Real Estate Section 4 Compliance: 7-Point Audit Checklist for Lawful Processing Grounds
| Applies to | Real Estate & Property businesses, residential society managers & property developers operating in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | up to ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-06 |
| Source | DPDPAReady Compliance Team |
A Property Manager’s Section 4 Compliance Gap
Sharan Realty, a 200-unit residential society in Bangalore, collects tenant mobile numbers for lease paperwork. During a compliance audit, the data protection officer uncovers a gap: no documented consent, no legitimate interest memo, no processing agreement. Section 4 DPDPA violation. Exposure: ₹150 crore penalty.
This scenario repeats across India. Real estate businesses process vast amounts of personal data—tenant contact details, co-borrower information, employment records, property photographs, payment histories. Section 4 DPDPA mandates you document a lawful basis for every data collection and processing activity. Miss it, and you face statutory penalties and regulatory enforcement.
Understanding Section 4: The Foundation of Lawful Processing
Section 4 of DPDPA 2023 is the compliance backbone. It specifies six lawful grounds on which personal data may be processed. Without at least one applicable ground documented at the point of collection, processing is illegal—no exceptions for legitimate business need.
The critical requirement: You must identify and document the lawful ground before tenant data enters your CRM, database, or spreadsheet. For real estate, this means processing notices in lease agreements, signed consent forms, or documented Legitimate Interest Assessments.
Section 4 DPDPA — Statutory Requirement
Personal data shall be processed by the data fiduciary only on one or more of the following grounds: (a) with the consent of the data principal; (b) where processing is necessary to perform a contract to which the data principal is a party; (c) where processing is necessary to comply with a legal obligation; (d) where processing is necessary to protect the vital interests of the data principal; (e) where processing is necessary for a function conferred by law upon a government agency; or (f) where processing is necessary for a legitimate interest pursued by the data fiduciary.
Real estate businesses must audit their data inventory and assign one or more of these grounds to each category of personal data.
The 6 Lawful Processing Grounds for Real Estate + Real-World Application
Ground 1: Consent — Explicit Permission from the Tenant
When to use: Marketing communications, tenant photos in brochures, SMS/WhatsApp lease reminders, sharing contact with service vendors.
Real estate example: A tenant signs a consent form authorizing the property manager to send monthly rent reminders via SMS. The consent is dated, specific in scope (monthly rent updates only), and revocable.
Compliance action:
- Obtain written, dated consent before processing.
- Specify the exact purpose (e.g., “monthly rent reminders,” not “any purpose”).
- Provide an opt-out mechanism (e.g., “reply STOP to unsubscribe”).
- Retain the original signed consent form.
- Do not share tenant contact data with third parties without separate consent.
Ground 2: Contract Performance — Data Necessary to Execute the Lease
When to use: Tenant name, address, ID proof (Aadhaar/PAN/Passport), contact number, co-borrower details, employment verification, income proof, rent payment tracking.
Real estate example: A property manager collects a co-borrower’s employment certificate to verify loan eligibility for a 5-year lease. This data is necessary to perform the lease contract and assess tenant creditworthiness.
Compliance action:
- Include a processing clause in the lease agreement: “Tenant’s personal data, including ID proof and employment details, is processed under Section 4(b) of DPDPA 2023 to perform this lease contract.”
- Document why each data category is necessary (e.g., “Aadhaar required for identity verification”).
- Retain data only for the contract duration + 1 year (for dispute resolution and tax compliance).
- Do not repurpose tenant contract data for marketing without separate consent (Ground 1).
Ground 3: Legal Compliance — Statutory Obligation
When to use: Property tax verification, Aadhaar verification (if mandated by local authority), GST registration, building society regulatory filings, police verification for certain building types.
Real estate example: A municipal corporation mandates Aadhaar verification for public housing societies. A building processes tenant Aadhaar under Ground 3 (legal obligation to comply with municipal regulation).
Compliance action:
- Document the specific statute or regulation requiring data collection (e.g., “Municipal Housing Act Section 12”).
- Retain the regulation citation in your processing records.
- Process only the data mandated by the regulation (not additional data under the guise of legal obligation).
- Limit processing to the tenure of the legal obligation (e.g., GST records retained for 6 years per GST law).
Ground 4: Vital Interests — Protection of Life or Health
When to use: Emergency contact numbers, medical information in case of tenant injury, allergies/health conditions for safety protocols.
Real estate example: A tenant suffers a fall in the building stairwell. The property manager accesses the tenant’s emergency contact number (previously collected) to notify family and emergency services. This processing is under vital interests (Section 4(d)).
Compliance action:
- Collect emergency contact data at lease signup, but process it only for emergencies.
- Do not use emergency contact data for routine communications or marketing.
- Document the emergency in your records (date, incident, action taken).
- Delete emergency contact data 1 year after lease termination (no ongoing vital interest).
Ground 5: Legitimate Interest — Business Necessity Without Outweighing Tenant Privacy
When to use: Rent payment history for collection and default tracking, tenant directory for building notices, security incident documentation, maintenance records, dispute resolution.
Real estate example: A property manager maintains a 7-year rent payment history to distinguish defaulters from compliant tenants for renewal decisions and to defend against tenant claims of “never missed rent” in disputes. This is a legitimate business interest (Ground 6, see below) proportionate to tenant expectations.
Compliance action:
- Prepare a Legitimate Interest Assessment (LIA) document for each use case.
- LIA template (one page per use case):
- Purpose: [e.g., rent collection & default prevention]
- Necessity: [e.g., without rent history, cannot identify payment patterns or defaults]
- Balancing test: [e.g., tenant expectation to have rent monitored is reasonable; privacy impact is minimal; business interest is proportionate]
- Mitigation: [e.g., data deleted 7 years after lease ends; access restricted to finance team; no sale to brokers]
- Do not process under legitimate interest if tenant privacy is clearly outweighed (e.g., selling tenant list to brokers without consent).
- Provide an opt-out mechanism where feasible (e.g., tenant can request their details not be in the society directory).
Ground 6: Function Conferred by Law — Government or Mandated Entity Processing
When to use: Building society registration, elected committee processing resident lists per Societies Act, fire safety officer records per fire code.
Real estate example: An elected housing society committee processes a tenant resident list per the Maharashtra Apartment Ownership Act to conduct Annual General Meetings (AGMs) and maintain building records. This function is conferred by statute.
Compliance action:
- Document the statute conferring the function (e.g., “Societies Act, 2012”).
- Process only the data necessary for the statutory function.
- Limit processing to the tenure of the function (e.g., committee tenure = 2–3 years).
- Do not repurpose government-mandated data for other purposes without a separate legal ground.
Real Estate Section 4 Compliance Checklist (7-Point Audit)
Use this checklist to audit your current data practices and document compliance:
1. Inventory All Personal Data Categories
- Tenant name, contact details (phone, email, address)
- Tenant identity documents (Aadhaar, PAN, passport, driving license)
- Financial data (salary certificate, employment letter, bank account details, income tax returns)
- Co-borrower and family member details
- Tenant photographs (for brochures, identity verification)
- Medical/health information (allergies, emergency contact, medical conditions)
- Emergency contact numbers
- CCTV footage and security recordings
- Visitor and guest logs
- Property staff employee records
- Rent payment history
2. Assign a Lawful Ground to Each Data Category
For each category in the inventory above, mark which Section 4 ground(s) apply:
- Consent (a): Which tenants have provided written consent? For what purpose? Is consent documented and dated?
- Contract (b): Which data is necessary to perform the lease contract? (e.g., name, contact, ID proof for lease execution)
- Legal Obligation (c): Which data is required by statute? (e.g., Aadhaar for municipal verification) Cite the law.
- Vital Interests (d): Which data is collected for emergency use only? (e.g., emergency contact number)
- Legitimate Interest (f): Which data is needed for building operations, rent collection, or security? Have you prepared an LIA for each use case?
- Government Function (e): Which data is processed by elected committees or mandated officers? Cite the statute.
3. Update Lease Agreements & Tenant Notices
- Lease agreement includes Section 4 processing clause: “Tenant data is processed under Section 4(b) DPDPA 2023 for lease performance.”
- Separate Consent Form for marketing communications (WhatsApp, SMS, email reminders), with opt-out option.
- Tenant handbook includes a Data Processing Notice explaining: (i) data categories collected, (ii) lawful grounds, (iii) retention period, (iv) tenant rights (access, deletion, correction).
- Notice provided at lease signup (not retroactively).
4. Document Legitimate Interest Assessments (LIAs)
For each use case marked as Ground 6 (f), prepare a one-page LIA:
- Rent payment history (7-year retention for tax & dispute purposes) → LIA prepared and dated.
- Tenant directory (list of residents for AGM, maintenance notices) → LIA prepared with tenant opt-out option.
- CCTV footage (30-day retention for security incidents) → LIA prepared.
- Visitor/guest logs (90-day retention for building security) → LIA prepared.
- Complaint/dispute records (2-year retention for resolution) → LIA prepared.
Store all LIAs in a centralized file (e.g., “DPDPA_LIA_Register.xlsx”).
5. Audit Data Retention & Deletion Practices
- Tenant personal data deleted 1 year after lease termination (unless legal hold or vital interest applies).
- Emergency contact data deleted 1 year after lease termination (no ongoing vital interest).
- CCTV footage deleted after 30 days (or 90 days if a security incident is under investigation).
- Visitor/guest logs deleted after 90 days (or until any incident is resolved).
- Rent payment records archived to secure storage after 7 years (tax retention period expires; access limited).
- Complaint/dispute records retained during dispute + 1 year, then deleted.
Implement a data deletion calendar (Excel tracker) with deletion dates and sign-off.
6. Train Staff on Section 4 Compliance
- Leasing team: Explain consent requirements (Ground 1) and contract processing (Ground 2). When to collect data, what to retain, how to handle deletion requests.
- Finance team: Document legitimate interest for rent tracking (Ground 6) and explain 7-year retention for tax purposes (Ground 3).
- Security team: Explain vital interests ground (Ground 4) for emergency use and legitimate interest for incident documentation (Ground 6). Clarify CCTV retention (30 days).
- Operations team: Explain lawful grounds for visitor logs, maintenance records, and building notices.
- Management: Assign a data protection officer (DPO) responsible for DPDPA compliance and audit oversight.
7. Prepare for Regulatory Audit & Inquiry
- Maintain a Processing Register (master document) listing all data categories, lawful grounds, retention periods, and data deletion dates.
- Keep all signed consent forms organized by tenant ID and dated.
- Store LIA documents for each Ground 6 (f) use case, signed and dated.
- Retain lease agreements showing Section 4 processing clause.
- Document all deletion actions in a log (tenant ID, date deleted, ground reason).
- Prepare a DPO contact list for regulatory inquiries.
Real Estate Section 4 Processing Template (Editable)
[Copy and customize for your property/society]
PROPERTY / SOCIETY NAME: ________________________
DATA PROTECTION OFFICER: ________________________
DATE AUDIT COMPLETED: ________________________
| Data Category | Section 4 Ground | Purpose | Retention Period | Consent Form on File? | LIA Document? |
|---|---|---|---|---|---|
| Tenant name, phone, email, address | (b) Contract | Lease execution & communication | Until lease + 1 year | No | — |
| Tenant Aadhaar, PAN, passport | (b) Contract | Identity verification for lease | Until lease + 1 year | No | — |
| Co-borrower employment letter, income proof | (b) Contract | Loan eligibility verification | Until lease + 1 year | No | — |
| Monthly rent payment history | (f) Legitimate interest | Rent collection, default tracking, tax records | 7 years | No | Yes |
| Tenant photo for brochure/ID | (a) Consent | Marketing, lease documentation | Until consent revoked | Yes | — |
| Emergency contact (name, phone, relation) | (d) Vital interests | Emergency use only | Until lease + 1 year | No | — |
| CCTV footage (common areas) | (f) Legitimate interest | Security, incident investigation | 30 days (or 90 if incident under review) | No | Yes |
| Visitor & guest logs | (f) Legitimate interest | Building security, incident response | 90 days | No | Yes |
| Maintenance/repair work orders | (f) Legitimate interest | Building maintenance record | 2 years | No | Yes |
| Tenant directory (resident contact list) | (f) Legitimate interest + (a) Consent (opt-in) | AGM, maintenance notices, community communication | 1 year | Yes (opt-in) | Yes |
| Building society committee records | (e) Government function | Statutory compliance per Societies Act | Per statute (typically 2–3 years) | No | — |
Legitimate Interest Assessment Template (Fill-In)
For each Ground 6 (f) use case above, complete one LIA per purpose:
| Field | Your Response |
|---|---|
| Data Category | [e.g., “Monthly Rent Payment History”] |
| Purpose of Processing | [e.g., “Rent collection, default prevention, tax record”] |
| Necessity | [e.g., “Without 7-year rent history, we cannot track tenant payment patterns or defend against false claims of ‘never missed rent’ in disputes. History is essential for tenant re-verification at lease renewal.”] |
| Balancing Test | [e.g., “Tenant expectation: Reasonable to monitor rent compliance during lease. Privacy impact: Low (data held internally, not shared). Business interest: High (rent collection is core business function). Conclusion: Interest is proportionate; tenant privacy is not outweighed.”] |
| Mitigation Measures | [e.g., “Data deleted 7 years after lease ends (tax retention expires). Access restricted to finance team only. No sale to third parties. Encrypted storage. Annual audit.”] |
| Date Prepared | [e.g., “15-06-2026”] |
| Prepared By | [e.g., “Compliance Officer Name & Signature”] |
Real Estate Compliance Pitfalls & Section 4 Fixes
Pitfall 1: “Silent Collection”
- Problem: Property manager collects tenant mobile number “just in case” for building communication, without mentioning Section 4 compliance or data use.
- Section 4 fix: Identify the lawful ground before collection. If it’s legitimate interest (Ground 6), prepare an LIA. If it’s optional, collect only with explicit consent (Ground 1). Include a processing notice in the lease or onboarding document.
Pitfall 2: Overstated Consent
- Problem: Lease agreement says “we may use your data for marketing purposes,” but tenant never explicitly consented to that use.
- Section 4 fix: Add a separate, dated Consent Form titled “Consent for Marketing Communications” with opt-out option. Distinguish from consent embedded in the lease (which may only cover contract performance, Ground 2).
Pitfall 3: Unlicensed Data Sales
- Problem: Property manager sells tenant contact list to an insurance broker or real estate agent without tenant knowledge or consent.
- Section 4 fix: Stop immediately. Section 4 does NOT permit data sale without consent (Ground 1) or a documented legitimate interest that does NOT outweigh tenant privacy. Selling tenant data to third parties is a breach unless you have separate, signed consent with the insurance broker’s name and purpose disclosed.
Pitfall 4: Excessive CCTV Retention
- Problem: Building retains CCTV footage for 2 years “for security audit trail.”
- Section 4 fix: Section 4 (Ground 6, legitimate interest) requires proportionality. CCTV retention should match the investigative need: typically 30 days for routine security. Extend to 90 days only if a specific incident is under investigation. After incident resolution, delete within 30 days. A 2-year blanket retention violates proportionality.
Pitfall 5: Indefinite Visitor Logs
- Problem: Society keeps visitor sign-in logs forever “for audit trail.”
- Section 4 fix: Retain visitor logs only as long as necessary under Ground 6 (legitimate interest in building security). Typical retention: 90 days. If a security incident is under review, extend to incident closure + 30 days. Then delete. Indefinite retention is disproportionate.
Pitfall 6: No Consent Documentation
- Problem: Tenant verbally agrees to receive rent reminders via WhatsApp, but no signed consent form exists.
- Section 4 fix: Obtain dated, written consent on a template that specifies: (i) “I consent to receive rent reminders via WhatsApp from [Property Name],” (ii) tenant name and signature, (iii) date, (iv) opt-out instruction (“Reply STOP to unsubscribe”). Store the signed form in your tenant file.
Pitfall 7: Repurposing Contract Data
- Problem: Tenant provides employment certificate for lease qualification (Ground 2, contract). Manager then sells employment data to a third-party recruiter without tenant knowledge.
- Section 4 fix: Ground 2 (contract performance) does not permit repurposing. Employment data collected for lease verification must be used only for that purpose. Any secondary use (recruiting, marketing) requires a separate lawful ground (e.g., consent, Ground 1). Delete employment data within 1 year of lease end if no legitimate interest in retention exists.
Frequently Asked Questions
Q1: If a tenant refuses to provide their Aadhaar, can I deny them a lease?
A: Only if a statutory law mandates Aadhaar verification under Section 4(c) (legal obligation). For most residential buildings, Aadhaar is not required by law. If you insist on Aadhaar without a lawful ground, you violate Section 4. Alternative: Collect PAN or passport for identity verification (Ground 2, contract performance) or retention. Inform the tenant that identity verification is a lease condition; Aadhaar is one option, PAN/passport is another. If the tenant refuses all identity proofs, you may decline the tenancy based on business risk (inability to verify identity), not DPDPA violation.
Q2: Can I share a tenant’s contact number with the building’s plumber for an emergency repair?
A: Yes, under Section 4(d) (vital interests)—the plumber needs the tenant’s contact to coordinate emergency repairs (e.g., burst pipe, electrical fault). Conditions: (1) Share only the one contact number, not a full tenant profile. (2) Limit sharing to the immediate emergency—do not give the plumber a tenant directory for future jobs. (3) Inform the tenant afterward that their number was shared and for what purpose (building transparency). (4) Do not store the plumber’s access logs beyond the repair completion + 30 days. Document the vital interest ground in your records: “Tenant contact shared [date] for emergency repair at [property/unit].”
Q3: Are rent payment histories covered under Ground 2 (contract) or Ground 6 (legitimate interest)?
A: Both apply, sequentially.
- Ground 2 (contract performance): Collecting and monitoring current rent payment status is necessary to enforce lease terms (tenant must pay rent on time). Processing is ongoing and active.
- Ground 6 (legitimate interest): Retaining historical payment data for 7 years (to satisfy tax regulations and to defend against tenant disputes) is a legitimate business interest. Prepare an LIA for the 7-year retention explaining: purpose (tax compliance + dispute defense), necessity (without history, cannot prove payment patterns), balancing test (tenant expects rent to be monitored; retention period is standard in real estate). After 7 years, delete unless a specific dispute is ongoing.
Q4: What if a tenant asks me to delete all their personal data immediately after lease termination?
A: You must honor the deletion request, except for data with a competing lawful ground:
-
Contract data (Ground 2): If the lease has ended and there are no ongoing disputes, you must delete tenant personal data within 30 days of the request.
-
Legal hold (Ground 3): You may retain data if a statutory obligation applies (e.g., 7-year rent records for income tax compliance, property tax records for municipal authority). Inform the tenant: “We retain your rent payment history for 7 years per Income Tax Act, 1961. This data will be deleted [date].”
-
Legitimate interest (Ground 6): If you have a documented, proportionate legitimate interest in retention (e.g., tenant damage claim under investigation), you may delay deletion. But inform the tenant of the reason and expected resolution date. Once the interest expires (e.g., damage claim resolved), delete within 30 days.
-
If no ground remains: You must delete. Failure to delete is a Section 12 DPDPA breach (erasure/deletion right), carrying up to ₹200 crore penalty.
Q5: Is a “tenant directory” (list of all resident names, phone numbers, units) compliant under Section 4?
A: Only with one of two grounds:
-
Consent (Ground 1): Obtain explicit, dated consent from each tenant before including them in the directory. Consent form: “I consent to my name, unit, and phone number being listed in the Society Directory for member communication.” Provide an opt-out option—tenants who decline are not listed.
-
Legitimate Interest (Ground 6): Directory is necessary for building operation (AGM notices, maintenance alerts, emergency communications). Prepare an LIA explaining: purpose (building operation), necessity (how-to-contact residents for urgent matters), balancing test (tenant expectation to be reachable for building emergencies is reasonable), mitigation (access restricted to society management, no sale to brokers, annual audit). Provide an opt-out option—tenants can request removal.
Do NOT circulate the directory to external parties (brokers, agents, marketers) without separate consent per Ground 1, or without documenting that external sharing is part of the legitimate interest. Most external sharing requires explicit consent.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →