GDPR starter kit for real estate agents

Real estate agents process financial data (Dutch anti-ML), personal data of buyers + sellers, property photos sometimes with visible residents. Specific rules: (1) Dutch anti-ML (Wwft): mandatory ID verification + retain scan 5 years. But redact BSN! Wwft does not require BSN. (2) Viewings: applicants name + email + phone. Retention 1 year after transaction (NVM). (3) Mortgage documents: financial data → strict security. Use portal (HypotheekVisie, own secure portal) — no email. (4) Property photos: residents in photo = portrait rights. Ask consent or explain that publication beyond resident is allowed (e.g. via Funda). Belongings in photo = personal data if identifiable. (5) Funda data: Funda is your processor — DPA via Funda standard. But you remain responsible. (6) CRMs: Realworks, Skarabee, BlueIT — DPA required. (7) Expired listings: Funda archive removes after 1 year. Own site: also remove. WBTR impact: for larger agencies, directors personally liable on serious negligence. NVM protocols supplement GDPR with sector-specific code.