GDPR for estate agents in the UK: Propertymark & AML

Steven | TrustYourWebsite · 17 May 2026

UK estate agents process unusually rich personal data — financial information from vendors and buyers, identity documents collected for anti-money laundering, tenant references, viewing logs, photographs of occupied homes — and they operate under several overlapping regulators. Getting GDPR right means understanding the interactions between the UK GDPR, the Data Protection Act 2018, the Money Laundering Regulations 2017, and the new Digital Markets, Competition and Consumers Act 2024.

This guide covers the data protection obligations specific to UK sales and lettings agents, what to display on your website, and how to reconcile AML retention with the right to erasure.


The regulatory landscape

UK estate agents sit under several supervisors at once:

  • ICO (Information Commissioner's Office) — supervises data protection
  • HMRC Money Laundering Supervision — default AML supervisor unless you are a member of a Professional Body Supervisor (PBS)
  • Propertymark (incorporating NAEA Propertymark for sales and ARLA Propertymark for lettings) — Propertymark members are supervised through Propertymark and follow its Conduct & Membership Rules
  • National Trading Standards Estate and Letting Agency Team (NTSEAT) — enforces the Estate Agents Act 1979 and the redress scheme requirement
  • CMA (Competition and Markets Authority) — direct enforcement under the Digital Markets, Competition and Consumers Act 2024 (DMCC), in force since 6 April 2025

Unlike Ireland (PSRA-licensed), the UK does not have a single licensing authority for estate agents. Anyone offering estate agency work must register with HMRC for AML supervision (or join a PBS that supervises in HMRC's place), must register with an approved redress scheme (The Property Ombudsman or PRS), and must display required disclosures on their advertising and listings.


Vendor and landlord data

When you take on a property, you collect:

  • Full name, address, contact details
  • Financial information (mortgage status, asking price, motivation to sell)
  • Property details (often photographed, often including identifying interior items)
  • AML customer due diligence (CDD): government-issued ID, proof of address, source of funds for high-value transactions

Vendors and landlords are data subjects with full UK GDPR rights — access, rectification, erasure (subject to MLR retention), portability, and the right to object. The lawful basis is usually Article 6(1)(b) (contract) for the agency relationship and Article 6(1)(c) (legal obligation) for AML records.

Provide a privacy notice at the start of any engagement, covering what you collect, why, who else will see it (solicitors, mortgage brokers, other agents in a multi-listing arrangement), and how long you retain it.


Buyer and tenant applicant data

Applicant data — especially for lettings — is often the most sensitive part of an agent's data flows. References, employment letters, payslips, bank statements, and previous-landlord contacts together amount to a detailed personal profile.

  • Collect only what is needed for the specific tenancy assessment (data minimisation, UK GDPR Article 5(1)(c))
  • Retain unsuccessful applicant data for the minimum period — typically 6 months — unless you can justify longer
  • Do not roll failed applicants into a mailing list without a separate marketing opt-in
  • Encrypt or use a secure portal to share documents with landlords; plain-text email of bank statements is a breach risk
  • Do not request criminal-record information unless you have a specific lawful basis under DPA 2018 Schedule 1

Anti-money laundering retention vs the right to erasure

This is the GDPR-AML tension that catches agents out most often:

Under Regulation 40 of the Money Laundering Regulations 2017, you must retain customer due diligence records for 5 years from the end of the business relationship or completion of the transaction. After that period:

  • Personal data obtained specifically for MLR purposes must be deleted, unless another legal basis applies (e.g. consent, ongoing legal proceedings)
  • You must not retain MLR records for more than 10 years in total (Reg 40(5))

The right to erasure under UK GDPR Article 17 is therefore overridden during the 5-year MLR window. A client who completes a sale and then asks you to delete everything cannot have their CDD file deleted before the 5-year period elapses. Document this carve-out clearly in your privacy notice.

For Propertymark members, the Propertymark Conduct Rules and AML Guidance reinforce the 5-year minimum.


Property photography and virtual tours

Photography of occupied properties carries personal data risks that also arise under the IE/EU rules. The UK-specific points are:

  • Photos that show identifiable individuals, family possessions, or items revealing health/political/religious information (medication, religious symbols, party flags) are personal data — sometimes special category
  • Obtain the owner/occupant's written consent before publishing photographs or 360° virtual tours
  • Be explicit that property interiors will be marketed online via Rightmove, Zoopla, OnTheMarket, social media, your own site
  • For tenanted lettings, get the tenant's consent separately — the landlord cannot consent on the tenant's behalf

The DMCC Act 2024 also requires that listing photographs are not misleading. Composite or heavily edited images that misrepresent the property risk an enforcement action from the CMA, which now has direct fining powers (no court process required).


Material information under the DMCC Act 2024

Since 6 April 2025 the DMCC Act has replaced the Consumer Protection from Unfair Trading Regulations 2008 (CPRs) as the framework for material-information disclosures in property listings. Practical points:

  • The CMA has direct enforcement powers under the DMCC, including unlimited fines
  • "Material information" is whatever the average consumer needs to make an informed decision — agents must self-assess for each listing
  • Drip pricing is prohibited: include all mandatory fees (admin charges, referral fees) in the headline figure
  • NTSEAT-published sector guidance was withdrawn pending the DMCC consultation (28 September – 21 December 2025); new sector guidance is being drafted

This is a consumer-protection regime rather than a data-protection one, but it interacts: misleading information about a property or its occupants can also constitute a UK GDPR breach if it concerns identifiable individuals.


Your agency website

Required on the site:

  • Company details under the Companies (Trading Disclosures) Regulations 2008 — company name, registered office, country of registration, company number — see company website trading disclosures
  • AML supervisor name — HMRC or your PBS (Propertymark / RICS / Law Society etc.)
  • Approved redress scheme — The Property Ombudsman or Property Redress Scheme
  • Privacy notice explaining vendor, applicant, AML and website-visitor data flows, lawful bases, retention periods, and how to complain to the ICO
  • Cookie banner compliant with PECR and the ICO's 2025 enforcement standard — accept and reject must be equally prominent on the first layer; see cookie banner rules under the ICO
  • ICO data protection fee paid (display is not legally required, but the registration is)

Common gap on agency sites: embedded Rightmove / Zoopla / OnTheMarket portal widgets, Google Maps, Meta-pixel retargeting, and "favourite property" cookies often fire before consent. A free website compliance check will surface this.


Practical checklist for UK estate agents

Item | Required?
ICO data protection fee paid (Tier 1 or 2) | Yes
HMRC AML registration (unless PBS-supervised) | Yes
Approved redress scheme membership displayed | Yes (Estate Agents Act 1979)
Companies House details in footer | Yes, if incorporated
Propertymark/PBS membership clearly stated | If a member
MLR 2017 CDD records retained for 5 years | Yes (statutory)
MLR personal data deleted after retention window | Yes (Reg 40(5))
Privacy notice on website covering MLR carve-out | Yes
Cookie banner with equally prominent accept/reject | Yes, if using non-essential cookies
Written consent from occupants for property photography | Yes
DMCC-compliant material information in listings | Yes (since 6 April 2025)
Data processing agreement with property-management software | Yes
Staff trained on data protection + AML | Yes

Check your agency website

A TYW scan checks your privacy notice, cookie banner configuration, Companies House disclosures, embedded portals, and trackers loaded before consent — in 60 seconds, no signup. For broader UK GDPR context see GDPR compliance for UK businesses.


This is technical analysis, not legal advice. Consult Propertymark or your Professional Body Supervisor, your AML compliance adviser, and a data protection specialist for advice specific to your agency.