By using this website, you agree to our use of cookies to enhance your experience.


GDPR Weekly: Passing data to third parties

Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.

For a while, many estate and letting agents will have been working hard to prepare for the new rules. 

To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week. 


If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on press@estateagenttoday.co.uk.

Are agents still allowed to pass consumer information on to third parties? If so, do these organisations need to be named?

Annabel Kaye, managing director of KoffeeKlatch:

If you are passing personal data to an external supplier to process data for you, they are a ‘data processor’ and you are the ‘data controller’. 

You are required to have formal written agreements in place with your data processors and it’s your job to make sure that you are properly and enforceably contracting for GDPR-compliant processing of your data right down the chain of supply.

Make sure that platforms that you are using where ‘processing’ is taking place (either by you or your processors) are either storing data in the EEA, or in a jurisdiction that is EU-approved for its data security environment, or in an organisation that is covered by a relevant ‘Privacy Shield’.

Although you don’t necessarily need to name every app or every person to whom you are passing data, you certainly need to be explicit in your Privacy Policy about recipients, or categories of recipients, of personal data.  

If you are collecting sensitive data (‘special category’) or intend to use the information in an unexpected way (that is, unexpected by the consumer, not by you), then the need to actively provide more detailed information will be stronger.

Jon Baines, data protection advisor at Mishcon de Reya LLP:

There is no express bar on passing consumer information to third parties, now or under GDPR, but the general rule is that to do so one must inform the person whose information is being passed (normally they will be informed by way of a clear privacy notice). 

The person should also be told who the recipients will be, or at least the categories of recipients (for instance, third party storage services). 

However, there may be occasional exceptional circumstances when consumer information can (or even must) be passed to third parties, without informing the consumer (this might be the case with disclosures to the police if serious criminal investigations are involved).

If consumers’ details are passed to third parties who wish to send marketing, then the third parties themselves must comply with marketing rules, and only send direct electronic marketing to individuals if the individuals have expressly consented to receive it.

The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.

Bernard George, solicitor for Socrates Training Ltd:

Life would often be impossible if you could not pass information to third parties.

To take an example, say John gives you information about Jane, for the purposes of a transaction. Can you pass that on to other professionals working on the deal? Almost certainly yes.

GDPR Weekly: Passing data to third partiesJane has not consented, because you got the information from John. But still it will often be OK to use the information about her. This is because processing is necessary in relation to a contract which the individual has entered into or else because the processing comes under the ‘legitimate interest’ condition.

But the point is you need a justification. Just copying information to third parties when that is not necessary, or clients would not expect it, is certainly not OK.

Damon Bullimore, chief information officer at BriefYourMarket.com:

Yes, agents are still allowed to pass consumer information on to third parties. However, in the interests of transparency, it is essential that you inform both new and existing contacts who you intend to share their data with, and why.

The fundamental principle that agents need to remember is that they should no longer assume that a contact will ‘expect’ things to happen with their data to achieve a certain objective. Under GDPR, it becomes essential to inform them of why things happen with their data.

Agents must explicitly name all third-party controllers that will rely on the individual’s consent (if they are using consent as their lawful basis for processing data for marketing, for example). This information should be made readily available within their Privacy Policy.

Agents should also be conscious of the fact that they should be informing contacts that they can restrict the passing of data to third parties.

GDPR Weekly: Passing data to third partiesIf the agent is using legitimate interests, they may be able to pass data to third parties and process it for both individual and commercial interests. However, you need to carefully consider if and why the third party needs the information, and what they intend to do with it.

In this case, the agent will need to demonstrate that the disclosure of the information is justified, but it will be the third party’s responsibility to determine their own lawful basis for processing. Therefore, it is important that agents are confident in the compliance procedures of all the third party organisations that they work with.

Annemarie Proudfoot, head of customer relations at BestAgent:

If you are passing along leads to third parties (for commission or not), you absolutely must stop doing so unless you have:

GDPR Weekly: Passing data to third partiesa. Consent recorded: In order for this to be GDPR adequate, you must be specific about to whom you have passed their information; OR

b. A legitimate business interest for doing so (you sold their house and the third party supplier is legitimately involved in facilitating completion of that transaction). 

You need to record to the names of these third parties, because if/when someone asks to see how their data has been processed, they have a right to see to whom they have been passed to.

*If you would like to receive further guidance from any of our GDPR experts, please click here

Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.

Angels Media Ltd Legal Disclaimer: 

The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.

While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.

Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.


Please login to comment

MovePal MovePal MovePal
sign up