Please Note: This Article is 4 years old. This increases the likelihood that some or all of its content is now outdated.

Data Protection:

What to communicate in your GDPR compliant privacy notice

Landlords and letting agents with their own websites should be aware that their business must have a privacy policy and include a Privacy Notice on the website. This must comply with the existing data protection legislation and the new GDPR regulations which come into force on 25th May 2018.

Legal document provider Net Lawman has provided a free GDPR compliant privacy notice template for letting agents and estate agents – see below.

Despite all the recent publicity around the General Data Protection Regulation, the requirements of this new law are largely the same as existing law.

What has changed is public awareness of privacy. Your existing clients are likely to be much more concerned as to what information you collect and how you use it. Potential clients may also use your privacy policy as a basis on which to decide whether to use your services.

There are also more severe implications for non-compliance if your business is investigated by the Information Commissioner’s Office (the ICO) following a complaint. The GDPR gives the ICO the power to fine your business up to 4% of your turnover.

If someone does complain about your business, we think that the ICO will first look at your privacy notice. If you have shown effort to comply with the law, that should generate enough goodwill with the ICO to avoid a fine in the first instance.

The advantages of having a well-written privacy policy in place are therefore to comply with the law, but also to convey the message of compliance both to clients and the ICO.

A good notice should comprise a combination of statements intended to reassure and statements required by law.

The information your notice should communicate includes:

  • the name of your business and the head office address. This is required so that people know who is handling their data, and also so that they know where to address requests. You might also provide a telephone number or e-mail address if these are not clearly displayed elsewhere on your website.
  • the rights that data subjects have. Rather than clutter a policy with a detailed explanation of the law, we prefer to refer to a third party website that provides this information.
  • types of personal information you handle. You don’t have to list every piece of information you use, but rather communicate what types of information you use for different categories of individual. The majority of personal information that your business uses is likely to relate to clients, potential clients and people searching to buy or let.
  • the grounds under which you use data. There are six legal bases. You are likely to use four. You must disclose which basis you use for each type of information. You don’t have to be specific – you can say that you use data given to you in order to carry out your contract with your client under the basis of Contract. However, it can be advantageous for reassurance purposes to list some specific uses, particularly those most likely to concern clients (such as marketing).
  • whether data is processed outside the EU and how it is protected. GDPR can only be enforced on businesses who exist within the EU. If data is transferred outside the EU, then it is no longer protected by the GDPR. Most estate agents and lettings agents are unlikely to transfer data beyond a local office network, let alone outside the EU. However, a possibility to consider is whether you use a cloud-based software system operated by a business outside the EU (such as in the US).
  • how individuals can exercise their rights to see what information you hold, and request corrections and removal.

Net Lawman provides a model privacy policy specifically written for property agents from its website free of charge. You can download it from:

Included with the document are additional notes that explain your


  1. Thanks so much to Net Lawman for providing this free.

    However, in the words of Catherine Tate’s Gran – ‘What a load of old shit!’. I am referring to this bloody boring GDPR. It’s really just something to keep all the drones in the ICO’s office occupied so they can continue paying their rents and mortgages. Who the hell reads it?

    We will all still get the same deluge of spam emails, texts and calls and the ICO will do virtually NOTHING about it. If you call them up they are like all these government regulatory bodies, they will say ‘That’s not something we deal with’.

    Personally I am bored stiff with the GDPR, which actually sounds like some old Eastern European Soviet State.

