What this law is
UK GDPR (the UK version of the EU's General Data Protection Regulation) and the Data Protection Act 2018 (DPA 2018) are the two pieces of legislation that govern personal data in the UK. They work together as a single framework.
Any business that processes your personal information — name, address, phone, income, identity documents, financial details — must comply with these laws. Estate agents, valuation platforms, mortgage brokers, and conveyancers are all firmly inside scope.
The Information Commissioner's Office (ICO) is the UK regulator. It can fine businesses up to 4% of global turnover or £17.5m, whichever is higher.
Why it exists
Data about you is used to make decisions that affect your life — whether you get a mortgage, how much an insurer charges you, who markets products to you. UK GDPR gives you visibility and control over that flow.
What it means for you
- Right to be informed: the agent must give you a clear privacy notice saying what data they collect, why, how long they keep it, and who they share it with. This should be easy to find on their website.
- Right of access: you can ask any business for a copy of all the personal data they hold on you, within one calendar month, free of charge. This is a Subject Access Request (SAR).
- Right to rectification: if any information is wrong, you can demand it is corrected.
- Right to erasure ("right to be forgotten"): you can ask the business to delete your data once it is no longer needed — though legal retention rules (for example, 5-year AML records) can override this for specific files.
- Right to object to marketing: you can tell any business to stop sending you marketing — forever, with no explanation needed.
- Right to data portability: you can ask for your data in a machine-readable format so you can take it elsewhere.
Red flags to watch for
- ⚠ An agent or valuation service without a visible privacy notice.
- ⚠ Being told "we share your details with our trusted partners" without a list of who those partners are.
- ⚠ Continued marketing after you have unsubscribed.
- ⚠ A service that sells or passes on your contact details without explicit consent.
- ⚠ Refusal to comply with a Subject Access Request, or a demand for payment before complying.
How to use it
1. Read every privacy notice before submitting personal details. If you cannot find one, do not proceed.
2. To exercise a right, email the business's Data Protection Officer or support team in writing. Cite UK GDPR. Give them one calendar month.
3. If they refuse or ignore you, complain to the ICO at ico.org.uk. The complaint is free and ICO staff handle it from there.
4. Use a separate email address for property enquiries so you can see who shares your data.
Key terms, translated
- Personal data: Any information that identifies you — name, email, phone, address, ID number, even your IP address in some cases.
- Data controller: The business that decides why and how your data is used. For a valuation, ValuQ is the controller.
- Data processor: A business that handles your data on behalf of a controller — for example, an email delivery service working for an agent.
- Subject Access Request (SAR): A formal request to see everything a business holds about you. Free, one calendar month response time.
- Lawful basis: The legal reason a business is allowed to process your data. Must be one of: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Official source
This guide is a plain-English summary, not legal advice. For the original text, always go to the official source.
Information Commissioner's Office (ICO)
Frequently asked questions
Can a valuation service share my details with estate agents without my permission?
Only if they have a lawful basis. Most services use consent — meaning you have to tick a clear box. A pre-ticked box or hidden consent is invalid under UK GDPR.
How long can an agent keep my data after a sale?
Only as long as needed. AML records have to be kept for 5 years. Marketing data should be deleted when you withdraw consent or the relationship ends.
What is a reasonable response time for a data request?
One calendar month. The business can extend to three months for complex requests but must tell you within the first month.
Can I get compensation if my data is mishandled?
Yes, both through the ICO (fines paid to the regulator) and through the courts (damages paid to you). Breaches that cause real harm or distress are compensable.