Three massive sectors — millions of businesses — almost zero DPDP awareness. Freelancers collecting client briefs and payment details, real estate agents holding buyer financial documents and Aadhaar copies, travel agents storing passport numbers and visa details — all are processing personal data under DPDP and independently liable for compliance.
This guide covers all three: freelancers & consultants, real estate agents & brokers, and travel agencies & hospitality.
Part 1: DPDP for Freelancers & Consultants
15+ million freelancers in India • "I work alone" is not an exemption
Does DPDP Apply to Individual Freelancers?
Yes — and this surprises almost every freelancer. The law does not care whether you're a solo copywriter, a freelance developer, a graphic designer, or a management consultant working from home. If you collect client data, DPDP applies.
You're processing personal data when you:
- Store a client's name, phone number, or email in your contacts or project files
- Receive and save client briefs containing their personal or business information
- Collect payment details (UPI, bank account, PAN for invoicing)
- Sign an NDA that includes the client's personal information
- Access a client's systems or databases as part of your work
- Keep a client database or CRM with contact history
💼 Reality Check: A freelance web developer maintaining a Google Sheet with 50 clients (names, phone numbers, emails, project details, payment amounts) is a Data Fiduciary processing personal data. DPDP applies. Penalties can reach ₹50 crore for violations.
What Freelancers Must Do
1. Publish a Privacy Policy
- Even if you don't have a full website: create a simple Notion page or Google Sites page
- Explain what client data you collect (name, email, phone, payment details)
- State why (project management, invoicing, communication)
- State how long you keep it (e.g., "7 years for tax records, deleted after project otherwise")
- Share the link when onboarding new clients
2. Secure Your Client Data
- Password-protect files containing client personal information
- Enable 2FA on Google Drive, Dropbox, Notion — wherever client data lives
- Don't store client data on unprotected public cloud links
- If you use a shared laptop/computer: use a separate user account with a password
- Encrypt sensitive project files (NDAs, financial documents, personal briefs)
3. Delete Client Data After Project
- Set a retention policy: Keep project files for duration of project + 1 year (for disputes)
- Keep financial records (invoices, payment receipts) for 7 years (GST/tax)
- Delete personal client data (contacts, briefs, chats) after retention period
- Clear old WhatsApp/Slack conversations with client data after project closes
4. Handle Client Data You Access During Projects
Many freelancers access their client's customer data as part of the work — a developer building an e-commerce site, a data analyst working with a client's database, a marketer accessing CRM records.
- You become a Data Processor when accessing your client's customer data
- Sign a Data Processing Agreement (DPA) with clients who share their customers' data with you
- Never use client customer data for your own purposes
- Delete client customer data immediately after project ends
- Report any breach of client customer data to your client immediately
Top Freelancer DPDP Violations
Scenario: Freelance marketer's Google Sheet with 200 clients (names, emails, phone numbers, project budgets) is set to "Anyone with the link can view."
Fix: Change sharing to "Restricted." Enable 2FA on Google account. Encrypt the file.
Scenario: Freelance designer has project files, email chains, and payment details from clients going back to 2015. No deletion policy.
Fix: Annual cleanup. Delete project files after 1 year post-project. Keep only invoices for 7 years.
Scenario: Freelancer shares a client's name and project details on LinkedIn as a "case study" without getting explicit client consent.
Fix: Get written consent before publishing any client name, logo, or project details publicly.
Freelancer DPDP Checklist
| Compliance Item | Status |
|---|---|
| Privacy policy published (Notion/Google Sites link shared with new clients) | ☐ |
| Client database secured (not publicly accessible, 2FA enabled) | ☐ |
| Data retention policy set (delete after project + 1 year) | ☐ |
| Tax records kept separately (7 years, invoices only) | ☐ |
| DPA signed with clients before accessing their customer data | ☐ |
| No client case studies published without written consent | ☐ |
| Old WhatsApp/Slack chats cleaned after project ends | ☐ |
| Dedicated privacy email address set up for data requests | ☐ |
Part 2: DPDP for Real Estate Agents & Brokers
500,000+ agents in India • Property transactions = maximum personal data exposure
Why Real Estate Is High-Risk for DPDP
No other sector (outside healthcare and finance) routinely collects as much sensitive personal data as real estate. A single property transaction generates:
- Full name, date of birth, marital status
- Aadhaar card copies (identity + biometric ID)
- PAN card copies
- Income proof (salary slips, ITRs — revealing exact earnings)
- Bank statements (revealing financial behaviour)
- Employment details
- Family composition (spouse, children, dependents)
- Loan eligibility and credit history
- Full property address and ownership history
⚠️ Aadhaar = Biometric Data: Aadhaar cards contain biometric identifiers. Collecting and storing Aadhaar copies without following proper protocols is not just a DPDP violation — it may also violate the Aadhaar Act. Real estate agents routinely photocopy Aadhaar for KYC. Every such copy is sensitive personal data that must be secured and deleted.
Platform vs Agent Responsibility
Like marketplace sellers, real estate agents using platforms (MagicBricks, 99acres, Housing.com, NoBroker) are independently responsible for DPDP compliance:
| Data / Action | Platform Handles | Agent Handles |
|---|---|---|
| Lead enquiry data on platform | ✅ Platform's responsibility | ⚠️ Your responsibility once you download/contact the lead |
| KYC documents collected offline | Not applicable | ❌ Entirely your responsibility |
| Client income and financial docs | Not applicable | ❌ Entirely your responsibility |
| WhatsApp communication with clients | Not applicable | ❌ Entirely your responsibility |
| Cold calling from lead lists | Not applicable | ❌ Your responsibility — and likely a consent violation |
What Real Estate Agents Must Do
1. Secure KYC Documents
- Never keep loose Aadhaar/PAN photocopies in open files or folders
- Scan and store digitally in encrypted, password-protected folders
- Shred physical copies once digitised
- Restrict access: only the agent handling the transaction should have access
- Delete KYC copies after transaction is completed and documentation period expires
2. Stop Cold Calling from Purchased Lead Lists
This is the most common DPDP violation in real estate:
- Purchasing lead lists (phone numbers of people who "might want to buy property") = using data without consent
- Calling someone who never gave you their number = processing without consent = ₹50 crore violation
- Build leads organically (website forms with consent, referrals with consent, platform leads)
- If using platforms: Only contact leads who have explicitly shown interest in your listings
3. Publish a Privacy Policy
- If you have a website or app: Full privacy policy explaining what documents you collect and why
- If you work offline: Provide a written privacy notice when clients hand you KYC documents
- State clearly: "Your documents are used for property transaction processing only. Retained for [X] years, then destroyed."
4. WhatsApp Communication
- Don't forward a client's financial documents on WhatsApp without their knowledge
- Don't add multiple clients to a group where they can see each other's details
- Delete old client chats after transaction completes + 30 days
- Enable disappearing messages for chats containing financial documents
Top Real Estate DPDP Violations
Scenario: Agent keeps a physical folder with 50 clients' Aadhaar, PAN, and income proof documents in an unlocked office drawer. A break-in exposes all client data.
Fix: Lock cabinets. Digitise and encrypt. Delete physical copies.
Scenario: Agent buys a database of 10,000 phone numbers from a data vendor and calls them all with property offers. None of these people consented.
Fix: Stop using purchased lists. Build consent-based leads only.
Scenario: Agent shares a client's income proof and bank statements with a builder/developer to "speed up the process" without telling the client.
Fix: Always inform the client before sharing their documents with any third party. Get verbal or written agreement.
Real Estate DPDP Checklist
| Compliance Item | Status |
|---|---|
| Privacy policy/notice provided to clients when collecting KYC | ☐ |
| KYC documents stored in locked/encrypted storage only | ☐ |
| Physical Aadhaar/PAN copies shredded after digitising | ☐ |
| No cold calling from purchased lead lists | ☐ |
| Client consent obtained before sharing documents with builders/banks | ☐ |
| Old client data deleted after transaction + retention period | ☐ |
| WhatsApp chats with financial documents cleaned regularly | ☐ |
| Team access controls (only assigned agent sees client data) | ☐ |
Part 3: DPDP for Travel Agencies & Hospitality
200,000+ travel businesses • Passport data = highly sensitive personal data
What Data Travel Businesses Collect
Travel businesses are uniquely data-intensive. A single international holiday booking generates:
- Passport number, expiry date, nationality
- Visa application details
- Full name (as on passport), date of birth
- Travel dates, itinerary, accommodation details
- Payment information (credit cards, UPI, bank transfers)
- Dietary requirements and special assistance needs
- Travel insurance details
- Emergency contact information
- For group tours: family members' data including children's details
✈️ Passport Data is Sensitive: Passport numbers, combined with name and date of birth, are a complete identity document. In the wrong hands, this data enables identity fraud. DPDP treats identity document data as highly sensitive — handle it with the same care as financial data.
Applies to All Travel Businesses
- Travel agencies (offline and online)
- Tour operators and package holidays
- Hotels and homestays (including Airbnb hosts)
- OTA-listed properties (MakeMyTrip, Goibibo, Booking.com)
- Visa assistance services
- Corporate travel management companies
- Adventure tourism operators
- Pilgrimage tour operators
What Travel Businesses Must Do
1. Secure Passport and Travel Document Storage
- Never store passport scans in unprotected email attachments or Google Drive folders
- Use encrypted folders or document management systems
- Restrict access: only staff processing the specific booking sees the passport
- Delete passport copies immediately after visa/booking is processed
- Never send passport copies via unencrypted WhatsApp to third parties (airlines, hotels, embassies) without client knowledge
2. OTA Platform vs Your Responsibility
If listed on MakeMyTrip, Goibibo, or Booking.com:
- Platform handles customer consent for booking data on their end
- YOU are responsible for any data you download, print, or store independently
- Don't use OTA booking data for your own email/SMS marketing campaigns without separate consent
- Guest data shared by OTAs is for booking fulfillment only
3. Hotels and Homestays
- Guest register = personal data record (must be secured, not left at open reception desk)
- CCTV footage retention: 30 days maximum, then delete
- Guest ID copies collected for check-in: use for check-in only, delete after checkout + 30 days
- Airbnb hosts: Guest data shared by Airbnb is for hosting only — don't export for marketing
- Loyalty programme: Full privacy policy and opt-in consent required
4. Children Travelling
- Children's travel documents (passport, emergency contacts) are particularly sensitive
- Handle with extra care — restrict access to minimum necessary staff
- Delete after tour completion
- Never share children's data with third parties without explicit parental consent
Top Travel DPDP Violations
Scenario: Travel agent keeps hundreds of passport scans in a shared Google Drive folder accessible to all staff. A former employee's account is hacked, exposing all passports.
Fix: Encrypted storage. Access controls. Delete after booking is processed.
Scenario: Hotel downloads guest list from Booking.com and sends promotional emails to all past guests without asking if they want to receive marketing.
Fix: Only email guests who explicitly opted in to your marketing at check-in or on your website.
Scenario: Travel agent forwards client passport scans to a hotel in Dubai via a WhatsApp group also containing other clients. Multiple people now have the passport scans.
Fix: Use direct, individual channels. Never include multiple clients in groups where they share document access.
Travel Business DPDP Checklist
| Compliance Item | Status |
|---|---|
| Privacy policy published (website, booking confirmation emails) | ☐ |
| Passport/travel documents in encrypted, access-controlled storage | ☐ |
| Documents deleted after booking processed + 30 days | ☐ |
| No OTA guest data used for independent marketing | ☐ |
| Guest register secured (not left open at reception) | ☐ |
| CCTV footage deleted after 30 days | ☐ |
| Marketing emails only to explicit opt-ins | ☐ |
| Children's travel data handled with extra care | ☐ |
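The retention periods stated across the three parts of this guide (project files for 1 year after the project, invoices for 7 years, guest ID copies, travel documents, client chats and CCTV for 30 days) can be checked mechanically against a file inventory. The script below is an added example, not part of the original guide; the category names, the inventory format, the sample records and the choice of anchor date for each category are assumptions.

```python
from datetime import date, timedelta

# Retention rules as (years, days) after the anchor date, taken from this guide.
# Category names and what counts as the anchor date are assumptions of this example.
RULES = {
    "project_file":    (1, 0),   # project end + 1 year
    "invoice":         (7, 0),   # 7 years for GST/tax, counted from invoice date
    "client_chat":     (0, 30),  # transaction completes + 30 days
    "guest_id_copy":   (0, 30),  # checkout + 30 days
    "travel_document": (0, 30),  # booking processed + 30 days
    "cctv_footage":    (0, 30),  # 30 days maximum
}

def add_years(d, years):
    """Calendar-year addition; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def delete_after(category, anchor):
    years, days = RULES[category]
    return add_years(anchor, years) + timedelta(days=days)

def audit(records, today):
    """Return (overdue, unclassified). Open items (anchor None) are skipped."""
    overdue, unclassified = [], []
    for name, category, anchor in records:
        if category not in RULES:
            unclassified.append(name)   # no rule: needs a decision, not silent retention
        elif anchor is not None and today > delete_after(category, anchor):
            overdue.append((name, delete_after(category, anchor)))
    return sorted(overdue, key=lambda item: item[1]), unclassified

# Constructed sample inventory: (file name, category, anchor date).
SAMPLE = [
    ("acme_brief.docx",     "project_file",    date(2024, 2, 29)),
    ("site_redesign.fig",   "project_file",    None),  # project still open
    ("inv_2018_014.pdf",    "invoice",         date(2018, 7, 10)),
    ("inv_2017_003.pdf",    "invoice",         date(2017, 3, 31)),
    ("guest_id_rm12.jpg",   "guest_id_copy",   date(2025, 5, 20)),
    ("passport_scan_k.pdf", "travel_document", date(2025, 4, 15)),
    ("lead_list.xlsx",      "purchased_leads", None),
]

if __name__ == "__main__":
    overdue, unclassified = audit(SAMPLE, today=date(2025, 6, 1))
    for name, due in overdue:
        print(f"DELETE  {name}  (retention ended {due.isoformat()})")
    for name in unclassified:
        print(f"REVIEW  {name}  (no retention rule)")
```

Items with no matching rule are reported for review rather than kept by default, so data that was never classified cannot sit indefinitely.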
Quick FAQs
Does DPDP apply to freelancers working from home?
Yes. There is no exemption for home-based freelancers. If you collect client data — names, emails, payment details — DPDP compliance is mandatory.
Do real estate agents need to comply even if they work through a broker firm?
Yes. Individual agents who independently collect, store, or process client data are independently liable. The firm has obligations too — but your personal data handling is your responsibility.
What about small travel agents in Tier 2/3 cities?
DPDP applies everywhere in India equally. A travel agent in Jaipur handling passport copies has the same obligations as an MNC travel company in Mumbai.
When do I need to delete passport copies?
After the booking purpose is fulfilled. Once the visa is processed or the hotel check-in is complete, delete the passport scan. You have no legal basis to keep it longer.
As a freelancer, what is a DPA and do I need one?
A Data Processing Agreement is a contract between you (Data Processor) and your client (Data Fiduciary) when you access their customers' personal data. If a client gives you access to their user database or CRM to do work, you need a DPA. Many enterprise clients will now require one.