Real Estate Data Collection Under DPDPA Section 4: 5 Lawful Grounds Explained
| Applies to | Real Estate Agents, Property Dealers & Brokers operating in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-06 |
| Source | DPDPAReady Compliance Team |
Section 4 Lawful Grounds: How Real Estate Firms Process Property Data Compliantly
Real estate professionals collect extensive personal data—names, addresses, financial details, ID proofs—from the moment a prospect inquires about a property. Section 4 of the DPDPA 2023 Act requires you to establish lawful grounds before collecting or processing any of this data. Without documented grounds, your firm faces penalties up to ₹150 crore.
Section 4 states: “Personal data shall be processed on one of the following grounds: (a) consent of the data principal; (b) performance of contract; (c) compliance with legal obligation; (d) protection of vital interests; (e) carrying out functions in public interest; or (f) legitimate interests of the data principal or data fiduciary.”
When a customer enters your office with a property query, Section 4 is already active. Collecting their name, phone number, or address isn’t automatic—you need one of these six lawful grounds documented in writing.
Step 1: Map Your Data Collection Points to Section 4 Grounds
Real estate involves multiple data-collection moments. Each requires a documented ground:
- Lead Form Submission — Ground: Explicit consent checkbox
- Site Visit & Property Viewing — Ground: Contract preparation or legitimate interest in qualified leads
- Loan Document Processing — Ground: Performance of property purchase contract
- Post-Sale Follow-Up — Ground: Legitimate interest in business feedback and referrals
- Tenant Verification — Ground: Legal obligation under property laws + contract
Action: List every touchpoint where you collect data. Assign one of the six Section 4 grounds to each. Document this mapping in writing—regulators will ask for it.
Step 2: Draft a Lawful Grounds Declaration
Section 4 does not require published privacy policies alone—it requires reasoned justification for why each ground applies to your processing.
Template for Real Estate Lawful Grounds Declaration:
LAWFUL GROUNDS DECLARATION
Real Estate Business: ________________________
Date: ________________________
Data Collection Point:
Buyer inquiry form submission
Personal Data Collected:
- Name, email, phone number
- Intended purchase budget
- Property type preference
Lawful Ground (Section 4, DPDPA 2023):
(a) Consent – Data principal has explicitly ticked the consent checkbox on the inquiry form before submission
Processing Activity:
Lead qualification, property recommendation, CRM storage
Retention Period:
2 years from inquiry date or transaction completion, whichever is later
Storage Method:
Encrypted CRM database, accessible only to authorized sales team
Third-Party Sharing:
None without separate consent from data principal
Justification:
Explicit consent is obtained before form submission. Data principal is provided this Privacy Policy and Lawful Grounds Document prior to data entry.
Repeat this template for each distinct data-collection scenario (site visit, financing, tenant screening, post-sale). Keep copies in both digital and physical format.
Step 3: Prioritize Consent for High-Risk Property Data
Some data types are particularly sensitive in real estate:
- Financial Information (loan-to-value, annual income, credit score)
- Family Details (spouse, children, dependents, marital status)
- Employment Information (employer name, salary, job stability)
- Identity Proofs (Aadhar, PAN, driver’s license, passport)
For these categories, consent ground (Section 4(a)) is the safest. Why? It is explicit, reversible, and clearly documented.
Real Estate Firm Consent Checklist:
- Consent checkbox is separate from Terms & Conditions (not bundled together)
- Consent language is plain English, not legal jargon (e.g., “I agree to share my income details to process my home loan application”)
- Checkbox is not pre-ticked or forced
- User can withdraw consent at any time through a simple mechanism
- You retain timestamped, signed proof of consent for 5+ years
Step 4: Document Legitimate Interest for Post-Sale & Marketing
After a property sale closes, you may want to contact customers for referrals or testimonials. This does not require fresh consent if you use the legitimate interest ground (Section 4(f)).
Legitimate interest requires:
- Clear statement: “We have a legitimate interest in requesting referrals to grow our business.”
- Proportionality test: “Your contact will receive one SMS or email per quarter—not frequent enough to overburden you.”
- Opt-out mechanism: “You can unsubscribe at any time with one click.”
Real Estate Example:
“After your property purchase, we may contact you to request referrals or feedback on your experience. Our legitimate interest is business development and customer satisfaction. You can opt out of future contact at any time.”
This ground does not require consent but must be disclosed upfront and must pass a proportionality test. Regulators now expect real estate firms to prove the business interest is not excessive compared to customer inconvenience.
Step 5: Contract Ground for Financing & Legal Compliance
When a buyer is ready to transact, Section 4(b) (contract ground) applies directly to transaction-essential data:
- Bank loan application requires financial and identity details → Ground: performance of the mortgage contract
- Property registry filing requires buyer identity and address → Ground: performance of the sale deed
- Tenant agreement requires guarantor details → Ground: performance of the tenancy contract
For contract-based data processing:
- Keep a signed copy of the contract in your records
- Limit data collection strictly to fields needed for contract performance (no fishing for extra information)
- Retain data only as long as contract term plus statutory warranty period (typically 5 years post-transaction)
- Do not use contract-collected data for unrelated marketing or third-party sales
Step 6: Handle Minor & Guardian Consent Requirements
If a buyer or tenant is under 18, Section 4 requires parental or guardian consent for data processing. Real estate firms occasionally encounter co-purchasers or guarantors who are minors.
Minor Data Protection Checklist:
- Identify any data subject under 18 years of age
- Obtain documented consent from both parent/guardian and the minor (if age 12–17)
- For children under 12, guardian consent alone is sufficient
- Retain proof of parental consent for 7 years (post-transaction)
- Document the minor’s name, date of birth, and guardian name in your records
Step 7: Build & Maintain Your Audit Trail
Regulators will ask: “What Section 4 ground did you rely on for processing this data?” You must produce written evidence:
- Consent records — Timestamps, IP addresses, exact consent text as presented to user
- Privacy notices — Screenshots or logs of how privacy terms appeared at collection time
- Lawful grounds declaration — Internal document mapping each processing activity to a Section 4 ground
- Data processing inventory — List of all sensitive data collected, grounds used, retention dates, third parties involved
- Impact assessments — Risk analysis for high-sensitivity data (financial, identity, family info)
Real Estate Data Audit Log Template:
| Data Type | Collection Date | Collector | Ground (Section 4) | Evidence | Retention End-Date |
|---|---|---|---|---|---|
| Prospect name, phone, email | 2026-06-15 | Online form | (a) Consent | Email receipt, consent log entry | 2028-06-15 |
| Buyer income, employment, KYC | 2026-06-20 | Bank liaison | (b) Contract | Loan application, signed form | 2028-06-20 |
| Tenant guarantor ID, address | 2026-07-01 | Lease execution | (b) Contract | Tenancy agreement, executed copy | 2028-07-01 |
| Referral follow-up contact | 2026-08-10 | CRM outreach | (f) Legitimate Interest | Opt-in record, frequency log | 2027-08-10 |
Maintain this log throughout your 3–5 year data retention period. Regulators may audit compliance during investigations or routine inspections.
Real Estate Scenario: How One Firm Fixed Section 4 Non-Compliance
Priya runs a boutique property consulting firm in Bangalore, serving 50–100 active clients. She collects buyer/seller information via WhatsApp, email forms, and in-person consultations. A compliance audit revealed a critical gap:
The Problem: Priya had no documented Section 4 lawful grounds for collecting buyer inquiries or forwarding leads to partner builders. She assumed “general business necessity” was a sufficient basis.
Section 4 Compliance Solution:
- Drafted a Lawful Grounds Declaration and displayed it on her website (consent ground for inquiries) and in office (contract + legitimate interest for lead forwarding to builders).
- Added a consent checkbox to her email inquiry form: “I consent to Priya’s Property Consultancy sharing my details with partner builders to accelerate my property search.”
- For existing clients (pre-compliance), sent a one-time consent email with a link to opt in or out of future builder referrals.
- Retained all consent receipts, timestamps, and opt-out logs in a spreadsheet linked to her CRM.
- Documented third-party builder partnerships in writing, specifying data categories shared and retention periods.
Compliance Result: Priya reduced compliance risk from a potential ₹150 crore penalty to fully documented, auditable grounds for every data processing activity. When audited 6 months later, regulators found complete evidence trails.
Key Takeaways
- Section 4 applies before you collect data—identify lawful grounds before the inquiry form goes live, not after.
- Consent is the safest ground for real estate because it is explicit, revocable, and easiest to document and defend.
- Contract ground applies naturally to financing and property transfer—lean on it for transaction-essential data.
- Legitimate interest works for post-sale marketing but requires a proportionality test and opt-out mechanism.
- Audit trails beat promises—regulators ask for written evidence of Section 4 compliance, not good intentions.
- Third-party data sharing requires separate authorization—forwarding leads to builders or banks requires either consent or a documented contract clause.
- Minors require parental consent—do not process data from anyone under 18 without guardian authorization.
Frequently Asked Questions
Q: Can I collect a buyer’s Aadhar or PAN number without their consent?
A: Not under Section 4(a) consent alone. However, if the bank or government mandates Aadhar for the property transaction, Section 4(c) (legal obligation) applies. You must document which legal requirement triggers collection (e.g., RBI home loan norms, PMAY scheme, NHB housing finance rules). Your lawful ground is the legal obligation, but you still must inform the buyer upfront which law requires their identity proof. Consent is not necessary, but transparency is mandatory under Section 4.
Q: I have a 10-year relationship with my tenant. Do I still need consent to use their phone number for referral requests?
A: Yes, Section 4 applies regardless of relationship length. However, because you have a lawful basis for the original tenancy (contract ground, Section 4(b)), you can use legitimate interest (Section 4(f)) for referral requests without fresh consent—as long as you (1) clearly disclose this use upfront, (2) keep contact frequency reasonable (e.g., one referral request per quarter), and (3) provide an easy, one-click opt-out. Past relationship does not grandfather you out of Section 4 compliance.
Q: A builder wants all my prospect contact lists. What lawful ground covers sharing?
A: Sharing prospect data with third parties requires either (1) the prospect’s explicit consent (Section 4(a)), or (2) a documented contract authorizing the share. “General business development” is not a lawful ground. Before sharing any list with the builder, obtain written proof that each prospect consented to third-party forwarding—or decline the request. Regulators increasingly fine firms for unauthorized third-party data transfers, even within the real estate industry.
Q: How long should I retain a prospect’s phone number if they never close a transaction?
A: Section 4 does not specify retention timelines—that is covered under Section 10 (data minimization). However, real estate best practice is: (1) retain lead data for 2 years (standard follow-up window), (2) document your retention policy in writing (include this in your Lawful Grounds Declaration), (3) delete or anonymize data after 2 years unless the prospect explicitly opts in for ongoing contact. If a prospect withdraws consent at any time, delete their data immediately and document the deletion date.
Q: My CRM automatically forwards all leads to my sub-agents. Does each sub-agent need separate Section 4 consent?
A: Your privacy notice and consent form must disclose that leads are forwarded to partner agents within your firm. If the prospect consents to “Your Property Consultancy and its partner agents,” that one consent covers internal sub-agent forwarding (same data controller). However, if you forward to outside builders, finance companies, or brokers not employed by you, that is a third-party share requiring either (1) separate, explicit consent from the prospect or (2) a documented contract authorizing the share. Sub-agents are internal processing; outside parties require explicit permission under Section 4(a).
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →