Industry analysis
AML vs GDPR in Spanish Real Estate
A cornerstone guide for real estate agents, lawyers, mortgage brokers, developers and compliance professionals on how AML and GDPR obligations interact in Spain.
Published 10 June 2026
Why AML and GDPR are often confused
AML (Law 10/2010) requires real estate professionals to identify customers and beneficial owners and to retain records for ten years. GDPR and LOPDGDD require minimisation, purpose limitation and strong security for personal data. The two regimes do not conflict — they apply at the same time, with AML providing the legal basis for processing and GDPR shaping how that processing must be done.
Legal basis for processing KYC data
For obliged subjects under Law 10/2010, the lawful basis is **legal obligation** (Article 6(1)(c) GDPR), not consent. Consent must not be requested for AML KYC, because withdrawing it would not stop the processing.
Can real estate agents collect passport copies?
Yes — when acting as obliged subjects under Law 10/2010, real estate agents must verify identity using a reliable document. A passport or DNI/NIE copy is acceptable. The processing must be necessary, proportionate, secured and retained only as long as the law requires.
Can passport copies be sent by email?
Standard email is not appropriate for sending passport copies. Email is unencrypted in transit between many providers, frequently archived in personal inboxes, and easily forwarded. If email must be used, the document should be sent in an encrypted, password-protected container with the password delivered through a separate channel.
Can passport copies be sent by WhatsApp?
WhatsApp should not be used to share KYC documents. End-to-end encryption protects message content in transit, but copies persist in personal devices, cloud backups, gallery rolls and chat exports outside the control of the obliged subject. The AEPD has repeatedly warned against using consumer messaging apps for personal data exchange in professional contexts.
How long may passport copies be retained?
Under Law 10/2010, KYC records must be retained for ten years from the end of the business relationship or completion of the occasional transaction. After that period the documents must be securely destroyed unless another legal obligation requires longer retention.
Who may access KYC documents?
Access must be limited to staff with a defined AML role. Access controls, audit logs and confidentiality undertakings are required by both Law 10/2010 and the GDPR security principle (Article 32).
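The deny-by-default access check described above, with every decision written to an audit trail, looks like this in practice. This is an added illustration, not code from the article or from any named platform; the role names, user ids and document ids are constructed for the example, and the custodian rule (only the AML officer keeps access once a deal closes) is an assumed policy.

```python
"""Added example: deny-by-default access control for KYC documents with an
append-only audit log. Role names, users and document ids are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Which actions each defined AML role may perform (assumed mapping for the example).
ROLE_PERMISSIONS: Dict[str, set] = {
    "aml_officer": {"kyc:read", "kyc:write", "kyc:delete"},
    "deal_agent": {"kyc:read"},
    "marketing": set(),  # no AML role -> no KYC access at all
}
# Roles that keep custody of the file for the retention period after a deal closes.
CUSTODIAN_ROLES = {"aml_officer"}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: Optional[str]
    action: str
    document: str
    allowed: bool
    reason: str


@dataclass
class KycVault:
    # document id -> {user id: role on this deal}
    assignments: Dict[str, Dict[str, str]] = field(default_factory=dict)
    audit_log: List[AuditEntry] = field(default_factory=list)

    def assign(self, document: str, user: str, role: str) -> None:
        self.assignments.setdefault(document, {})[user] = role

    def close_deal(self, document: str) -> None:
        """Remove everyone except the custodian role(s) when the deal closes."""
        users = self.assignments.get(document, {})
        self.assignments[document] = {u: r for u, r in users.items() if r in CUSTODIAN_ROLES}

    def _record(self, user, role, action, document, allowed, reason) -> bool:
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         user, role, action, document, allowed, reason))
        return allowed

    def authorize(self, user: str, action: str, document: str) -> bool:
        """Deny by default: the user must be assigned to the deal and the assigned
        role must grant the action. Every decision, allowed or denied, is logged."""
        role = self.assignments.get(document, {}).get(user)
        if role is None:
            return self._record(user, None, action, document, False, "user not assigned to deal")
        if action not in ROLE_PERMISSIONS.get(role, set()):
            return self._record(user, role, action, document, False, "role lacks permission")
        return self._record(user, role, action, document, True, "ok")

    def denied_attempts(self, user: Optional[str] = None) -> List[AuditEntry]:
        """Denied decisions, optionally for one user; the feed a reviewer would watch."""
        return [e for e in self.audit_log if not e.allowed and (user is None or e.user == user)]
```

The role is taken from the deal assignment held server-side, never from the caller, so a user cannot claim a role they were not given; and because denials are logged with a reason, repeated failed attempts by one account are visible to whoever reviews the log.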
Sharing KYC files between agents and lawyers
Where agents and lawyers act as joint or separate obliged subjects on the same transaction, KYC sharing must use a secure channel, a data sharing record, and clear roles (controller / processor / joint controllers as applicable). Each party must be able to justify its own legal basis.
Sharing KYC files with banks and notaries
Banks and notaries are independent obliged subjects and conduct their own CDD. KYC documents may be transferred to support a specific transaction, but each recipient must hold and protect the data under its own legal obligation, not as a courtesy copy.
Data retention requirements
The minimum AML retention is ten years. Personal data must be deleted at the end of that period unless tax, civil or sector-specific law requires longer. Blocking, rather than full deletion, is acceptable while ongoing investigations or claims are open.
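A retention schedule that applies the rules just stated (ten years from the end of the relationship or the occasional transaction, a longer period where another law requires it, and blocking rather than deletion while an investigation or claim is open) can be expressed as a small decision function. This is an added example, not from the article; the record values and the field names are constructed.

```python
"""Added example: retention decision for KYC records under the ten-year AML
minimum described in the article. Record values are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

AML_RETENTION_YEARS = 10  # minimum under Law 10/2010, as the article states


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class KycRecord:
    record_id: str
    relationship_end: date          # end of relationship or date of the occasional transaction
    legal_hold: bool = False        # open investigation or claim -> block instead of delete
    other_retention_until: Optional[date] = None  # longer tax/civil/sector obligation, if any


def retention_expiry(record: KycRecord) -> date:
    """Later of the AML ten-year date and any other legal retention end date."""
    aml_end = add_years(record.relationship_end, AML_RETENTION_YEARS)
    if record.other_retention_until and record.other_retention_until > aml_end:
        return record.other_retention_until
    return aml_end


def retention_action(record: KycRecord, today: date) -> str:
    """Return 'retain' while a legal period runs, 'block' if a hold is open
    after expiry, otherwise 'delete' (secure destruction is due)."""
    if today < retention_expiry(record):
        return "retain"
    if record.legal_hold:
        return "block"
    return "delete"


def schedule(records: Iterable[KycRecord], today: date) -> Dict[str, str]:
    """Action per record id, e.g. the input to a periodic secure-deletion job."""
    return {r.record_id: retention_action(r, today) for r in records}
```

Running `schedule` on a periodic job and acting only on the `delete` entries keeps deletion from happening early, while the `block` state makes held records visible rather than silently retained.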
Security requirements for KYC documents
GDPR Article 32 requires appropriate technical and organisational measures: encryption at rest and in transit, access controls, logging, secure backups, vendor due diligence, breach detection and a documented incident response.
Common GDPR mistakes in Spanish real estate
- Asking customers to sign consent forms for AML processing.
- Storing passport copies in shared drives accessible to the whole agency.
- Forwarding KYC files by WhatsApp or personal email.
- Keeping KYC records indefinitely after the transaction closes.
- Failing to sign a data processing agreement with the CRM, e-signature or KYC vendor.
Best practices for secure KYC sharing
- Use a dedicated, access-controlled KYC platform with audit logs.
- Transfer documents over TLS-secured links with time-limited access.
- Apply role-based permissions and remove access when a deal closes.
- Document retention schedules and run periodic secure deletion.
- Train every member of staff who touches KYC data.
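The "TLS-secured links with time-limited access" practice above usually means a link that carries an expiry and a server-side signature, so that a forwarded or stale link stops working. The following is an added example of that token logic, not code from the article or from any named platform; the signing key, host name, user and document ids are constructed placeholders, and TLS itself is assumed to be provided by the web server that serves the link.

```python
"""Added example: time-limited, tamper-evident download links for KYC files.
Key, host and ids are constructed placeholders; TLS is assumed at the server."""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret only; in production a random 32-byte value from a secret store.
SIGNING_KEY = b"constructed-example-key-do-not-use"
BASE_URL = "https://kyc.example.invalid/download"  # placeholder host


def _signature(document_id: str, user_id: str, expires: int) -> str:
    """HMAC-SHA256 over the fields the server will trust, so none can be altered."""
    msg = f"{document_id}|{user_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_link(document_id: str, user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Link bound to one document, one recipient and a hard expiry."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = {"doc": document_id, "user": user_id, "exp": expires,
             "sig": _signature(document_id, user_id, expires)}
    return f"{BASE_URL}?{urlencode(query)}"


def verify_link(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Signature is checked before expiry so that a
    tampered 'exp' cannot extend a link's life."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        doc, user, exp, sig = q["doc"][0], q["user"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _signature(doc, user, exp)):
        return False, "bad signature"
    if now >= exp:
        return False, "expired"
    return True, "ok"
```

Because the recipient's id is part of the signed message, the server can also confirm at download time that the presenting session belongs to that user, which is what makes removing a person's deal assignment (the previous bullet) effective even for links issued earlier.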
Relevant Spanish authorities
- **AEPD** — Spanish Data Protection Agency.
- **SEPBLAC** — Spanish Financial Intelligence Unit (AML supervisor for real estate).
- **Banco de España** — banking and payments supervisor.
Relevant European regulations
- GDPR (Regulation 2016/679) and LOPDGDD (Organic Law 3/2018).
- AMLA, the 6th AML Directive and the EU Single Rulebook.
- eIDAS 2.0 and the European Digital Identity Wallet.
- NIS2 Directive on cybersecurity.
