Lawful basis for processing personal data

Lawful basis for processing personal data

At the heart of GDPR are the six bases for processing personal data. Here, we look at the ones that are likely to be most relevant to you as an estate agent and look at them in detail.

GDPR Video Series – What is Consent?
GDPR Video Series – Opt In Forms and Privacy Policy
GDPR Video Series – What’s next, what do I need to know?

At the heart of GDPR are the six bases for processing personal data. Here, we look at the ones that are likely to be most relevant to you as an estate agent and look at them in detail.

Now, we’ve tried to keep this article concise and relevant – but we’d always recommend looking at the ICO site on GDPR to ensure that you are familiar with the GDPR and how it relates to your business.

Legal process

So why do I need a lawful basis for processing personal data? What is a lawful basis?

At the heart of GDPR is the need to have a lawful basis, or a reason,  for processing the personal data of an individual. Its really important that the processing of data must be necessary in order for it to be lawful.

There are six lawful basis for processing personal data:

  • Contract
  • Consent
  • Legitimate interests
  • Legal obligation
  • Vital interests
  • Public task

We’ll focus on contract, consent, legitimate interests and legal obligation here – you’re unlikely to encounter the others or need to use them as a lawful basis for processing.

contract estate agent GDPR


This is the most straightforward basis for processing and covers a lot of what you do as an estate agency – sales, valuations, viewings, lettings, property management and so on. You can’t do any of that without personal data!

This is largely unchanged from the Data Protection Act 1998.

You can rely on this basis if you need to process where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

Remember – if you want to use that data to do something unrelated to the contract you cannot, i.e. the processing is not necessary for the performance of the contract.



If somebody consents to their personal data being processed, then you are able to process it. However, the standard for obtaining consent is very high, and if your current consent does not meet the required standard then you will need to re-consent those individuals.

For consent to be valid, there needs to be :

  • Positive opt-in – no pre-ticked boxes or assumed consent through inaction
  • Specific and granular – you need separate consent for separate things
  • An easy way to withdraw consent
  • Evidence of consent – who, when, how and what

In summary, consent must be freely given, and in the individual must have genuine choice and be in control over how their data is used.

The general consensus is that consent is the most onerous basis to rely on due to the steps required to obtain and prove that consent has been provided to the standards required.

The main reason for using consent as a basis for processing data is marketing – other legal basis can be used for performing your services. However, there are different approaches to marketing as discussed here.

Legitimate interests

Legitimate interests is the most flexible basis for processing personal data – mostly when you can prove that you are using data in a way that an individual would expect and which would have a minimal privacy impact.

In order to rely on the legitimate interests basis, you need to perform and document a three step test :

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

The legitimate interest can be in terms of your own interests or the interests of the individual – so these can include commercial interests.

Legitimate interests can be used as a basis for marketing in conjunction with the PECR – see our article here and the ICTO guide to PECR

The DMA have published guidance on using legitimate interests  it walks you through the three step test and provides documentation templates.


Legal obligations

As an estate agent, you have a number of legal obligations which are laid down in statute – these may include:

  • Passing data to HMRC to comply with payroll obligations for employees
  • Submitting a Suspicious Activity report to the National Crime Agency
  • Performing AML checks

In these instances, as your purpose of processing personal data is to comply with the law, then the legal obligation basis for processing is likely to be most appropriate in those instances.

documents GDPR


As with all the basis for processing personal data – you must document your decisions around what basis of processing you are relying on for each purpose, in both your internal and external-facing documentation – take a look at our article on documentation 

Disclaimer: This article is based upon our understanding of the General Data Protection Regulation (GDPR).  There are still some aspects of the GDPR which are undetermined or are awaiting guidance from the ICO.  This should not be relied upon as legal advice nor how GDPR may apply to your organisation.  We encourage you to work with a legally qualified professional to understand GDPR, how it applies specifically to your organisation, and how best to ensure compliance.