GDBR

Also, see Data Privacy and Security FAQs

Last updated: 05/07/2019

Introduction

This Policy sets out the obligations of Arthur Online Limited (“the Company”) regarding data protection and the rights of the users of the Company’s software, website (https://www.arthuronline.co.uk), and mobile application and employees, independent contractors, agency workers, clients, customers, business contacts, suppliers and individuals for a variety of business purposes (“Data Subjects”) in respect of their Personal Data under the General Data Protection Regulation (EU) 2016/679 (“the Regulation”).

This policy sets out the collection, use, retention, transfer, disclosure and destruction of Personal Data regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject. The Policy seeks to protect Personal Data and ensure that staff understand the rules governing their use of Personal Data to which they have access in the course of their work.

The Company’s applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.

The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

This Policy is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the DPO.

Please contact the DPO with any questions about the operation of this Policy or the GDPR or if you have any concerns that this Policy is not being or has not been followed.

Key Details

Policy prepared by:

Mr Daniel Allan

Approved by the board/management on:

09/05/2018

Policy effective as of:

25/05/2018

Last review date:

04/07/2019

Next review date:

04/01/2020

Data Protection Officer:

Mr Marc Trup who may be contacted via email at marc.trup@arthuronline.co.uk and by telephone on +44(0)207 112 4860

Definitions

For the purposes of this Policy and as provided for by the GDPR:

Agent

Means a User of the Software who has registered as a letting agent.

Automated Decision Making

Means when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing

Means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.

Binding Corporate Rules

Means Personal Data protection policies which are adhered to by a Controller or Processor established on the territory of a Member State for transfers or a set of transfers of Personal Data to a Controller or Processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

Board

Means the Board of Directors of the Company from time to time.

Business Purposes

Means the purposes for which Personal Data may be used by the Company, e.g. service provision, personnel, administrative, financial, regulatory, payroll and business development purposes.

Company’s Computer Systems

Means all computer and other technological systems used by the Company during the normal course of its business and for the purpose of controlling and purposing the Personal Data of the Data Subject. The Company’s Computer Systems shall contain up-to-date anti-virus and anti-malware software at all times and shall be fully secure and encrypted, The Company’s Computer Systems shall be

Consent of the Data Subject

Means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

Contractor

Means a User of the Software who has registered as a contractor.

Cross Border Processing

Means Either: (a) processing of Personal Data which takes place in the context of the activities of establishments in more than one Member State of a Controller or Processor in the Union where the Controller or Processor is established in more than one Member State; or (b) processing of Personal Data which takes place in the context of the activities of a single establishment of a Controller or Processor in the Union but which substantially affects or is likely to substantially affect Data Subjects in more than one Member State.

Data Controller

Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor

Means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

EEA

Means the European Economic Area which currently includes the 28 countries in the EU, and Iceland, Liechtenstein and Norway.

Enterprise

Means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

Filing System

Means any structured set of Personal Data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

GDPR

Means the General Data Protection Regulation ((EU) 2016/679).

Group of Undertakings

Means a controlling undertaking and its controlled undertakings.

Information Security Service

Means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

International Organisation

Means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Landlord

Means a User of the Software who has registered as a landlord.

Main Establishment

Means: (a) as regards a Controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of Personal Data are taken in another establishment of the Controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; and (b)(b) as regards a Processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the Processor has no central administration in the Union, the establishment of the Processor in the Union where the main processing activities in the context of the activities of an establishment of the Processor take place to the extent that the Processor is subject to specific obligations under this Regulation.

Owner

Means a User of the Software who has registered as an owner.

Personal Data

Means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purposes of this Policy, Personal Data shall also include Sensitive Personal Data as defined in this Policy.

Personal Data Breach

Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Property

Means the property in question that has been registered on the Software.

Property Manager

Means a User of the Software who has registered as a property manager.

Processing

Means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling

Means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

Means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

Recipient

Means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Relevant and Reasoned Objection

Means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the Controller or Processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of Data Subjects and, where applicable, the free flow of Personal Data within the Union.

Representative

Means a natural or legal person established in the Union who, designated by the Controller or Processor in writing pursuant to Article 27, represents the Controller or Processor with regard to their respective obligations under this Regulation.

Restriction of processing

Means the marking of stored Personal Data with the aim of limiting their processing in the future.

Software

Means the website or mobile application of the Company.

Supervisory Authority

Means an independent public authority which is established by a Member State pursuant to Article 51. For the purposes of Companies incorporated in England and Wales the Supervisory Authority is the Information Commissioner’s Office (‘ICO’).

Supervisory Authority Concerned

Means a supervisory authority which is concerned by the processing of Personal Data because: (a) the Controller or Processor is established on the territory of the Member State of that supervisory authority; (b) Data Subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority.

Third Party

Means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.

User

Means a user of the Software whether they have registered as a Landlord, Tenant, Property Manager, Owner or Agent.

1. Data Covered by the GDPR

1.1 The GDPR defines Personal Data as including:

1.1.1 Personal details;
1.1.2 Family and lifestyle details;
1.1.3 Education and training;
1.1.4 Medical details including biometric data;
1.1.5 Employment details;
1.1.6 Financial details;
1.1.7 Contractual details (for example, goods and services provided to a Data Subject);
1.1.8 Location data; and
1.1.9 Online identifiers e.g. IP addresses, cookie IDs, device identifiers etc.

1.2 The GDPR defines Sensitive Personal Data as personal data revealing:

1.2.1 Racial or ethnic origin;
1.2.2 Political opinions;
1.2.3 Religious and philosophical beliefs;
1.2.4 Trade- union membership;
1.2.5 Data concerning health or sex life and sexual orientation; and
1.2.6 Genetic data or biometric data.

For the purposes of this policy, Sensitive Personal Data is to be included within the definition of ‘Personal Data’.

2. The Data Protection Principles

2.1 This Policy aims to ensure compliance with the Regulation. This Policy aims to set out the best practice of the Company in relation to complying with the Regulation and ensuring that Personal Data is protected. The Regulation sets out the following principles with which the Company shall comply. All Personal Data shall be:

2.1.1 processed lawfully, fairly, and in a transparent manner in relation to the Data Subject;
2.1.2 collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
2.1.3 adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
2.1.4 accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
2.1.5 kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the Data Subject; and
2.1.6 processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

3. Lawful, Fair and Transparent Data Processing

3.1 The Regulation seeks to ensure that Personal Data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the Data Subject. The Regulation states that processing of Personal Data shall be lawful if at least one of the following applies:

3.1.1 the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
3.1.2 processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
3.1.3 processing is necessary for compliance with a legal obligation to which the Controller is subject;
3.1.4 processing is necessary to protect the vital interests of the Data Subject or of another natural person;
3.1.5 processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; and
3.1.6 processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.

4. Processed for Specified, Explicit and Legitimate Purpose

4.1 The Company collects and processes the Personal Data set out in Schedule 1 of this Policy. This may include Personal Data received directly from Data Subjects (for example, contact details used when a Data Subject communicates with us) [and data received from third parties (for example, managing agents of the landlord, estate agents acting on behalf of the landlord, solicitors of the landlord and/ or tenant and accountants of the landlord and/ or tenant).

4.2 The Company only processes Personal Data for the specific purposes set out in Schedule 4 of this Policy (or for other purposes expressly permitted by the Regulation). The purposes for which we process Personal Data will be informed to Data Subjects at the time that their Personal Data is collected, where it is collected directly from them, or as soon as possible (not more than one calendar month) after collection where it is obtained from a third party.

5. Accountability

5.1 The Company’s Data Protection Officer is Mr Marc Trup who may be contacted by telephone on +44(0)207 112 4860 and/or e-mail at marc.trup@arthuronline.co.uk.

5.2 The Data Protection Officer is responsible for:

5.2.1 Informing and advising the Company and our employees about their obligations to comply with the GDPR and other data protection laws;
5.2.2 Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
5.2.3 Acting as the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc);
5.2.4 Completing internal audits of processing activities;
5.2.5 Providing training for all staff members who handle Personal Data and ensure access to further guidance and support;
5.2.6 Providing clear lines of report and supervision for compliance with data protection;
5.2.7 Carrying out regular checks to monitor and assess new processing of Personal Data and to ensure that any notification to the ICO is updated to take account of any changes in processing of Personal Data;
5.2.8 Developing and maintaining GDPR procedures;

5.3 The Data Protection Officer shall report to the Board.

5.4 The Company confirms that the Data Protection Officer operates independently, and adequate resources have been provided to enable DPOs to meet their GDPR obligations.

5.5 All employees will, through appropriate training and responsible management:

5.5.1 Observe all forms of guidance, codes of practice and procedures about the collection and use of Personal Data;
5.5.2 Understand fully the purposes for which the Company uses Personal Data;
5.5.3 Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the Company to meet its service needs or legal requirements;
5.5.4 Ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required;
5.5.5 On receipt of a request by or on behalf of an individual for information held about them will immediately notify their line manager; and
5.5.6 Not send any Personal Data outside of the United Kingdom without the authority of the Data Protection Officer.

5.6 The Company reserves its right to outsource the role of the Data Protection Officer to a third party that has thorough knowledge of the GDPR.

5.7 The Company shall keep written internal records of all Personal Data collection, holding, and processing, which shall incorporate the following information:

5.7.1 The name and details of the Company, its Data Protection Officer, and any applicable third- party data Controllers;
5.7.2 The purposes for which the Company processes Personal Data;
5.7.3 Details of the categories of Personal Data collected, held, and processed by the Company; and the categories of Data Subject to which that Personal Data relates;
5.7.4 Details (and categories) of any third parties that will receive Personal Data from the Company;
5.7.5 Details of any transfers of Personal Data to non-EEA countries including all mechanisms and security safeguards;
5.7.6 Details of how long Personal Data will be retained by the Company; and
5.7.7 Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of Personal Data.

5.8 The Company shall also implement measures that meet the principles of data protection by design and data protection by default. Measures could include:

5.8.1 Data minimisation;
5.8.2 Ensuring transparency to Data Subjects and any relevant third parties follows consent obtained from Data Subjects;
5.8.3 Allowing Data Subjects to monitor processing;
5.8.4 Creating and improving security features on an ongoing basis; and
5.8.5 Use Data Protection Impact Assessments where appropriate as defined under paragraphs 11 and 16 of this Policy.

6. Consent

6.1 Consent obtained from a Data Subject shall not be valid unless separate consents are obtained for different processing activities. Forced, or ‘omnibus’, consent mechanisms will not be valid.

6.2 The Company recognises that the Data Subject has the right to withdraw consent at any time.

6.3 We will also ensure that if we intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented we shall obtain separate and specific consent for the additional purposes.

6.4 When obtaining consent from a Data Subject the Company shall ensure:

6.4.1 The Data Subject has genuine choice and control – consent may not be valid if there is a clear imbalance of power;
6.4.2 Consent is not tied to a contract;
6.4.3 The Data Subject provides a positive opt-in. The company does not use pre-ticked boxes or any other method of consent by default; and
6.4.4 Explicit consent is acquired from the Data Subject for the use of Personal Data and the Data Subject is required to provide a very clear and specific statement that they consent to such use.

6.5 We provide the Data Subject with specific and granular options to consent to the different types of processing where appropriate. We do not provide the option for Data Subjects to provide blanket consent.

6.6 To ensure that the Data Subject’s consent is properly and clearly obtained, we have ensured that our consent requests are kept separate from all other terms and conditions.

6.7 All requests for consent are in an intelligible and accessible form in clear and plain language.

6.8 The Company shall:

6.8.1 Name any third parties who will rely on the consent;
6.8.2 Make it easy for people to withdraw consent and tell them how;
6.8.3 Keep records and evidence of consent: who, when, how, and what you told people;
6.8.4 Keep consent under review, and refresh it if anything changes; and
6.8.5 Avoid making consent a precondition of a service.

7. Sensitive Personal Data

7.1 If the personal data in question is “special category data” (also known as “sensitive personal data”) (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:

7.1.1 The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);
7.1.2 The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);
7.1.3 The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
7.1.4 The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;
7.1.5 The processing relates to personal data which is clearly made public by the data subject;
7.1.6 The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
7.1.7 The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
7.1.8 The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;
7.1.9 The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
7.1.10 The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

8. Specified, Explicit and Legitimate Purposes

8.1 The Company collects and processes the personal data set out in Schedule 1 of this Policy. This includes:

8.1.1 Personal data collected directly from data; and
8.1.2 Personal data obtained from third parties.

8.2 The Company only collects, processes, and holds personal data for the specific purposes set out in Schedule 1 of this Policy (or for other purposes expressly permitted by the GDPR).

8.3 Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 18 for more information on keeping data subjects informed.

9. Children

9.1 The Company notes that children under the age of 13 can never, themselves, give consent to the processing of their Personal Data in relation to online services.

9.2 Except in the cases of preventative or counselling services to a child, we shall obtain parental consent before seeking to process Personal Data relating to children between the ages of 13 and 15 (inclusive). The Company shall use reasonable efforts to verify such parental consent, making use of available technology.

9.3 Children aged 16 or older may give consent for the processing of their Personal Data themselves.

10. Privacy Notices

10.1 The Company will always inform a Data Subject about what we are doing with their Personal Data. This is to ensure that the Data Subject validly consents to our use of their Personal Data, to ensure the individual exercises their rights or, decide whether or not to provide us with their Personal Data.

10.2 The Company shall provide the Data Subject with a summary of unusual or important use of their Personal Data.

10.3 If requested by the Data Subject, the company shall provide a full privacy policy to the Data Subject within a reasonable time of the request including details of:

10.3.1 Sufficient information to identify our Company including our registered company name, company number and registered address as at Companies House;
10.3.2 Our contact details;
10.3.3 The contact details of any representative;
10.3.4 The contact details of Data Protection Officer;
10.3.5 The purpose and legal basis of any processing;
10.3.6 Details relating to the Data Subject’s right to withdraw consent;
10.3.7 Categories of Personal Data processed;
10.3.8 Receipts or categories of recipients of Personal Data;
10.3.9 Source of Personal Data;
10.3.10 Details of any intended transfer outside of the EU and details of any safeguards relied upon;
10.3.11 The period for which data will be stored;
10.3.12 A list of the Data Subject’s rights, including the right to object to direct marketing, make a Subject Access Request pursuant to paragraph 19 of this Policy and to be forgotten;
10.3.13 Details of any automated decision making as defined under paragraph 23 and consequences for the individual;
10.3.14 Whether provision of Personal Data is a statutory or contractual requirement, whether disclosure is mandatory and the consequences of not doing so; and
10.3.15 The individual’s right to complain to a supervisory authority.

10.4 Where the data has been obtained directly from the Data Subject, the information stated under paragraph 8.3 shall be provided by the Company to the Data Subject at the time the data is obtained.

10.5 Where the data has not been obtained directly from the Data Subject, the information stated under paragraph 8.3 shall be provided by the Company to the Data Subject:

10.5.1 Within a reasonable period of the Company obtaining the data and, in any case, no later than one month after obtaining the data; or
10.5.2 If the data are used to communicate with the individual, at the latest, when the first communication takes place; or
10.5.3 If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

11. Pseudonymisation

11.1 The Company shall ensure that Personal Data shall be processed in such a way that it can no longer be attributed to a specific Data Subject without the use of additional information.

11.2 Any identifying information shall be kept separately and be subject to technical and organisational measures to ensure non-attribution and to prevent inadvertent re-identification of the coded data such as hashing, encryption and coded data.

11.3 All Personal Data collected, processed and transferred by the Company shall be in a pseudonymised form.

11.4 We shall perform a Data Protection Impact Assessment (PIA) before carrying out any processing that uses new technologies (taking into account the nature, scope, context and purpose of the processing) that is likely to result in a high risk to Data Subjects. The purpose of the PIA is to act as an assessment to identify and minimise non-compliance risks.

11.5 A PIA shall be completed where there are:

11.5.1 systematic and extensive processing activities, including profiling and where decisions have legal effects – or similarly significant effects – on individuals;
11.5.2 large scale processing of sensitive data or criminal convictions or offence details; or
11.5.3 large scale, systematic monitoring of public areas (CCTV).

11.6 If a PIA is necessary, the Company shall consult with the Supervisory Authority prior to any processing taking place.

11.7 The Company has an ongoing requirement to keep all measures up to date including in the event of any new technology, product or service that involves the processing of Personal Data.

12. Adequate, Relevant and Limited Data Processing

12.1 The Company will only collect and process Personal Data for and to the extent necessary for the specific purpose(s) informed to Data Subjects as under paragraph 5.7.2, above.

12.2 The Company shall not retain any data which, in the Company’s reasonable opinion, is irrelevant or excessive to the purposes for which the data was collected.

12.3 The Company shall ensure that the Personal Data shall be confidential by ensuring that only those who are required to have access to the Personal Data and who are authorised to use the Personal Data have access to it.

13. Accuracy of Data and Keeping Data Up to Date

13.1 The Company shall ensure and take reasonable steps to ensure that Personal Data collected and processed or that information provided by the individual concerned, or by another individual or organisation has been recorded correctly by the Company.

13.2 The Company shall also ensure that all Personal Data collected and processed is kept up- to- date where appropriate and as required under the GDPR.

13.3 The accuracy of data shall be checked when it is collected and at regular intervals thereafter.

13.4 Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

13.5 However, the Company shall keep a record of the inaccuracy for transparency and clarity purposes provided these records are clear on the facts.

13.6 The Company shall ensure that the source of any Personal Data collected is clear and that clear records of such sources are maintained at all times.

13.7 Pursuant to the GDPR, accurate data means data which is correct and not misleading.

14. Timely Processing

14.1 The Company shall not keep Personal Data for any longer than is necessary in light of the purposes for which that data was originally collected and processed.

14.2 The Company shall store any hard copies of any Personal Data at its offices at Kendale 99 Winnington Road N2 0TT for no longer than is necessary. If any transportation of hard copies of Personal Data is required it shall be arranged by the Company by tracked DX, Royal Mail tracked delivery, Parcel Force tracked services or personal courier service to the Analysts. Once hard copies of data are no longer required (pursuant to the Data Retention policy stated in Schedule 5 of this Policy), it shall be shredded and disposed of securely. Original copies of any Personal Data in hard copy format shall be transported securely back to the Data Subject when no longer required by the Company.

14.3 Electronic copies of any Personal Data held by the Company shall be downloaded by the Company using a secure server. The Company shall immediately delete any electronically downloaded folders and files when they are no longer required by the Company. When the data is no longer required, all reasonable steps will be taken to securely erase it without delay.

14.4 When the data is no longer required, all reasonable steps will be taken to securely erase it without delay.

14.5 The Company shall regularly review the Personal Data we hold and delete anything we no longer need.

14.6 If, in the Company’s reasonable opinion the data will be required at a later date, the Company may achieve the data (rather than delete it).

14.7 Any scanned copies of the personal data shall only be retained on the Company’s computer systems for the purposes and duration for which they are required by the Company and in any event, shall be deleted from the Company’s computer systems within three weeks from the date of scan.

15. Secure Processing

15.1 The Company shall ensure that all Personal Data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Further details of the data protection and organisational measures which shall be taken are provided in Parts 22 and 23 of this Policy.

15.2 The Company shall obtain an appropriate cyber security insurance policy in the event that there is an issue relating to a data breach.

15.3 Any electronic copies, including scanned copies, of any Personal Data will be held on the Company’s computer systems. The Company’s computer systems will have a username and password system for access. The passwords for the Company’s computer systems will be changed every 3 months. The Company will ensure that it has up-to-date anti-virus and anti-malware software on its computer systems. Any electronic copies of any Personal Data that is held on the Company’s computer systems will be encrypted and password protected, in addition to this Personal Data being pseudonymised.

15.4 If the Company keeps a guest sign in book when visitors visit the Company’s premises, the Company shall ensure that appropriate measures are taken to keep the visitors details confidential and not disclose this to other visitors who are signing in.

16. Data Privacy Impact Assessments

16.1 The Company shall carry out Privacy Impact Assessments when and as required under the Regulation. Privacy Impact Assessments shall be overseen by the Company’s Data Protection Officer and shall address the following areas of importance:

16.1.1 purpose(s) for which Personal Data is being processed and the processing operations to be carried out on that data;
16.1.2 Details of the legitimate interests being pursued by the Company;
16.1.3 An assessment of the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
16.1.4 An assessment of the risks posed to individual Data Subjects; and
16.1.5 Details of the measures in place to minimise and handle risks including safeguards, data security, and other measures and mechanisms to ensure the protection of Personal Data, sufficient to demonstrate compliance with the Regulation.

17. The Rights of Data Subjects

17.1 The Regulation sets out the following rights applicable to Data Subjects:

17.1.1 The right to be informed;
17.1.2 The right of access;
17.1.3 The right to rectification;
17.1.4 The right to erasure (also known as the ‘right to be forgotten’);
17.1.5 The right to restrict processing;
17.1.6 The right to data portability;
17.1.7 The right to object; and
17.1.8 Rights with respect to automated decision-making and profiling.

18. Keeping Data Subjects Informed

18.1 The Company shall ensure that the following information is provided to every Data Subject when Personal Data is collected:

18.1.1 Details of the Company including, but not limited to, the identity of Mr Marc Trup, its Data Protection Officer;
18.1.2 The purpose(s) for which the Personal Data is being collected and will be processed (as detailed in Schedule 1 of this Policy) and the legal basis justifying that collection and processing;
18.1.3 Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the Personal Data;
18.1.4 Where the Personal Data is not obtained directly from the Data Subject, the categories of Personal Data collected and processed;
18.1.5 Where the Personal Data is to be transferred to one or more third parties, details of those parties;
18.1.6 Where the Personal Data is to be transferred to one or more third parties, details of those parties;
18.1.7 Where the Personal Data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Schedule 3 of this Policy for further details concerning such third country data transfers);
18.1.8 Details of the length of time the Personal Data will be held by the Company (or, where there is no predetermined period, details of how that length of time will be determined);
18.1.9 Details of the Data Subject’s rights under the Regulation;
18.1.10 Details of the Data Subject’s right to withdraw their consent to the Company’s processing of their Personal Data at any time;
18.1.11 Details of the Data Subject’s right to complain to the ICO Office (the ‘Supervisory Authority’ under the Regulation);
18.1.12 Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the Personal Data and details of any consequences of failing to provide it;
18.1.13 Details of any automated decision-making that will take place using the Personal Data (including but not limited to profiling), including information on how decisions will be made, the significance of those decisions and any consequences.
18.1.14 The information set out above in paragraph 18.1 shall be provided to the Data Subject at the following applicable time: Where the Personal Data is obtained from the Data Subject directly, at the time of collection; Where the Personal Data is not obtained from the Data Subject directly (i.e. from another party): If the Personal Data is used to communicate with the Data Subject, at the time of the first communication; or if the Personal Data is to be disclosed to another party, before the Personal Data is disclosed; or in any event, not more than one month after the time at which the Company obtains the Personal Data.

19. Data Subject Access

19.1 A Data Subject may make a Subject Access Request (“SAR”) at any time to find out more about the Personal Data which the Company holds about them. The Company is normally required to respond to SARs within one month of receipt (this can be extended by up to two months in the case of complex and/or numerous requests, and in such cases the Data Subject shall be informed of the need for the extension).

19.1.1 All subject access requests received must be forwarded to the Company’s Data Protection Officer.
19.1.2 The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a Data Subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

20. Rectification of Personal Data

20.1 If a Data Subject informs the Company that Personal Data held by the Company is inaccurate or incomplete, requesting that it be rectified, the Personal Data in question shall be rectified, and the Data Subject informed of that rectification, within one month of receipt the Data Subject’s notice (this can be extended by up to two months in the case of complex requests, and in such cases the Data Subject shall be informed of the need for the extension).

20.2 In the event that any affected Personal Data has been disclosed to third parties, those parties shall be informed of any rectification of that Personal Data.

21. Erasure of Personal Data

21.1 Data Subjects may request that the Company erases the Personal Data it holds about them in the following circumstances:

21.1.1 It is no longer necessary for the Company to hold that Personal Data with respect to the purpose for which it was originally collected or processed;
21.1.2 The Data Subject wishes to withdraw their consent to the Company holding and processing their Personal Data;
21.1.3 The Data Subject objects to the Company holding and processing their Personal Data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 24 of this Policy for further details concerning Data Subjects’ rights to object);
21.1.4 The Personal Data has been processed unlawfully;
21.1.5 The Personal Data needs to be erased in order for the Company to comply with a particular legal obligation;
21.1.6 The Personal Data is being held and processed for the purpose of providing information society services to a child.

21.2 Unless the Company has reasonable grounds to refuse to erase Personal Data, all requests for erasure shall be complied with, and the Data Subject informed of the erasure, within one month of receipt of the Data Subject’s request (this can be extended by up to two months in the case of complex requests, and in such cases the Data Subject shall be informed of the need for the extension).

21.3 In the event that any Personal Data that is to be erased in response to a Data Subject request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

22. Restriction of Personal Data Processing

22.1 Data Subjects may request that the Company ceases processing the Personal Data it holds about them. If a Data Subject makes such a request, the Company shall retain only the amount of Personal Data pertaining to that Data Subject that is necessary to ensure that no further processing of their Personal Data takes place.

22.2 In the event that any affected Personal Data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

23. Automated Decision Making

23.1 The Company may process Personal Data using automated means. An automated decision is a decision which is made following processing of personal data solely by automatic means, where no humans are involved in the decision-making process (‘Automated Decision Making’). If Automated Decision Making is to be adopted as a process by the Company, the Company shall first ensure that it obtains explicit written consent from the Data Subject in accordance with paragraph 6 of this Policy.

23.2 Where the Company uses Personal Data for the purposes of automated decision-making and those decisions have a legal (or similarly significant effect) on Data Subjects, Data Subjects have the right to challenge to such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.

23.3 The right described in Part 23.1 does not apply in the following circumstances:

23.3.1 The decision is necessary for the entry into, or performance of, a contract between the Company and the Data Subject;
23.3.2 The decision is authorised by law; or
23.3.3 The Data Subject has given their explicit consent.

23.4 Data Subjects have the right to challenge to such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.

23.5 Where Data Subjects have given their consent to the Company to process their Personal Data in such a manner or the processing is otherwise required for the performance of a contract between the Company and the Data Subject, Data Subjects have the legal right under the Regulation to receive a copy of their Personal Data and to use it for other purposes (namely transmitting it to other data Controllers, e.g. other organisations).

23.6 Where technically feasible, if requested by a Data Subject, Personal Data shall be sent directly to another data Controller.

23.7 All requests for copies of Personal Data shall be complied with within one month of the Data Subject’s request (this can be extended by up to two months in the case of complex requests in the case of complex or numerous requests, and in such cases the Data Subject shall be informed of the need for the extension).

23.8 Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).

23.9 Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.

23.10 All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.

24. Objections to Personal Data Processing

24.1 Data Subjects have the right to object to the Company processing their Personal Data based on legitimate interests (including profiling), direct marketing (including profiling).

24.2 Where a Data Subject objects to the Company processing their Personal Data based on its legitimate interests, the Company shall cease such processing forthwith, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the Data Subject’s interests, rights and freedoms; or the processing is necessary for the conduct of legal claims.

24.3 Where a Data Subject objects to the Company processing their Personal Data for direct marketing purposes, the Company shall cease such processing forthwith.

24.4 Where a Data Subject objects to the Company processing their Personal Data for scientific and/or historical research and statistics purposes, the Data Subject must, under the Regulation, ‘demonstrate grounds relating to his or her particular situation’. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

25. Profiling

25.1 Where the Company uses Personal Data for profiling purposes, the following shall apply:

25.1.1 Clear information explaining the profiling will be provided, including its significance and the likely consequences;
25.1.2 Appropriate mathematical or statistical procedures will be used;
25.1.3 Technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented; and
25.1.4 All Personal Data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling (see Parts 21 and 22 of this Policy for more details on data security).

26. Personal Data

26.1 The following Personal Data that is apparently collected and that may be collected, held, and processed by the Company is outlined under Schedule 1 to this Policy.

26.2 Schedule 1 will be regularly updated by the Company from time to time and shall be regularly reviewed by the DPO.

27. Data Protection Measures

27.1 The Company collects, processes and transfers Personal Data in both electronic copy form and hard copy form in accordance with this Policy.

27.2 The Company shall ensure that all its employees, agents, contractors, or other parties working on its behalf comply with the following when working with Personal Data:

27.2.1 emails containing Personal Data must be encrypted using RSA Asymmetric Encryption Algorithm

27.2.2 emails containing Personal Data must contain a confidential information discloser at the end of the email which states that if the email has been sent in error the recipient must immediately cease reading the email or downloading any attachments and must not disclose its contents. In addition, the email and any attachments must be deleted irretrievably;

27.2.3 where any Personal Data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be secretly deleted and disposed of. Hardcopies should be shredded, and electronic copies should be deleted securely using RSA Asymmetric Encryption Algorithm
27.2.4 Personal Data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
27.2.5 Personal Data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
27.2.6 Personal Data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
27.2.7 where Personal Data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
27.2.8 where Personal Data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using a) Tracked DX; b) Royal Mail Tracked Delivery; c) Parcel Force tracked services; or d) Personal courier;
27.2.9 where Personal Data is to be transferred in an electronic copy form it should be passed directly in a password protected and encrypted PDF document to the Company;
27.2.10 no Personal Data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any Personal Data that they do not already have access to, such access should be formally requested from Mr Marc Trup;
27.2.11 all hardcopies of Personal Data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar;
27.2.12 No Personal Data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Mr Marc Trup;
27.2.13 Personal Data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time;
27.2.14 If Personal Data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
27.2.15 No Personal Data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of Mr Marc Trup and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
27.2.16 No Personal Data should be transferred to any device personally belonging to an employee and Personal Data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Regulation (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken);
27.2.17 All Personal Data stored electronically should be backed up every three months with backups stored onsite. All backups should be encrypted using symmetric encryption; LUKS Volume” for the encryption (https://gitlab.com/cryptsetup/cryptsetup
27.2.18 All electronic copies of Personal Data should be stored securely using passwords and symmetric e data encryption; ‘mcrypt’ AES-256
27.2.19 All passwords used to protect Personal Data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;
27.2.20 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff and contractors do not have access to passwords;

27.3 Where Personal Data held by the Company is used for marketing purposes, it shall be the responsibility of Mr Marc Trup to ensure that no Data Subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service. Such details should be checked at least every three months. The Company shall obtain the prior express written consent of the Data Subject for each individual specific marketing material that may be sent to the Data Subject prior to distribution, including but not limited to e-mail marketing. A copy of such consent will be retained by the Company in accordance with this policy.

27.3.1 For the purposes of Direct Marketing, we may retain the email addresses of data subjects who we have had business with, unless they have opted out.

27.3.2 We will clearly record any telephone marketing calls made by us. We will note when the call was made, the duration of the call and what was discussed.

27.3.3 Additionally, we will keep track of whether the person contacted was agreeable to being contacted again.

27.4 Where marketing e-mails are sent out by the Company, the Company shall ensure all recipients are blind carbon copied (Bcc) into the email so that the other recipients are unable to identify or receive Personal Data of the other recipients.

27.5 All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates not more than as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and

27.6 No software may be installed on any Company-owned computer or device without the prior approval of the Mr Marc Trup.

28. Organisational Measures

28.1 The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of Personal Data:

28.1.1 All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the Regulation and under this Policy, and shall be provided with a copy of this Policy;
28.1.2 Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, Personal Data in order to carry out their assigned duties correctly shall have access to Personal Data held by the Company;
28.1.3 All employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data will be appropriately trained to do so;
28.1.4 All employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data will be appropriately supervised;
28.1.5 Methods of collecting, holding and processing Personal Data shall be regularly evaluated and reviewed;
28.1.6 The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data shall be regularly evaluated and reviewed;
28.1.7 All employees, agents, contractors, or other parties working on behalf of the Company handling Personal Data will be bound to do so in accordance with the principles of the Regulation and this Policy by contract;
28.1.8 All agents, contractors, other parties working on behalf of the Company handling Personal Data must ensure that any and all of their employees who are involved in the processing of Personal Data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the Regulation; and
28.1.9 Where any agent, contractor or other party working on behalf of the Company handling Personal Data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

Transferring Data to a Country outside the EEA

29.1 The Company may from time to time transfer (‘transfer’ includes making available remotely) Personal Data to countries outside of the EEA.

29.2 The transfer of Personal Data to a country outside of the EEA shall take place only if one or more of the following applies:

29.2.1 The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for Personal Data;
29.2.2 The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the Regulation); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
29.2.3 The transfer is made with the informed consent of the relevant Data Subject(s);
29.2.4 The transfer is necessary for the performance of a contract between the Data Subject and the Company (or for pre-contractual steps taken at the request of the Data Subject);
29.2.5 The transfer is necessary for important public interest reasons;
29.2.6 The transfer is necessary for the conduct of legal claims;
29.2.7 The transfer is necessary to protect the vital interests of the Data Subject or other individuals where the Data Subject is physically or legally unable to give their consent; or
29.2.8 The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

Data Breach Notification

30.1 All Personal Data breaches must be reported immediately to the Company’s Data Protection Officer.

30.2 If a Personal Data breach occurs and that breach is likely to result in a risk to the rights and freedoms of Data Subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

30.3 In the event that a Personal Data breach is likely to result in a high risk (that is, a higher risk than that described under Part 30.2) to the rights and freedoms of Data Subjects, the Data Protection Officer must ensure that all affected Data Subjects are informed of the breach directly and without undue delay.

30.4 Data breach notifications shall include the following information:

30.4.1 The categories and approximate number of Data Subjects concerned;
30.4.2 The categories and approximate number of Personal Data records concerned;
30.4.3 The name and contact details of the Company’s Data Protection Officer (or other contact point where more information can be obtained);
30.4.4 The likely consequences of the breach; and Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

31. Implementation of Policy

31.1 This Policy shall be deemed effective as of 25 May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

31.2 We reserve our right to change this Policy and any Schedules at any time without notice to you so please check back regularly to obtain the latest copy of this GDPR policy.


SCHEDULE 1: Personal Data

Below is an example of the type of Personal Data the Company controls and processes:

Category of Personal Data heldPurpose for which the data is collected, held and processed
Landlord’s personal details: Including but not limited to contact details, names, addresses, telephone numbers, e-mail addresses, date of birth, place of birth, and nationality. To identify the Data Subject
Tenant’s Personal details: Including but not limited to contact details, names, addresses, telephone numbers, e-mail addresses, date of birth, place of birth, and nationality. To identify the Data Subject
The Contractors Personal details: Including but not limited to contact details, names, addresses, telephone numbers, e-mail addresses, date of birth, place of birth, and nationality. To identify the Data Subject
The Owners Personal details: Including but not limited to contact details, names, addresses, telephone numbers, e-mail addresses, date of birth, place of birth, and nationality. To identify the Data Subject
The Property Managers Personal details: Including but not limited to contact details, names, addresses, telephone numbers, e-mail addresses, date of birth, place of birth, and nationality. To identify the Data Subject
Family and lifestyle details: Including but not limited to the contact details, names, addresses, telephone numbers and e-mail addresses of family members. Lifestyle details could include (but is not limited to) whether or not the Data Subject: is a smoker or non-smoker. To identify any other persons that are subject to the Tenancy Agreement and who are residing or occupying the Property. Lifestyle details may also be collected, held and processed so that the Landlord may determine whether the Data Subject is a smoker for insurance purposes or purposes relating to the Tenancy Agreement.
Contractual Details: Including but not limited to the contract and details including but not limited to the contractual Tenancy Agreement between the Landlord and Tenant, the contract between the Company and its Employees, and the contract with the Data Subject. In order to for the Landlord and Tenant to access the Tenancy Agreement.
Financial Details: Including but not limited to bank account details (sort code, account number), relevant tax codes, national insurance numbers, credit history, credit checks, and loans/mortgages. These financial details are likely to be held for the Company’s Employees, the Landlords, Tenants, Managing Agents, Letting Agents and Owners of the Property. In order for the Tenant to make payment to the Landlord for any rent that is due and owed.
Employee’s Personal Data: Including but not limited to contact details, names, addresses, telephone numbers, e-mail addresses, date of birth, nationality, trade union membership, sexual orientation, previous places of work and experience, training, qualifications, and curriculum vitae To identify the Employee and to enable the employment of the Employee with the Company.

SCHEDULE 2: The Company and Third-Party Controllers

1. Arthur Online Limited a company registered in England and Wales with company number 07912886 and registered address at Palladium House, 1-4 Argyll Street, London, W1F 7LD.

2. The Company provides software for Tenants, Landlords, Contractors, Property Managers and Owners to connect and consolidate property management matters.

2.1 The Company’s Data Protection Officer is Mr Marc Trup who may be contacted by email at marc.trup@arthuronline.co.uk.

Third-Party Controllers

In order for the Company to integrate certain services with the Software, it may be required to transfer the User’s Personal Data to the Third Party Controllers listed below. Prior to transferring any Personal Data, the Company will obtain the express and explicit consent of the Data Subject and inform the Data Subject of what Personal Data it intended to be transferred and for what purpose as below.

Xero

1. Xero.
2. If a User selects the Company’s Accountancy Package option when registering with the Software, following the Users express and explicit consent, their Personal data including, contact name, address and financial data including account number, sort code and bank details may be shared with Xero. Alternatively, the User may expressly share these details with Xero through the Company’s Software.
3. The categories of Personal Data shared to Xero includes personal details and financial details.

QuickBooks

1. QuickBooks.
2. If a User selects the Company’s Accountancy Package option when registering with the Software, following the Users express and explicit consent, their Personal data including, contact name, address and financial data including account number, sort code and bank details may be shared with QuickBooks. Alternatively, the User may expressly share these details with QuickBooks through the Company’s Software.
3. The categories of Personal Data shared to QuickBooks includes personal details and financial details.

Zapier

1. Zapier.
2. If a User selects the Company’s App Integration Package option when registering with the Software, following the Users express and explicit consent, their Personal data including, contact name, address and financial data may be shared with Zapier. Alternatively, the User may expressly share these details with Zapier through the Company’s Software.
3. The categories of Personal Data shared to Zapier includes personal details and financial details.

Intercom

1. Intercom.
2. The Company’s Software provides an in- app messaging service between different users and also between the user and the Company.
3. The categories of Personal Data shared to Intercom may include the transfer of personal details and financial details.

Amplitude

  1. Amplitude.
  2. The Company’s Software provides a tracking system that shows the behaviour of visitors to the Company website.
  3. The categories of Personal Data shared to Amplitude may include transfer of personal details and financials details.

Advanced Tenant Referencing

1. Advanced Rent.
2. If a User selects the Company’s tenant referencing option when using the Software, following the Users express and explicit consent, Personal data including, contact name, address and financial data including account number, sort code and bank details may be shared Advanced Rent. Alternatively, the User may expressly share these details with Advanced Rent through the Company’s Software.
3. The categories of Personal Data shared to Advanced Rent includes personal details and financial details.

Signable

1. Signable.
2. If a User selects to send a contract for signature using the Software, following the Users express and explicit consent, Personal data including, contact name, address, email, contact number.
3. The categories of Personal Data shared to signable includes personal details and financial information.

Experian

1. Experian.
2. If a User selects the Company’s credit check option when using the Software, following the Users express and explicit consent, Personal data including, contact name, address and financial data including account number, sort code and bank details may be shared Advanced Rent. Alternatively, the User may expressly share these details with Experian through the Company’s Software.
3. The categories of Personal Data shared to Experian includes personal details and financial details.

This Schedule 2 will be regularly updated by the Company from time to time and shall be regularly reviewed by the DPO.

The Company shall ensure that when it transfers data or receives data from a Third Party Controller it shall carry out an appropriate level of due diligence to ensure that the Third Party complies with its GDPR obligations including but not limited to carrying out an Audit of the Third Party Controllers processes (where appropriate) and/ or ensuring the Company’s contract with the Third Party Controller outlines the Third Party Controllers obligations under the GDPR in relation to the transferred Personal Data. The Company shall not accept data from Third Party Controllers which does not comply with the GDPR.


SCHEDULE 3: Data Processing in EEA

In order for the Company to integrate certain services with the Software, it may be required to transfer the User’s Personal Data to the Third Party Controllers which are based outside the European Economic Area (the ‘EEA’). Prior to transferring any Personal Data, the Company will obtain the express and explicit consent of the Data Subject to transfer the Personal Data outside of the EEA, inform the Data Subject of what Personal Data it intended to be transferred and for what purpose as below.

The Company may transfer Personal Data as above to the following non- EEA countries:

1. Firecreek Web Developers – this is where the Company’s web developers are located. They may have access to the User’s Personal Data including the User’s contact details, name and financial details. Before such data is transferred, the Company shall obtain the express, written consent of the User to do so including informing the User what data is to be transferred, the location of the web developer, the fact that the web developer is located outside the EEA and for what reason the data is transferred in accordance with Clause 27 of this Policy.

Lawfulness of Processing Personal Data outside the EEA

We shall only transfer Personal Data outside the EEA if one of the following conditions applies:

(a) the European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms;
(b) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
(c) the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
(d) the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.

This Schedule 3 will be regularly updated by the Company from time to time and shall be regularly reviewed by the DPO.


SCHEDULE 4: Purpose for which Data is Processed

The Company controls and processes Personal Data in an electronic format.

The Company shall obtain full and explicit consent from the Data Subject pursuant to paragraph 6 of the Policy for the control and processing of the Subject Data. The Company shall inform the Data Subject of the intention to securely deliver the Personal Data to a third party listed in Schedule 2 of this Policy. The Company shall also obtain consent in accordance with paragraph 6 of this Policy before any such Personal Data is transferred for the Purpose.

The Data Subject’s Personal Data must be sent to the Company by the Client in a pseudonymised format. The Company shall not accept, control or process any Personal Data which is not sent in a secure pseudonymised format.

The Company shall ensure that they have seen (either in physical hard copy form or electronic form) written explicit consent obtained by the Client from the Data Subjects, showing that the Client is duly authorised (by receiving this written consent) to process and control the Data Subject’s Personal Data.

Electronic Copies of Personal Data

Users of the Company’s Software register to the Software by providing Personal Data including their name, phone number and email address via the Company’s website or mobile application. Once User’s have submitted this Personal Data, the Company sends a welcome email to the User at the email address that they provided on registration. Once the Personal Data has been received, it shall be downloaded by the Company on to the Company’s computer systems and saved in a password protected and encrypted spreadsheet which is saved on a cloud based system, including but not limited to, MS SharePoint. All computers at the Company’s offices are password protected and may only be accessed by relevant personnel including employees of the Company. The Company does not keep a hard copy format of any Personal Data relating to the User.

In order to log in to the Software either via the mobile application or the website, Users must create a secure and safe password which they are required to input each time the User wishes to access the Software. The User is prompted that they must not share or disclose the password to any other person and must keep their log in details private at all times.

The Company shall ensure that it maintains effective computer anti- malware and anti- viral software to ensure the security of the Personal Data contained on its Company computer software. The company shall also ensure that it maintains effective cyber security insurance at all relevant times.

The Company does not process any data which is considered to be a high risk to the rights and freedoms of any User Data Subjects.

Recorded Telephone Calls

The Company may record calls for training and quality purposes. However, prior to recording any calls the Company has an operator system which requires the caller to provide their consent to the recording of the calls – the caller is also informed that the calls are recorded for training and quality purposes. This consent will be logged by the Company. If the caller selects an option which states that they do not consent to their calls being recorded, then the calls will not under any circumstances be recorded. If the caller selects the option to indicate that they do consent to the calls being recorded then we shall specify what the recording is used for i.e. training purposes and how long we will retain the recording for. The recordings will not be transferred to any third parties.

Technical Data Security Measures

  • All emails containing Personal Data must be encrypted;
  • All emails containing Personal Data must be marked ‘confidential’;
  • Personal Data may only be transmitted over secure networks;
  • Personal Data may not be transmitted over a wireless network if there is a reasonable wired alternative;
  • Personal Data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself and associated temporary files should be deleted;
  • Where personal Data is to be sent by facsimile transmission the recipient should be informed in advance and should be waiting to receive it;
  • Where Personal Data is to be transferred in hard-copy form, it should be passed directly to the recipient in accordance with this Policy;
  • All Personal Data transferred physically should be transferred in a suitable container marked “confidential”;
  • No Personal Data may be shared informally and if access is required to any Personal Data, such access should be formally requested from the DPO;
  • All hard-copies of Personal Data, along with any electronic copies stored on physical media should be stored securely;
  • No Personal Data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without authorisation;
  • Personal Data must be handled with care at all times and should not be left unattended or on view;
  • Computers used to view Personal Data must always be locked before being left unattended;
  • No Personal Data should be stored on any mobile device, whether such device belongs to the Company or otherwise without the formal written approval of the DPO and then strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
  • No Personal Data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the Company’s Data Protection Policy and the GDPR;
  • All Personal Data stored electronically should be backed up regularly with backups stored onsite. All backups should be encrypted;
  • All electronic copies of Personal Data should be stored securely using passwords and encryption;
  • All passwords used to protect Personal Data should be changed regularly and should must be secure;
  • Under no circumstances should any passwords be written down or shared. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
  • All software should be kept up-to-date. Security-related updates should be installed as soon as reasonably possible after becoming available;
  • No software may be installed on any Company-owned computer or device without approval; and
  • Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of the DPO to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.

Organisational Data Security Measures

The following organisational measures are in place within the Company to protect the security of personal data:

  • All employees and other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under the Company’s GDPR Policy;
  • Only employees and other parties working on behalf of the Company that need access to, and use of, personal data in order to perform their work shall have access to personal data held by the Company;
  • All employees and other parties working on behalf of the Company handling Personal Data will be appropriately trained to do so;
  • All employees and other parties working on behalf of the Company handling Personal Data will be appropriately supervised;
  • All employees and other parties working on behalf of the Company handling Personal Data should exercise care and caution when discussing any work relating to Personal Data at all times;
  • Methods of collecting, holding, and processing Personal Data shall be regularly evaluated and reviewed;
  • The performance of those employees and other parties working on behalf of the Company handling Personal Data shall be regularly evaluated and reviewed;
  • All employees and other parties working on behalf of the Company handling Personal Data will be bound by contract to comply with the GDPR and the Company’s GDPR Policy;
  • All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all relevant employees are held to the same conditions as those relevant employees of the Company arising out of the GDPR and the Company’s GDPR Policy;
  • Where any agent, contractor or other party working on behalf of the Company handling Personal Data fails in their obligations under the GDPR and/ or the Company GDPR Policy, that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

SCHEDULE 5: Data Retention Policy

Introduction

This schedule sets out the obligations of the Company regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

Aims and Objectives

The primary aim of this Schedule is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Schedule aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.

In addition to safeguarding the rights of data subjects under the GDPR, by ensuring that excessive amounts of data are not retained by the Company, this Schedule also aims to improve the speed and efficiency of managing data.

Data Disposal

Upon the expiry of the data retention periods set out in the table below of this Schedule, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:

  • Personal data stored electronically (including any and all backups thereof) shall be deleted securely;
  • Special category personal data stored electronically (including any and all backups thereof) shall be deleted securely;
  • Personal data stored in hard-copy form shall be shredded;
  • Special category personal data stored in hardcopy form shall be shredded.

Data Retention

  • As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.
  • Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.
  • When establishing and/or reviewing retention periods, the following shall be taken into account:
    • The objectives and requirements of the Company;
    • The type of personal data in question;
    • The purpose(s) for which the data in question is collected, held, and processed;
    • The Company’s legal basis for collecting, holding, and processing that data; and
    • The category or categories of data subject to whom the data relates.
  • If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
  • Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise).
  • In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.
Data Ref. Type of DataPurpose of DataReview PeriodRetention Period or CriteriaComments
Property Manager Information Name, Contact Details, Email, Bank Details Project Management NAIf there is no action on account for 6 months or more its deletedFor active, accounts data can be removed if the main contact Property Manager requests removal
Tenant InformationName, Contact Details, Email, Property Information, Employment History, Student Details, Housing Benefit Details, Guarantor Details, Next of Kin Details, Bank Details Project Management NATenant information is retained for the period the Property Manager account is activeFor active accounts data can be removed if the main contact Property Manager requests removal
Contractor Information Name, Contact Details, Email, Bank Details Project Management NA For a public account: if there is no action on account for 6 months or more its deleted. For a private account: for the period the Property Manager account is active For active accounts data can be removed if the main contact Property Manager requests removal
Owner Information Name, Contact Details, Email, Bank Details Project Management NA If there is no action on account for 6 months or more its deleted For active accounts data can be removed if the main contact Property Manager requests removal
Agent Information Name, Contact Details, Email Project Management NA Agent information is retained for the period the Property Manager account is active For active accounts data can be removed if the main contact Property Manager requests removal

Last Updated: 09/05/2018

Are You Looking For A Property?

FIND Property