I would advise against using consent as a lawful basis for the processing of personal data, especially considering the latest fine issued by the Greek Supervisory Authority. As a general rule, you should avoid consent when processing employee data.
2. Is processing of bank details for payments allowed by GDPR?
Yes, it is. The GDPR does not forbid certain data from being processed; however, you would need to set up additional security measures to protect bank details. You should also check whether you need to be PCI compliant.
3. As a real estate company do I need to have a Data Protection Officer?
It is quite unlikely unless (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
4. Can I ask clients for a declaration that they are not allowed to contact the owner directly?
This is not necessarily related to the GDPR, so you should check this with a lawyer who knows your local laws.