound: data whose consent trail you can’t show is data you can’t lawfully use, and you carry the burden of proving otherwise.
- Documents move on need, not enthusiasm. A seller’s deed goes to a serious buyer’s lawyer at diligence — not to every prospect as a listing attachment. A buyer’s KYC goes to the developer they’re booking with — not to three others “to compare offers” without being told.
- Dead deals mean deletion. The enquiry that went cold, the buyer who chose elsewhere, the mandate that lapsed — their files’ purpose has ended, and holding them “for future opportunities” is a fresh purpose needing fresh consent, not a default.
Where DPDP sits alongside RERA and the anti-money-laundering rules
RERA professionalised the trade; the anti-money-laundering law quietly made agents record-keepers; DPDP governs the data layer across all of it. RERA (real-estate regulation) registration brings conduct obligations and record expectations but no privacy regime — the DPDP Act supplies that. The less-known layer: real estate agents are notified reporting entities under the Prevention of Money-Laundering Act (PMLA), which brings client due-diligence (KYC) and record-maintenance duties on covered transactions. That matters twice: it means collecting KYC for a covered deal rests on a legal-obligation ground (Section 7) rather than pure consent — and it means those records are lawfully retained for the statute’s period even as everything else follows DPDP’s purpose-and-erasure logic. The reconciliation is the same shape as every regulated profession’s: statutory records stay for their mandated periods, each hold traceable to the law requiring it; the funnel and the dead deals don’t get to shelter under it.
Common mistakes brokers and agencies make
The trade’s defaults are the violation list.
- Trading lead lists — selling, swapping or “sharing with the network”; the flagship purpose-limitation breach.
- The WhatsApp deal file — both parties’ documents accumulating in chats and galleries across every phone the deal touched, unrecallable forever.
- Blast-forwarding documents — deeds to unserious prospects, KYC to multiple developers, loan files “for options” — disclosures without need or notice.
- The immortal funnel — years of enquiry data and site-visit registers with no purpose, no schedule and no owner.
- Team churn taking data along — agents leaving with the client base on their personal phones, because it was never anywhere else.
- Assuming RERA covers it — conduct registration mistaken for data compliance.
Collecting party documents compliantly
Stage the collection to the deal and keep one controlled copy — the same discipline your clients are being told to demand. Enquiry stage needs contact details and requirements, nothing more; document collection belongs at agreement and diligence, scoped to that stage’s genuine needs; and what you collect lives in one controlled store — not the team’s personal phones — shared onward only with the named parties the client knows about. A short notice at the enquiry form and a purpose-marked ask for documents cost nothing and read as professionalism. The mechanics are shared across professional practice — see secure client document collection for professionals and the compliant document-request pattern — and it’s worth knowing your clients’ side of the table is reading the property-documents sharing guide, which tells them to stage disclosure, watermark copies and chase deletion. The brokers who can say “that’s exactly how we work” win those clients.
FAQ
Is a solo property agent really covered by the DPDP Act?
Yes — deciding why and how clients’ personal data is used makes you a Data Fiduciary regardless of size. The duties scale in exposure, not existence, and a phone-based practice is more leak-prone, not less regulated.
Can I share a buyer’s details with other projects or brokers?
Only with the buyer’s specific consent to that sharing. The enquiry consented to being served on that requirement — circulating or selling the lead is a different purpose, and it’s the sector’s most common violation.
What’s this PMLA duty for real estate agents?
Agents are notified reporting entities under the anti-money-laundering law, carrying client due-diligence and record-keeping duties on covered transactions. It also means covered-deal KYC rests on a legal-obligation ground and is lawfully retained for the statutory period.
How long can I keep a client’s documents after a deal closes — or dies?
Statutory records for their mandated periods; everything else until its purpose ends. A dead enquiry or lapsed mandate is an ended purpose — deletion, not a “future opportunities” folder, unless the client consented to exactly that.
A seller wants their deed copies back from old prospects. Whose problem is it?
Partly yours: you circulated them, so you chase them. Practically — keep a disclosure log per deal (who received which documents, when) so cleanup is a checklist, not archaeology. That log is also your own proof of discipline.