✓ Link copied
DPDPA 2023 Compliance

Buyer vs Seller Data: Section 4 DPDPA Processing Grounds for Real Estate

Applies toReal Estate Agents, Property Dealers & Management Companies operating in India
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

A real estate agent in Mumbai collected buyer contact details from a property listing portal without explicit consent, justifying it as a “legitimate business interest.” When the enforcement authority audited her records, she had no documented basis under Section 4 of DPDPA. Result: administrative proceedings, operational delays, and reputational damage in a competitive market.

Section 4 is DPDPA’s pivot pin for real estate processors. It sets the lawful grounds on which you can collect, store, and process personal data from buyers, sellers, and associated parties. Without grounding each data collection in Section 4, you operate outside the law—regardless of how the data is stored or protected.

What Does Section 4 Actually Require?

Section 4(1) of DPDPA states:

“A data processor shall not process personal data relating to a data principal unless such processing is based on one or more of the grounds specified in sub-section (2).”

Sub-section (2) lists six lawful grounds:

  1. Consent of the data principal
  2. Processing necessary to perform a contract with the data principal
  3. Compliance with a legal obligation
  4. Vital interests of the data principal
  5. Processing by public authorities (not applicable to private real estate agents)
  6. Legitimate interests of the data processor or third parties, subject to the fundamental rights and freedoms of the data principal

For real estate, grounds 1 (consent), 2 (contractual necessity), and 6 (legitimate interests) are the primary workable bases. Each ground has different documentation, consent, and retention requirements.

Comparison: Buyer Data vs Seller Data Under Section 4

AspectBuyer DataSeller Data
What you collectPhone, email, budget range, property preferences, site visit history, loan detailsName, bank details, property title documents, KYC (PAN/Aadhaar), family details, sale history
Section 4 ground (typical)Consent (for marketing) + Contractual necessity (for transaction)Contractual necessity (to execute sale) + Legal obligation (KYC verification)
Consent requirementRequired for marketing purposes; not required if data is essential to an active transaction you’re executingMay be waived if KYC is a legal requirement (PMLA, RERA); contractual processing doesn’t require separate consent
Duration of processingOnly as long as buyer is in negotiation; must be deleted if buyer disengages and withdraws consentDuring and after transaction (for warranty, disputes, tax records); can be retained per legal hold requirements
Third-party sharingCannot share with lenders, builders, or co-brokers without explicit consent per Section 4(2)(i); legitimate interests alone are insufficientCan share with bank/NBFC for KYC/loan processing without additional consent (contractual necessity ground); cannot share beyond contract stakeholders
Risk if mishandledMarketing calls to non-consenting buyers; retargeting ads without consent; data breach liabilityKYC misuse; tax/regulatory violations; GST returns with unverified sellers; legal hold violations
Penalty for Section 4 breachEnforcement action, data deletion order, reputational loss; potential ₹150 crore exposure if systematicSame, but compounded if government data (KYC) is mishandled; cross-statute penalties under PMLA/RERA possible

Why the Comparison Matters

Many real estate agents treat all personal data identically and use a single “catch-all consent” form. Section 4 forces you to segregate your grounds by data type and use case:

  • Buyer phone number for a pending offer → Contractual necessity (no consent needed for that specific use)
  • Buyer phone number for marketing future properties → Consent (separate, explicit, revocable)
  • Seller bank account for payment → Contractual necessity (no consent needed)
  • Seller KYC documents → Legal obligation (PMLA, RERA) + Contractual necessity (no consent required, but legally mandated)

If you conflate these, you create a Section 4 violation. Regulators will ask: “Which ground did you process this buyer’s email on?” If you cannot point to a documented, contemporaneous basis, the processing is unlawful.

Section 4 Grounds in Practice: Real Estate Scenarios

Scenario 1: Buyer Inquiry (Consent vs Contractual Grounds)

A buyer browses your portal and clicks “Request Site Visit.” You need her email to send the site visit confirmation (contractual necessity, Section 4(2)(ii)). Before sending the confirmation, you email marketing materials for 10 other properties. Section 4 issue: site-visit data can be processed on contractual grounds for the visit itself. But marketing materials constitute a separate, unrelated purpose requiring explicit consent under Section 4(2)(i). If you bundled both into one checkbox (“I consent to site visit and marketing communications”), regulators will find that consent invalid—it conflates two distinct purposes. Section 4 violation.

Scenario 2: Seller KYC (Legal Obligation Ground)

A seller lists a ₹2 crore property. RERA rules mandate you to verify the seller’s PAN and Aadhaar before listing. Section 4 ground: Legal obligation (Section 4(2)(iii) — RERA Act). You don’t need the seller’s separate consent for KYC collection because it’s mandated by law. But you cannot use that KYC data to market other properties to the seller without separate consent under Section 4(2)(i). Using KYC for an unrelated purpose violates Section 4(2)(vi)‘s requirement that legitimate interests not override data principals’ rights. Document your grounds separately.

Scenario 3: Buyer Financial Data (Contractual + Consent Mix)

A buyer is ready to make an offer on an ₹80 lakh property. The builder requests you to collect the buyer’s loan eligibility letter from the bank. Section 4 ground: Contractual necessity (needed to finalize the deal, Section 4(2)(ii)). But if the builder later shares this data with a financial services company for “credit score improvement offers,” that is an illegitimate use—it violates Section 4(2)(vi) because it’s no longer tied to the original contract and exceeds your legitimate interest as a real estate agent. You’d need fresh, explicit consent from the buyer before any third-party financial use. No consent = Section 4 breach.

Common Section 4 Mistakes in Real Estate

  1. Blanket consent forms: A single checkbox covering “marketing, analytics, third-party sharing, SMS/WhatsApp calls.” DPDPA treats this as coercive and invalid. Section 4(2)(i) requires purpose-specific, granular consent. Separate checkboxes for each use case.

  2. No documentation of grounds: You process buyer data “on the ground of legitimate interest” without documenting a Legitimate Interest Assessment (LIA). Section 4(2)(vi) requires you to balance your business interest against the data principal’s fundamental rights. Regulators will demand this balance document; absence means automatic breach.

  3. Mixing consent and legal obligation: Telling a seller “Section 4 requires KYC, so you must provide it,” then using that KYC for marketing emails. Legal obligation grounds (Section 4(2)(iii)) cover only the KYC requirement itself, not follow-on commercial uses. Each use needs its own documented ground.

  4. No processing register: You cannot produce a record showing which ground you used for each data type. Section 4 compliance audits require a processing register linking each data category to its lawful ground, data principal category, retention period, and processing lawfulness. Without it, you cannot defend any breach.

  5. Ignoring the “subject to” clause in Section 4(2)(vi): Processing on legitimate interest is valid only if it doesn’t override the data principal’s fundamental rights and freedoms. In real estate, this means you cannot use a buyer’s site visit history for discriminatory targeting (e.g., “don’t show affordable properties to low-income applicants” or “show only luxury properties to wealthy IP addresses”). That is textbook Section 4(2)(vi) violation—legitimate interest that overrides fair treatment rights.

  6. Sharing buyer data with unaffiliated third parties without consent: If you share buyer data with a lender for loan processing (contractual necessity, OK) but then share it with an insurance broker or property surveyor (new purpose, not part of original transaction), you need new consent per Section 4(2)(i). Sharing on legitimate interest grounds alone is insufficient—third parties outside the transaction are not legitimate receivers of buyer personal data.

Compliance Checklist for Real Estate Under Section 4

  • Data Mapping: Document every data type you collect (buyer phone, seller bank, property photos with family info, financial details, site visit logs) and assign one Section 4 ground per data type. Use a spreadsheet or processing register.

  • Purpose-Specific Consent: If relying on consent (Section 4(2)(i)), use separate checkboxes per purpose: site visits, marketing calls, SMS updates, co-broker sharing, lender sharing. No bundled consent.

  • Legitimate Interest Assessments (LIAs): For any processing claimed under Section 4(2)(vi), document an LIA showing: (a) what your legitimate business interest is, (b) why you need this data for that interest, and (c) why your interest does not override the data principal’s rights. Without LIAs, Section 4(2)(vi) processing is indefensible.

  • Processing Register: Maintain a register (spreadsheet or system) recording: date of collection, purpose, ground (consent/contract/legal obligation/legitimate interest), data principal category (buyer/seller/co-broker), retention period, third-party sharing rules.

  • Data Processing Agreements (DPAs): If sharing buyer/seller data with lenders, builders, co-brokers, or legal teams, ensure DPAs reference which Section 4 ground applies and prohibit further re-sharing without consent.

  • Retention Limits: Document how long you retain data per ground. Legal obligation (KYC) may last 7 years per IT Act. Consent-based data must be deleted upon withdrawal. Contractual data can be retained during transaction + reasonable dispute-resolution window (typically 1-2 years).

  • Opt-out & Withdrawal Mechanism: For consent-based processing, provide an easy opt-out (via SMS link, email unsubscribe, or web form). Document withdrawals and deletion requests. No re-processing after withdrawal without fresh consent per Section 4(2)(i).

  • Audit Trail & Access Logs: Log who accessed sensitive data (buyer financials, seller KYC) and when. This proves lawful processing if audited by enforcement authorities.

  • Staff Training: Brief your agents on Section 4 grounds. Teach them to ask: “Which ground am I using to process this data?” before collecting buyer/seller information. Mistakes at agent level (calling non-consenting buyers, sharing data without approval) cascade into Section 4 violations for your entire organization.

  • Third-Party Risk Assessment: Before sharing any data with vendors (call centers, analytics platforms, co-brokers), verify their Section 4 compliance. If they claim “legitimate interest” but have no LIA, you’re complicit in their Section 4 breach.

Frequently Asked Questions

Q1: If a buyer is already in an active transaction with me, do I need consent under Section 4 to email them project updates or payment reminders?

A: No. Emails for transaction-related updates fall under Section 4(2)(ii)—contractual necessity. You do not need separate consent for operational emails tied to the transaction itself (e.g., “Your offer is accepted,” “Payment deadline is Friday,” “Inspection scheduled for 3 PM”). But if you email them a marketing newsletter for unrelated properties or a third-party offer (e.g., insurance, home loans), that requires explicit consent under Section 4(2)(i). Keep transaction emails separate from marketing emails. If you bundled both into a single consent box at signup, that consent is invalid for marketing purposes—Section 4 violation.

Q2: Can I use a buyer’s site visit history and budget range to run targeted ads on Facebook, showing them similar properties, without asking for fresh consent?

A: Only if you have explicit, documented consent for retargeting under Section 4(2)(i). Retargeting is a separate commercial purpose—it is not a contractual necessity tied to a specific transaction. If you collected the site visit and budget data on a contractual or legitimate interest ground (for the original property inquiry), retargeting requires fresh, separate consent. Without it, Section 4 is violated. Additionally, comply with Facebook’s data use policies, Google’s consent requirements, and TRAI DND (Do Not Call) rules for SMS/phone ads in parallel.

Q3: A seller is refusing to provide PAN/Aadhaar for KYC, citing privacy concerns under DPDPA. Can I proceed to list their property under Section 4?

A: No. PAN and Aadhaar for KYC are a legal obligation under the RERA Act and anti-money laundering (PMLA) rules, not optional. Section 4(2)(iii) permits processing to comply with legal obligations. You cannot list without KYC because RERA mandates it—the seller’s privacy concern, while noted, does not override a statutory requirement. However, you must inform the seller that: (a) KYC is legally required and you cannot proceed without it, (b) you will store KYC securely and only use it for verification and legal compliance (not marketing or third-party sharing), (c) they have the right to erasure after the transaction and legal hold periods end (typically 7 years for income tax). Make this clear in writing so the seller consents to necessary KYC processing under Section 4(2)(iii).

Q4: I share buyer and seller data with a co-broker on a 50-50 commission basis. Does that require Section 4 consent from the data principals?

A: It depends on your ground and the co-broker’s role. If you collected buyer data on a contractual necessity ground for a specific transaction, and the co-broker is actively involved in that transaction (co-listing, co-closing), sharing is permitted under Section 4(2)(ii)—it remains within the original contractual purpose. No fresh consent needed. But if you’re sharing buyer data with a co-broker for speculative lead generation (e.g., the co-broker will call them 6 months later about unrelated properties), that is a new purpose requiring explicit consent under Section 4(2)(i). Document in your co-broker agreements which scenario applies and what grounds justify the data sharing. Violating this is a Section 4 breach.

Q5: What’s the practical difference between Section 4 (grounds for processing) and Section 6 (data principal rights) compliance? Do I need to satisfy both?

A: Yes, both are mandatory and work together. Section 4 establishes why you can legally process data (the lawful ground: consent, contract, legal obligation, or legitimate interest). Section 6 establishes what rights the data principal has after you process it: access to their data, correction of errors, erasure, and data portability. A breach of Section 4 = unlawful grounds (you processed without a valid ground). A breach of Section 6 = violation of rights (you processed lawfully but refused to delete when asked, or denied access). For example: You collected buyer data on a legitimate interest ground (Section 4 compliant) but refused to delete it after the transaction when the buyer requested erasure (Section 6 violation). That is two violations—one in grounds, one in rights. Both attract enforcement action and penalties up to ₹150 crore. Compliance requires documenting your ground (Section 4) and honoring deletion/access requests (Section 6).

DPDPA Section 4 grounds real estate agentsReal estate buyer data processing DPDPA complianceSeller KYC data Section 4 lawful basis IndiaReal estate property agent DPDPA consent requirementsReal estate data processor Section 4 obligations 2026Property dealer Section 4 processing grounds DPDP ActResidential agent DPDPA Section 4 compliance checklist
VERIFIED DPDPAReady Editorial Desk 15 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →