Data and Privacy Policies

Please follow the links below to read our full data and privacy policy, website and cookies policy and data retention policy.

 
Website & Cookies Policy

MCM Estates and Lettings, version 24/04/2018

 
Data & privacy policy

MCM Estates and Lettings, version 25/05/2018

 
Data Retention Policy

MCM Estates and Lettings Version 24/04/2018

 
Privacy Notice for Tenants, Residents and Guarantors given by Landlord/Landlord’s Agent Your Information

MCM Estates and Lettings Version 22/05/2018

 

Website & Cookies Policy

MCM Estates and Lettings

Version 24/04/18

BACKGROUND:

MCM Estates & Lettings Ltd understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits this website, www.mcmestatesandlettings.com linked to www.mcmofjacksdale.co.uk (“Our Site”) and will only collect and use personal data in ways that are described here, and in a manner that is consistent with Our obligations and your rights under the law.

Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of Our Privacy Policy is deemed to occur upon your first use of Our Site. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.

1.            Definitions and Interpretation

In this Policy, the following terms shall have the following meanings: 

“personal data”

means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means personal data that you give to Us via Our Site. This definition shall, where applicable, incorporate the definitions provided in the Data Protection Act 1998 and EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”); and

“We/Us/Our”

means MCM Estates & Lettings Ltd, a limited company registered in England under company number 11144077, whose registered address is Lyndhurst, 1, Cranmer Street, Long Eaton, NG10 1NJ and whose main trading address is MCM Estates & Lettings, 25, Main Road, Jacksdale, Notts, NG16 5JU.

1.1         Our Site is owned and operated by MCM Estates & Lettings Ltd, a limited company registered in England under company number 11144077, whose registered address is Lyndhurst, 1, Cranmer Street, Long Eaton, NG10 1NJ and whose main trading address is MCM Estates & Lettings, 25, Main Road, Jacksdale, Notts, NG16 5JU.

1.2         Our VAT number is 285 9823 45.

1.3         Our Data Protection Officer is Mrs Carol Taylor-Cockayne, and can be contacted by email at mcmjd@care4free.net, by telephone on 01773 606195, or by post at MCM Estates & Lettings, 25, Main Road, Jacksdale, Notts, NG16 5JU.

1.4         We are regulated by The Property Ombudsman and HMRC Money Laundering Regulations and the Non-Resident Landlords Scheme.

1.5         We are members of the National Association of Estate Agents and the Association of Residential Lettings Agents, holding client money protection, professional indemnity insurance and are Propertymark Protected.

2.            What Does This Policy Cover?

This Privacy Policy applies only to your use of Our Site. Our Site may contain links to other websites. Please note that We have no control over how your data is collected, stored, or used by other websites and We advise you to check the privacy policies of any such websites before providing any data to them.

3.            Your Rights

3.1         As a data subject, you have the following rights under the GDPR, which this Policy and Our use of personal data have been designed to uphold:

3.1.1     The right to be informed about Our collection and use of personal data;

3.1.2     The right of access to the personal data We hold about you (see section 12);

3.1.3     The right to rectification if any personal data We hold about you is inaccurate or incomplete (please contact Us using the details in section 13);

3.1.4     The right to be forgotten – i.e. the right to ask Us to delete any personal data We hold about you (We only hold your personal data for a limited time, as explained in section 6 but if you would like Us to delete it sooner, please contact Us using the details in section 13);

3.1.5     The right to restrict (i.e. prevent) the processing of your personal data;

3.1.6     The right to data portability (obtaining a copy of your personal data to re-use with another service or organisation);

3.1.7     The right to object to Us using your personal data for particular purposes; and

3.1.8     Rights with respect to automated decision making and profiling.

3.2         If you have any cause for complaint about Our use of your personal data, please contact Us using the details provided in section 13 and We will do Our best to solve the problem for you. If We are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.

3.3         For further information about your rights, please contact the Information Commissioner’s Office or your local Citizens Advice Bureau.

4.            What Data Do We Collect?

Depending upon your use of Our Site, We may collect some or all of the following personal and non-personal data:

4.1         name; but only if you provide this by population of Our ‘Contact Us’ Form

4.2         contact information such as email addresses and telephone numbers including the nature of your enquiry as provided by you using Our ‘Contact Form’;

4.3         demographic information such as post code, preferences, and interests; IP Address, web browser type and version, operating system, a list of URLs starting with a referring site, your activity on Our Site, and the site you exit to, to monitor site visits in summary form only.

5.            How Do We Use Your Data?

5.1         All personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with Our obligations and safeguard your rights under the Data Protection Act 1998 and the GDPR at all times. For more details on security see section 7, below.

5.2         Our use of your personal data will always have a lawful basis, either because it is necessary for Our performance of a contract with you, because you have consented to Our use of your personal data (e.g. by subscribing to emails), or because it is in Our legitimate interests. Specifically, We may use your data for the following purposes:

5.2.1     Supplying Our products AND/OR services to you (please note that We require your personal data in order to enter into a contract with you);

5.2.2     Personalising and tailoring Our products AND/OR services for you;

5.2.3     Replying to emails from you;

5.2.4     Supplying you with emails that you have opted into (you may unsubscribe or opt-out at any time by emailing us to request unsubscribe);

5.2.5     Market research;

5.3         With your permission and/or where permitted by law, We may also use your data for marketing purposes which may include contacting you by email AND/OR telephone AND/OR text message AND/OR post with information, news, and offers on Our products AND/OR services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that We fully protect your rights and comply with Our obligations under the Data Protection Act 1998 OR GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

5.4         You have the right to withdraw your consent to Us using your personal data at any time, and to request that We delete it.

5.5         We do not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Should you enter into a contract with us we have a legal requirement to hold the data for 6 years since our last point of contact with you.

6.            How and Where Do We Store Your Data?

6.1         We only keep your personal data for as long as We need to in order to use it as described above in section 6, and/or for as long as We have your permission to keep it.

6.2         Your data will only be stored in the UK or within the European Economic Area (“the EEA”) (the EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein).

Data security is very important to Us, and to protect your data We have taken suitable measures to safeguard and secure data collected through Our Site.

6.3         Steps We take to secure and protect your data include:

6.3.1     Restricted access, pass-wording, virus checking software, physical security measures, alarmed premises.

7.            Do We Share Your Data?

7.1         We will not usually share any of your data with any third parties for any purposes, unless we need to do so to fulfil our contract with you and/or you have given specific positive consent.

7.2         In certain circumstances, We may be legally required to share certain data held by Us, which may include your personal data, for example, where We are involved in legal proceedings, where We are complying with legal obligations, a court order, or a governmental authority.

7.3         We may sometimes contract with third parties to supply products and services to you on Our behalf. These may include payment processing, delivery of goods, search engine facilities, advertising, and marketing. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, We will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, Our obligations, and the obligations of the third party under the law.

7.4         We may compile statistics about the use of Our Site including data on traffic, usage patterns, user numbers, sales, and other information. All such data will be anonymised and will not include any personally identifying data, or any anonymised data that can be combined with other data and used to identify you. We may from time to time share such data with third parties such as prospective investors, affiliates, partners, and advertisers. Data will only be shared and used within the bounds of the law.

7.5         The third party data processors used by Us and listed below are located within the European Economic Area (“the EEA”) (the EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein). Where We transfer any personal data outside the EEA, We will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under the Data Protection Act 1998 OR GDPR.

8.            What Happens If Our Business Changes Hands?

8.1         We may, from time to time, expand or reduce Our business and this may involve the sale and/or the transfer of control of all or part of Our business. Any personal data that you have provided will, where it is relevant to any part of Our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use that data only for the same purposes for which it was originally collected by Us.

8.2         In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes. When contacted you may or may not be given the choice to have your data deleted or withheld from the new owner or controller. This will be dependent upon our purpose for holding the data for legal or contractual purposes or whether the data was provided by positive consent.

9.            How Can You Control Your Data?

9.1         In addition to your rights under the GDPR, set out in section 4, when you submit personal data via Our Site, you may be given options to restrict Our use of your data. In particular, We aim to give you strong controls on Our use of your data for direct marketing purposes (including the ability to opt-out of receiving emails from Us which you may do by unsubscribing using the links provided in Our emails and at the point of providing your details).

9.2         You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (“the TPS”), the Corporate Telephone Preference Service (“the CTPS”), and the Mailing Preference Service (“the MPS”). These may help to prevent you receiving unsolicited marketing. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receiving.

10.         Your Right to Withhold Information

You may access certain areas of Our Site without providing any data at all. However, to use all features and functions available on Our Site you may be required to submit or allow for the collection of certain data.

11.         How Can You Access Your Data?

You have the right to ask for a copy of any of your personal data held by Us (where such data is held). Under the Data Protection Act 1998, We require the payment of a small fee which will not exceed £10.00 OR Under the GDPR, no fee is payable and We will provide any and all information in response to your request free of charge. Or for a charge of £10 in the case of onerous requests and for data already provided by us. Please contact Us for more details at mcmjd@care4free.net, or by using the contact details below in section 13.

12.         Contacting Us

If you have any questions about Our Site or this Privacy Policy, please contact Us by email at mcmjd@care4free.net, by telephone on 01773 606195, or by post at MCM Estates & Lettings, 25 Main Road, Jacksdale, Notts, NG16 5JU. Please ensure that your query is clear, particularly if it is a request for information about the data We hold about you.

13.         Changes to Our Privacy Policy

We may change this Privacy Policy from time to time (for example, if the law changes). Any changes will be immediately posted on Our Site and you will be deemed to have accepted the terms of the Privacy Policy on your first use of Our Site following the alterations. We recommend that you check this page regularly to keep up-to-date.


Data & Privacy Policy

MCM Estates and Lettings

Version 25/05/18

Data Retention Policy

1.        Introduction

This Policy sets out the obligations of MCM ESTATES & LETTINGS LTD, a company registered in the UNITED KINGDOM under number 11144077, whose registered office is at Lyndhurst, 1, Cranmer St, Long Eaton, NG10 1NJ (“the Company”) regarding data protection and the rights of our data subjects in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

2.            The Data Protection Principles

This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

2.1          Processed lawfully, fairly, and in a transparent manner in relation to the data subject.

2.2          Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

2.3          Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

2.4          Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.

2.5          Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.

2.6          Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

3.            The Rights of Data Subjects

The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):

3.1          The right to be informed (Part 12);

3.2          The right of access (Part 13);

3.3          The right to rectification (Part 14);

3.4          The right to erasure (also known as the ‘right to be forgotten’) (Part 15);

3.5          The right to restrict processing (Part 16);

3.6          The right to data portability (Part 17);

3.7          The right to object (Part 18); and

3.8          Rights with respect to automated decision-making and profiling (Parts 19 and 20).

4.            Lawful, Fair, and Transparent Data Processing

4.1          The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

4.1.1     The data subject has given consent to the processing of their personal data for one or more specific purposes;

4.1.2     The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;

4.1.3     The processing is necessary for compliance with a legal obligation to which the data controller is subject;

4.1.4     The processing is necessary to protect the vital interests of the data subject or of another natural person;

4.1.5     The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or

4.1.6     The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

4.2          If the personal data in question is “special category data” (also known as “sensitive personal data”) (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:

4.2.1     The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);

4.2.2     The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);

4.2.3     The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

4.2.4     The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;

4.2.5     The processing relates to personal data which is clearly made public by the data subject;

4.2.6     The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;

4.2.7     The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;

4.2.8     The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;

4.2.9     The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or

4.2.10  The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

5.            Specified, Explicit, and Legitimate Purposes

5.1          The Company collects and processes the personal data set out in Part 21 of this Policy. This includes:

5.1.1     Personal data collected directly from data subjects; and

5.1.2     Personal data obtained from third parties.

5.2          The Company only collects, processes, and holds personal data for the specific purposes set out in Part 21 of this Policy (or for other purposes expressly permitted by the GDPR).

5.3          Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 12 for more information on keeping data subjects informed.

6.            Adequate, Relevant, and Limited Data Processing

The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under Part 5, above, and as set out in Part 21, below.

7.            Accuracy of Data and Keeping Data Up-to-Date

7.1          The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject, as set out in Part 14, below.

7.2          The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

8.            Data Retention

8.1          The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.

8.2          When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

8.3          For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.

9.            Secure Processing

The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are provided in Parts 22 to 27 of this Policy.

10.         Accountability and Record-Keeping

10.1       The Company’s Data Protection Officer is Mrs Carol Taylor-Cockayne of MCM Estates & Lettings Ltd, 25, Main Road, Jacksdale, Notts, NG16 5JU.

10.2       The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.

10.3       The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

10.3.1  The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors;

10.3.2  The purposes for which the Company collects, holds, and processes personal data;

10.3.3  Details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;

10.3.4  Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;

10.3.5  Details of how long personal data will be retained by the Company (please refer to the Company’s Data Retention Policy); and

10.3.6  Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.

11.         Data Protection Impact Assessments

11.1       The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.

11.2       Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:

11.2.1  The type(s) of personal data that will be collected, held, and processed;

11.2.2  The purpose(s) for which personal data is to be used;

11.2.3  The Company’s objectives;

11.2.4  How personal data is to be used;

11.2.5  The parties (internal and/or external) who are to be consulted;

11.2.6  The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

11.2.7  Risks posed to data subjects;

11.2.8  Risks posed both within and to the Company; and

11.2.9  Proposed measures to minimise and handle identified risks.

12.         Keeping Data Subjects Informed

12.1       The Company shall provide the information set out in Part 12.2 to every data subject:

12.1.1  Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and

12.1.2  Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:

a)            if the personal data is used to communicate with the data subject, when the first communication is made; or

b)            if the personal data is to be transferred to another party, before that transfer is made; or

c)            as soon as reasonably possible and in any event not more than one month after the personal data is obtained.

12.2       The following information shall be provided:

12.2.1  Details of the Company including, but not limited to, the identity of its Data Protection Officer;

12.2.2  The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 21 of this Policy) and the legal basis justifying that collection and processing;

12.2.3  Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;

12.2.4  Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;

12.2.5  Where the personal data is to be transferred to one or more third parties, details of those parties;

12.2.6  Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 28 of this Policy for further details);

12.2.7  Details of data retention;

12.2.8  Details of the data subject’s rights under the GDPR;

12.2.9  Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;

12.2.10  Details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);

12.2.11  Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and

12.2.12  Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.

13.         Data Subject Access

13.1       Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.

13.2       Employees wishing to make a SAR should do so using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer, Mrs Carol Taylor-Cockayne of MCM Estates & Lettings Ltd, 25, Main Road, Jacksdale, Notts, NG16 5JU.

13.3       Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

13.4       All SARs received shall be handled by the Company’s Data Protection Officer.

13.5       The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

14.         Rectification of Personal Data

14.1       Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.

14.2       The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

14.3       In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

15.         Erasure of Personal Data

15.1       Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:

15.1.1  It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;

15.1.2  The data subject wishes to withdraw their consent to the Company holding and processing their personal data;

15.1.3  The data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);

15.1.4  The personal data has been processed unlawfully;

15.1.5  The personal data needs to be erased in order for the Company to comply with a particular legal obligation.

15.2       Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

15.3       In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

16.         Restriction of Personal Data Processing

16.1       Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.

16.2       In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

17.         Data Portability

17.1       The Company processes personal data using automated means.

17.2       Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).

17.3       To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in the following formats:

17.3.1  Hard copy photocopies or pdf scans;

17.3.2  Electronic statements or xls logs. Photographic images where available.

17.4       Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.

17.5       All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.

18.         Objections to Personal Data Processing

18.1       Data subjects have the right to object to the Company processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.

18.2       Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

18.3       Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.

18.4       Where a data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

19.         Automated Decision-Making

19.1       The Company does not use personal data in automated decision-making processes.

19.2       Where such decisions have a legal (or similarly significant) effect on data subjects, those data subjects have the right to challenge such decisions under the GDPR, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.

19.3       The right described in Part 19.2 does not apply in the following circumstances:

19.3.1  The decision is necessary for the entry into, or performance of, a contract between the Company and the data subject;

19.3.2  The decision is authorised by law; or

19.3.3  The data subject has given their explicit consent.

20.         Profiling

20.1       The Company does not use personal data for profiling purposes.

20.2       When personal data is used for profiling purposes, the following shall apply:

20.2.1  Clear information explaining the profiling shall be provided to data subjects, including the significance and likely consequences of the profiling;

20.2.2  Appropriate mathematical or statistical procedures shall be used;

20.2.3  Technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected; and

20.2.4  All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling (see Parts 22 to 26 of this Policy for more details on data security).

21.         Personal Data Collected, Held, and Processed

The following personal data is collected, held, and processed by the Company (for details of data retention, please refer to the Company’s Data Retention Policy):

For All Data Subjects:-

Title, Full Name, Home Address, Telephone/Mobile Numbers, Email address. Primary ID and Proof of Address.

In addition for Vendors:- Property to be Marketed Address, Proof of Property Ownership, Proof of Legal Right to act as Power of Attorney/Executor for another, Chain above details, Solicitors details. Property information relevant to the sale e.g. known boundary disputes, known property defects, supporting servicing or installation/building certificates, guarantees and permissions.

In addition for Purchasers:- Proof of Financial Ability to Proceed with Purchase. Mortgage in Principle. Proof of Deposit. Mortgage Lender/Brokers Contact Details. Chain below details. Estate Agency acting details.

In addition for Landlords:- Usual Place of Abode. Property to be rented address. Proof of Property Ownership. Proof of Legal Right to Act for another as Power of Attorney or Executor. Safety certificates e.g. PAT Testing, gas safes, electrical safety certificates.

In addition for Tenants:- Date of birth, Nationality, Work Visas and Right to Reside in the UK. Proof of bank account. Proof of earnings & employment. Rental references, previous landlords' details. Rent book or account.

Purposes:-

a. The processing is necessary for compliance with a LEGAL obligation, e.g. to observe the Estate Agents Act, The Right to Rent Act, Money Laundering Regulations, to observe the legal obligations of tenancy deposit registration and the codes of practice laid down by The Property Ombudsman, the NAEA and ARLA, to advise HMRC on request regarding a landlord's residency and information relating to rents collected.

b. The processing is necessary for the performance of a CONTRACT, e.g. to sell a property for a vendor, to let a property for a landlord, to advise landlords of essential safety information and new legislation applying to their duty of care as a landlord, to apply due diligence in the referencing of tenants, and to credit search and obtain references for tenants.

c. When we have the CONSENT of the data subject to subscribe to marketing information.

22.  Data Security - Transferring Personal Data and Communications

The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:

22.1       All emails containing personal data must be encrypted;

22.2       All emails containing personal data must be marked “confidential”;

22.3       Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;

22.4       Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;

22.5       Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;

22.6       Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;

22.7       Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using first class post. Sensitive documents such as ID will be hand delivered or sent ‘Signed For’.

22.8       All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.

23.  Data Security - Storage

The Company shall ensure that the following measures are taken with respect to the storage of personal data:

23.1       All electronic copies of personal data should be stored securely using passwords.

23.2       All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;

23.3       All personal data stored electronically should be backed up and stored securely;

23.4       No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the data protection officer and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and

23.5       No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).

24.  Data Security - Disposal

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.

25.  Data Security - Use of Personal Data

The Company shall ensure that the following measures are taken with respect to the use of personal data:

25.1       No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the data protection officer;

25.2       No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of the data protection officer;

25.3       Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;

25.4       If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and

25.5       Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of the data protection officer to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.

26.  Data Security - IT Security

The Company shall ensure that the following measures are taken with respect to IT and information security:

26.1       All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;

26.2       Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;

26.3       All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates as soon as the updates are made available by the publisher or manufacturer or as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and

26.4       No software may be installed on any Company-owned computer or device and no USBs or discs owned by third parties may be inserted in Company computers or devices without the prior approval of the data protection officer.

27.         Organisational Measures

The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

27.1       All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;

27.2       Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;

27.3       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;

27.4       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;

27.5       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;

27.6       Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;

27.7       All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy;

27.8       The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;

27.9       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;

27.10    All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and

27.11    Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

28.         Transferring Personal Data to a Country Outside the EEA

28.1       The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.

28.2       The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

28.2.1  The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;

28.2.2  The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;

28.2.3  The transfer is made with the informed consent of the relevant data subject(s);

28.2.4  The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);

28.2.5  The transfer is necessary for important public interest reasons;

28.2.6  The transfer is necessary for the conduct of legal claims;

28.2.7  The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or

28.2.8  The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

29.         Data Breach Notification

29.1       All personal data breaches must be reported immediately to the Company’s Data Protection Officer.

29.2       If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

29.3       In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.

29.4       Data breach notifications shall include the following information:

29.4.1  The categories and approximate number of data subjects concerned;

29.4.2  The categories and approximate number of personal data records concerned;

29.4.3  The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);

29.4.4  The likely consequences of the breach;

29.4.5  Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

30.         Implementation of Policy

This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

 

This Policy has been approved and authorised by:

Name:

Mrs Carol Taylor-Cockayne

Position:

Data Protection Officer

Date:

25th May 2018


Data & Privacy Policy

MCM Estates and Lettings

Version 25/05/18

Data Retention Policy

1.        Introduction

This Policy sets out the obligations of MCM ESTATES & LETTINGS LTD, a company registered in the UNITED KINGDOM under number 11144077, whose registered office is at Lyndhurst, 1, Cranmer St, Long Eaton, NG10 1NJ (“the Company”) regarding data protection and the rights of our data subjects in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

2.            The Data Protection Principles

This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

2.1          Processed lawfully, fairly, and in a transparent manner in relation to the data subject.

2.2          Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

2.3          Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

2.4          Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.

2.5          Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.

2.6          Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

3.            The Rights of Data Subjects

The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):

3.1          The right to be informed (Part 12);

3.2          The right of access (Part 13);

3.3          The right to rectification (Part 14);

3.4          The right to erasure (also known as the ‘right to be forgotten’) (Part 15);

3.5          The right to restrict processing (Part 16);

3.6          The right to data portability (Part 17);

3.7          The right to object (Part 18); and

3.8          Rights with respect to automated decision-making and profiling (Parts 19 and 20).

4.            Lawful, Fair, and Transparent Data Processing

4.1          The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:

4.1.1     The data subject has given consent to the processing of their personal data for one or more specific purposes;

4.1.2     The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;

4.1.3     The processing is necessary for compliance with a legal obligation to which the data controller is subject;

4.1.4     The processing is necessary to protect the vital interests of the data subject or of another natural person;

4.1.5     The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or

4.1.6     The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

4.2          If the personal data in question is “special category data” (also known as “sensitive personal data”) (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:

4.2.1     The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);

4.2.2     The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);

4.2.3     The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

4.2.4     The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;

4.2.5     The processing relates to personal data which is clearly made public by the data subject;

4.2.6     The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;

4.2.7     The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;

4.2.8     The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;

4.2.9     The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or

4.2.10  The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

5.            Specified, Explicit, and Legitimate Purposes

5.1          The Company collects and processes the personal data set out in Part 21 of this Policy. This includes:

5.1.1     Personal data collected directly from data subjects; and

5.1.2     Personal data obtained from third parties.

5.2          The Company only collects, processes, and holds personal data for the specific purposes set out in Part 21 of this Policy (or for other purposes expressly permitted by the GDPR).

5.3          Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 12 for more information on keeping data subjects informed.

6.            Adequate, Relevant, and Limited Data Processing

The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under Part 5, above, and as set out in Part 21, below.

7.            Accuracy of Data and Keeping Data Up-to-Date

7.1          The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject, as set out in Part 14, below.

7.2          The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

8.            Data Retention

8.1          The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.

8.2          When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

8.3          For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.

9.            Secure Processing

The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are provided in Parts 22 to 27 of this Policy.

10.         Accountability and Record-Keeping

10.1       The Company’s Data Protection Officer is Mrs Carol Taylor-Cockayne of MCM Estates & Lettings Ltd, 25, Main Road, Jacksdale, Notts, NG16 5JU.

10.2       The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.

10.3       The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:

10.3.1  The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors;

10.3.2  The purposes for which the Company collects, holds, and processes personal data;

10.3.3  Details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;

10.3.4  Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;

10.3.5  Details of how long personal data will be retained by the Company (please refer to the Company’s Data Retention Policy); and

10.3.6  Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.

11.         Data Protection Impact Assessments

11.1       The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.

11.2       Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:

11.2.1  The type(s) of personal data that will be collected, held, and processed;

11.2.2  The purpose(s) for which personal data is to be used;

11.2.3  The Company’s objectives;

11.2.4  How personal data is to be used;

11.2.5  The parties (internal and/or external) who are to be consulted;

11.2.6  The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;

11.2.7  Risks posed to data subjects;

11.2.8  Risks posed both within and to the Company; and

11.2.9  Proposed measures to minimise and handle identified risks.

12.         Keeping Data Subjects Informed

12.1       The Company shall provide the information set out in Part 12.2 to every data subject:

12.1.1  Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and

12.1.2  Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:

a)            if the personal data is used to communicate with the data subject, when the first communication is made; or

b)            if the personal data is to be transferred to another party, before that transfer is made; or

c)            as soon as reasonably possible and in any event not more than one month after the personal data is obtained.

12.2       The following information shall be provided:

12.2.1  Details of the Company including, but not limited to, the identity of its Data Protection Officer;

12.2.2  The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 21 of this Policy) and the legal basis justifying that collection and processing;

12.2.3  Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;

12.2.4  Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;

12.2.5  Where the personal data is to be transferred to one or more third parties, details of those parties;

12.2.6  Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 28 of this Policy for further details);

12.2.7  Details of data retention;

12.2.8  Details of the data subject’s rights under the GDPR;

12.2.9  Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;

12.2.10  Details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);

12.2.11  Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and

12.2.12  Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.

13.         Data Subject Access

13.1       Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.

13.2       Employees wishing to make a SAR should do so using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer, Mrs Carol Taylor-Cockayne of MCM Estates & Lettings Ltd, 25, Main Road, Jacksdale, Notts, NG16 5JU.

13.3       Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.

13.4       All SARs received shall be handled by the Company’s Data Protection Officer.

13.5       The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

14.         Rectification of Personal Data

14.1       Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.

14.2       The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

14.3       In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

15.         Erasure of Personal Data

15.1       Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:

15.1.1  It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;

15.1.2  The data subject wishes to withdraw their consent to the Company holding and processing their personal data;

15.1.3  The data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);

15.1.4  The personal data has been processed unlawfully;

15.1.5  The personal data needs to be erased in order for the Company to comply with a particular legal obligation.

15.2       Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.

15.3       In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

16.         Restriction of Personal Data Processing

16.1       Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.

16.2       In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

17.         Data Portability

17.1       The Company processes personal data using automated means.

17.2       Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).

17.3       To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in the following formats:

17.3.1  Hard copy photocopies or pdf scans;

17.3.2  Electronic statements or xls logs. Photographic images where available.

17.4       Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.

17.5       All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.

18.         Objections to Personal Data Processing

18.1       Data subjects have the right to object to the Company processing their personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.

18.2       Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

18.3       Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.

18.4       Where a data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.

19.         Automated Decision-Making

19.1       The Company does not use personal data in automated decision-making processes.

19.2       Where such decisions have a legal (or similarly significant) effect on data subjects, those data subjects have the right to challenge such decisions under the GDPR, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.

19.3       The right described in Part 19.2 does not apply in the following circumstances:

19.3.1  The decision is necessary for the entry into, or performance of, a contract between the Company and the data subject;

19.3.2  The decision is authorised by law; or

19.3.3  The data subject has given their explicit consent.

20.         Profiling

20.1       The Company does not use personal data for profiling purposes.

20.2       When personal data is used for profiling purposes, the following shall apply:

20.2.1  Clear information explaining the profiling shall be provided to data subjects, including the significance and likely consequences of the profiling;

20.2.2  Appropriate mathematical or statistical procedures shall be used;

20.2.3  Technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected; and

20.2.4  All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling (see Parts 22 to 26 of this Policy for more details on data security).

21.         Personal Data Collected, Held, and Processed

The following personal data is collected, held, and processed by the Company (for details of data retention, please refer to the Company’s Data Retention Policy):

For All Data Subjects:-

Title, Full Name, Home Address, Telephone/Mobile Numbers, Email address. Primary ID and Proof of Address.

In addition for Vendors:-  Property to be Marketed Address, Proof of Property Ownership, Proof of Legal Right to act as Power of Attorney/Executor for another, Chain above details, Solicitors details. Property information relevant to the sale, e.g. known boundary disputes, known property defects, supporting servicing or installation/building certificates, guarantees and permissions.

In addition for Purchasers:- Proof of Financial Ability to Proceed with Purchase. Mortgage in Principle. Proof of Deposit. Mortgage Lender/Brokers Contact Details. Chain below details. Estate Agency acting details.

In addition for Landlords:-  Usual Place of Abode. Property to be rented address. Proof of Property Ownership. Proof of Legal Right to Act for another as Power of Attorney or Executor. Safety certificates, e.g. PAT Testing, gas safes, electrical safety certificates.

In addition for Tenants:-  Date of birth, Nationality, Work Visas and Right to Reside in the UK. Proof of bank account. Proof of earnings & employment.  Rental references, previous landlords' details. Rent book or account.

Purposes:-

a. The processing is necessary for compliance with a LEGAL obligation, e.g. to observe the Estate Agents Act, The Right to Rent Act, Money Laundering Regulations, to observe the legal obligations of tenancy deposit registration and the codes of practice laid down by The Property Ombudsman, the NAEA and ARLA, to advise HMRC on request regarding a landlord's residency and information relating to rents collected.

b. The processing is necessary for the performance of a CONTRACT, e.g. to sell a property for a vendor, to let a property for a landlord, to advise landlords of essential safety information and new legislation applying to their duty of care as a landlord, to apply due diligence in the referencing of tenants, and to credit search and obtain references for tenants.

c. When we have the CONSENT of the data subject to subscribe to marketing information.

22.  Data Security - Transferring Personal Data and Communications

The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:

22.1       All emails containing personal data must be encrypted;

22.2       All emails containing personal data must be marked “confidential”;

22.3       Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;

22.4       Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;

22.5       Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;

22.6       Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;

22.7       Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent using first class post. Sensitive documents such as ID will be hand delivered or sent ‘Signed For’.

22.8       All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.

23.  Data Security - Storage

The Company shall ensure that the following measures are taken with respect to the storage of personal data:

23.1       All electronic copies of personal data should be stored securely using passwords.

23.2       All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;

23.3       All personal data stored electronically should be backed up and stored securely;

23.4       No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the data protection officer and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and

23.5       No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).

24.  Data Security - Disposal

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.

25.  Data Security - Use of Personal Data

The Company shall ensure that the following measures are taken with respect to the use of personal data:

25.1       No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the data protection officer;

25.2       No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of the data protection officer;

25.3       Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;

25.4       If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and

25.5       Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of the data protection officer to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.

26.  Data Security - IT Security

The Company shall ensure that the following measures are taken with respect to IT and information security:

26.1       All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;

26.2       Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;

26.3       All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates as soon as the updates are made available by the publisher or manufacturer or as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and

26.4       No software may be installed on any Company-owned computer or device and no USBs or discs owned by third parties may be inserted in Company computers or devices without the prior approval of the data protection officer.

27.         Organisational Measures

The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

27.1       All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;

27.2       Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;

27.3       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;

27.4       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;

27.5       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;

27.6       Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;

27.7       All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy;

27.8       The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;

27.9       All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;

27.10    All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and

27.11    Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

28.         Transferring Personal Data to a Country Outside the EEA

28.1       The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.

28.2       The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:

28.2.1  The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;

28.2.2  The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;

28.2.3  The transfer is made with the informed consent of the relevant data subject(s);

28.2.4  The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);

28.2.5  The transfer is necessary for important public interest reasons;

28.2.6  The transfer is necessary for the conduct of legal claims;

28.2.7  The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or

28.2.8  The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

29.         Data Breach Notification

29.1       All personal data breaches must be reported immediately to the Company’s Data Protection Officer.

29.2       If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

29.3       In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.

29.4       Data breach notifications shall include the following information:

29.4.1  The categories and approximate number of data subjects concerned;

29.4.2  The categories and approximate number of personal data records concerned;

29.4.3  The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);

29.4.4  The likely consequences of the breach;

29.4.5  Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

30.         Implementation of Policy

This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

 

This Policy has been approved and authorised by:

Name: Mrs Carol Taylor-Cockayne

Position: Data Protection Officer

Date: 25th May 2018


Privacy Notice for Tenants, Residents and Guarantors given by Landlord/Landlord’s Agent Your Information

MCM Estates and Lettings

Version 22/05/18

IMPORTANT

1.            When you complete the privacy notice you must fill in the boxes with the required information.

2.            Due to EU legal requirements the privacy notice is a lengthy document.  To help you, it can be distributed electronically, e.g. by an email attachment or a link to your website (if you operate one), or by handing over a hard copy if you prefer.

3.            The Residential Landlords Association Ltd (RLA) owns the copyright in this document.  It can only be used by an RLA member who may add to or change the privacy notice to meet their own requirements.

Data Controller

Name:  MCM Estates & Lettings Ltd (Agents)

Address of Landlord/Agent: 25, Main Road, Jacksdale, Notts, NG16 5JU

Telephone Number: 01773 606195 option 2

Email address: lettings@mcmestatesandlettings.com

www.mcmestatesandlettings.com

A company registered in England No. 11144077

Registered address, Lyndhurst, 1, Cranmer Street, Long Eaton, Nottingham, NG10 1NJ

What this Notice is about

This Privacy Notice tells you what information we obtain and hold about you, whether you are initially applying to us for a tenancy or if you become a tenant, resident or guarantor.  It explains what information we collect, why we collect it, and what we do with it, as well as who we share it with.  We collect and handle personal information about our tenants and residents and prospective tenants and residents along with any guarantors to enable us to provide residential accommodation.  This includes dealing with applications for tenancies, checking the suitability of tenants, residents along with any guarantors (including credit, immigration and similar referencing checks), arranging lettings, property management (including dealing with repairs), rent collection, dealing with any complaints, maintaining our accounts and records, tenancy terminations and administering tenancy deposits.

We call this information “your information”.  It is also referred to as “data”. 

Where this notice is given to more than one person it is given to each of you separately.

If there is no guarantor, please disregard any reference in this notice to guarantor or guarantee.

You should read this notice when you give us information so you are aware of how and why we are using this.  Please update us if any information supplied by you changes.

Why we are giving you this notice

We are required by data protection law to give you this notice.  We must be open with you about why information is collected about you and then what is done with it.  We must act fairly in relation to this information.  You have various legal rights relating to this information which are spelt out in more detail in this notice.   

If you are already a tenant, resident or guarantor some of the items in this notice may not be relevant to you.  Different information will be involved depending on whether you are a tenant, resident or guarantor.

In order that we can collect or use information about you there must be a legal basis or gateway for doing so.  This notice identifies the relevant gateway for the various types of information we collect and hold about you. A detailed explanation of these gateways is given in this notice. 

Under data protection legislation we can only process data “as necessary” and only to the extent that it is needed.  For example, we can use your bank details regarding payments and other limited purposes only.  However, in certain instances, as necessary, we can share any of your data, e.g. with our own professional advisers or letting and managing agents.  We may also share any of your data, as necessary, with the police/law enforcement agencies or regulatory authorities. 

References to a tenant in this notice also include a guarantor if there is one.  This is because a guarantor underwrites a tenant’s obligations so references to your tenancy are to include your guarantee.

The data we collect/hold about you

We use different ways to collect data about you including the information you supply to us when applying for a tenancy/residency.  If you fail to provide this information we may not be able to proceed. 

As necessary, personal data is processed by us (or by any letting/managing agent we retain) relating to tenants/prospective tenants/residents/prospective residents/guarantors consisting of the following as applicable: -

·         Identity and contact details including car registration

·         Personal/background information including occupation/status

·         Bank details

·         Verification and credit status

·         Deposit (if any) including return on tenancy termination

·         Tenancy details including renewals, joint tenants, other residents and guarantors

·         Immigration/right to rent checks (England only)

·         Rent and other payments

·         Recovery of arrears, claims or possession proceedings

·         Repairs/health and safety/housing conditions

·         Breach of tenancy terms/nuisance/anti-social behaviour

·         Council Tax liability

·         Water charges payable

·         Utilities and services provided

·         Welfare Benefits

·         Termination of tenancy

·         Audio and CCTV recordings (if any)

·         Complaints

·         Insurance

·         Health or disability

·         Emails, texts and other communications and via our website where we operate one.

·         Website and online portal information.

We also generate and use data internally, e.g. our rent records.

We also collect and receive data about you from third parties.  This may be information given to us by other tenants or residents or neighbours.  It can include information from a guarantor where there is a guarantor for your tenancy or from a joint tenant or other residents.  Public bodies such as local authorities or the police, or other law enforcement agencies may give us information about you.  This can include the Department for Work and Pensions or the local authority where you are receiving Universal Credit or housing benefit.  Information may be given to us relevant to Council Tax by the local authority.  Utility companies or service providers may also give us personal information about you.  Where the property is let or managed on our behalf by an agent the agent will supply us with information about you.  We obtain information about you when we carry out credit checks or take up references.  We may also receive information from you via websites or from online rental portals such as Openrent, Gumtree or Rightmove.  Any information which we receive in this way is set out in the Table to this privacy notice which gives you more details about information which we can receive from third parties.

Sharing data with others

We will share information we hold with others, where this is necessary.  When we do this, we must comply with data protection legislation.  Information can be shared with other landlords including where you apply to another landlord for a tenancy; contractors/suppliers; utilities and service providers; tradespeople; financial organisations (including banks and insurance companies); debt collection and tracing agents; public and government bodies (including those who administer benefits, such as the Department for Work and Pensions or the local authority); courts; police and law enforcement agencies; taxation authorities; local authorities in relation to Council Tax and regulatory functions; letting and managing agents; and any future owner of the property. We may need to share information with your next of kin etc., e.g. in an emergency.  It may be necessary for us to share information with a future owner of the property if we are selling.  We also may share information with professional advisers such as lawyers and accountants or an advice agency which involves sharing information about you with them.  If you live in a flat we give information to the freeholder, managing agent etc., for the block of flats.  We also send notifications to and have correspondence with any tenancy deposit scheme protecting any tenancy deposit which has been paid. In some cases, we may be under a legal obligation to provide information either because of the law or because of a contractual obligation binding on us.  What we share will depend on what is necessary in the circumstances and more details are given in the Table in respect of different kinds of information which we hold about you.

Joint tenants and guarantors

Where you have a tenancy jointly with someone else or there is a guarantor for your tenancy, as necessary, we will share information either with the joint tenant or the guarantor (or both).  This relates to your performance of your responsibilities under the tenancy agreement including information about any rent arrears or other breach of the tenancy terms.  It can also relate to issues around the termination of the tenancy and any claims we may have as a result. 

Immigration/right to rent checks

By law, in England, we are required to check your immigration status before we rent a property to you.  This means that you are legally obliged to produce certain documentation (e.g. a passport or driving licence) to us.  This applies whether or not you are a UK or EU citizen.  Not only are we required to see original documentation but we must take and keep copies of it.  We also check this documentation as part of our process to verify your identity at the outset of the tenancy.  Prospective tenants and all adult residents who will live at the property must be checked. 

Search engines, websites, etc

As necessary, we obtain information about you which is publicly available via search engines such as Google or Facebook and websites.  This will include information about you which you yourself made public.  Further details are set out in the Table.  However, when doing so we make sure that we comply with applicable guidelines under data protection legislation.

Special categories of data/sensitive personal data

In limited situations we will process information about your health or any disability.  This data is given special protection under data protection law.  Normally we would expect to ask you for your explicit consent before we collect or use this kind of data. 

Children

In cases where you rent a property where a child resides, information will be given to us about resident children; usually by an adult such as a parent on their behalf.  Data protection law requires us to give such information additional protection where we collect or use it.  In particular, where the rented property is located in England, we need to check on the age of any residents to see whether or not an immigration/right to rent check must be carried out.

Obligation to process data

Private renting is highly regulated so we are under various legal obligations.  These include an obligation to carry out gas safety checks under gas safety legislation.  We may need to handle data for this purpose, e.g. to give the contracted gas safety engineer access to the property.  If the property is located within the area served by Welsh Water then we are legally obliged to pass over details of your occupancy of the property to enable them to collect water charges.  In other areas, in line with Information Commissioner advice, we will pass over details of your occupancy to the relevant Water Company to enable them to collect water charges as it is in their legitimate interests to receive this information. 

Legally we must also hold and process information relating to any tenancy deposit which you pay to us including sharing your information with a deposit scheme by which any deposit is protected. 

Under any statutory licensing schemes applicable to the property we may be required to give information to the local housing authority relating to your occupation of the property.  Similarly, there are various regulatory requirements which may mean that we need to give information about you to public or local authorities or other regulatory authorities. 

Utilities

Again, in line with advice from the Information Commissioner we consider that it is in the legitimate interests of utility companies to receive information about occupants of the property to enable them to bill you for utilities (unless these are included within your rent).

Council Tax

Likewise, we notify local authorities of your occupancy relevant to the collection of Council Tax.  In any event they are entitled to serve notice upon us requiring this information if they choose to do so.

Why we collect data and the legal basis for processing your personal data

We must tell you why we collect and hold information about you.

We must also have a legal basis before we are allowed to collect or process your personal data.  Processing personal data includes recording, storing, altering, using, sharing or deleting data.  We only need one of these “gateways” and for our purposes they are –

·         You consent.  Consent may be requested in certain cases, e.g. to obtain a reference but generally we do not rely on your consent to process your personal data.

·         To perform our contract so that we can carry out our responsibilities under the tenancy agreement with you, including anything you request us to do with a view to you becoming a tenant (or resident).

·         Compliance by us with a statutory or other legal obligation.

·         Where this is in your vital interests, e.g. if there is a life-threatening situation.

·         Where we are pursuing our own legitimate interests or those of a third party.  This will not apply if our interests are overridden by your interests or your fundamental rights and freedoms.  We must carry out a balancing exercise therefore to decide whether we can rely on this gateway to ensure that it applies.  In each case we have done this and we do not consider your interests, rights or freedoms outweigh our own or those of the third party concerned. 

This notice identifies the relevant gateway applicable in each case.  In some cases, we will rely on more than one gateway depending on the particular purpose for which we are using your data.

Additionally, any data must be processed by us fairly and openly. 

Why we process your data

The various purposes for which it may be necessary for us to process various categories of your information include: -

·         In our legitimate interests for deciding on the suitability of a proposed tenant/resident

·         In our legitimate interests for verifying the credit worthiness/suitability of tenants/residents

·         Our legal obligation to check immigration status/right to rent.  This is also to verify identities.

·         To perform our tenancy contract to deal with joint tenants and residents who are linked to the tenancy

·         To perform our contract to complete the tenancy agreement

·         In our legitimate interests to secure rental payments/performance of tenant obligations, e.g. deposits and guarantors

·         For contractual performance for rent collection and collection of other payments including banking details

·         For contractual performance for managing the tenancy and the property

·         For contractual performance and/or in our legitimate interests for record keeping

·         For contractual performance for arranging repairs and maintaining the condition of the property and keeping it in a safe condition.

·         For contractual performance for monitoring and enforcement of tenant responsibilities

·         For contractual performance or in our legitimate interests for recovering debts and other payments due, including any possession proceedings

·         In our legitimate interests for administering liability for Council Tax

·         Our legal obligation (in the Welsh Water area) or otherwise in our legitimate interests and those of the Water company for the payment of water charges

·         In our legitimate interests and those of the provider relating to arranging and paying for utilities and services

·         In our legitimate interests for dealing with welfare benefits (including Universal Credit and housing benefit) where payable in respect of the rent

·         In our legitimate interests in relation to tenancy termination including the return of any deposit

·         In our legitimate interests for processing complaints

·         For contractual performance or in our legitimate interests for dealing with health and disability issues relating to tenants/residents

·         In our legitimate interests for obtaining and holding audio and CCTV recordings

·         To perform our legal obligations to provide information to public or local authorities who are legally entitled to require this information

·         In your vital interests for contacting next of kin etc., in an emergency

·         In our legitimate interests for the storage of emails, records of calls and other communications

·         In accordance with our legal obligations if you exercise your rights under data protection law

·         To perform our legal obligations for compliance with legal and regulatory requirements

·         In our legitimate interests for the establishment and defence of legal rights

·         In our legitimate interests for prevention, detection and investigation of crime and anti-social behaviour and the security of any website or other means of electronic communication

We may change the purposes where this is compatible with the purpose for which we obtained the data originally.  If we need to use your data for a non-compatible purpose we will notify you and explain the legal gateway that allows us to do so.  We may process your information without your knowledge where this is required or permitted by law.

More information about what we do with data and why, along with the relevant legal gateway is given in the Table.  This also tells you who we share data with and receive it from. 

Retaining Communications

We will monitor, record and retain your calls, emails, text messages, social media messages and other communications.  This is in our legitimate interests to maintain an accurate record of these.  This may be necessary to manage your tenancy or the property or to deal with your application for a tenancy or to deal with tenants/residents or prospective tenants/residents/guarantors.  We need these records for our ongoing dealings with you, including our data protection obligations.

Length of storage of data

Data can only be stored on a time limited basis and not indefinitely.  We will hold personal data about you for the duration of your tenancy and for seven years after your tenancy has ended.  This is the statutory limitation period of six years plus a further year to allow for service of proceedings should proceedings commence later.  We are also required to retain information for up to six years for tax purposes.  If your tenancy application does not go ahead then we retain data for one year.

Storage and security of data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.  They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

All our information is stored securely electronically on servers or devices.  Certain information is also retained on a secure basis in hard copy format. 

Telephone calls

To protect our legitimate interests telephone conversations may be recorded electronically for monitoring and to ensure that we have a record of what is said.  You or others may leave messages when calling.

CCTV

When we install CCTV, this is for security purposes in cases where we consider that it is in our legitimate interests to carry out such monitoring which must be done in accordance with legal requirements.  We may also use CCTV to detect breaches of the tenancy terms, e.g. in the common parts or outside the building.   Recordings will be kept for these purposes.

Information legally required under your tenancy agreement

Your tenancy agreement provides that in certain situations you must give us information when asked.  This is a legal obligation because it is a contractual requirement.  You should refer to the relevant clauses in your tenancy agreement which tell you the situations in which such information must be given.

Holding data outside the European Union

Our email account and web provider (if any) is the provider specified in the Table.  Our email account is web based.  Providers store related data internationally and not necessarily within the European Union.  The recipient of this data is the provider concerned.  You need to refer to the provider concerned to determine if they have the required clearance (adequacy decision) from the EU authorities or whether or not, instead, there is an agreement containing appropriate and suitable safeguards and to obtain a copy of this agreement. 

Your rights

Where we hold personal data about you, you are the data subject.  Data protection legislation gives you a number of rights.  To exercise any of these rights you should contact us.  You can do so by email at the address given above or you can telephone us on the number given above.  You can also write to us at our address given at the top of this notice.   Normally no fee is payable. 

In particular you have a right to object to the processing of your information where we are processing this in our own legitimate interests or those of someone else.  This applies if you feel that this impacts on your own interests or your fundamental rights or freedoms. 

These rights are as follows –

·         Access – you have the right to make a request to be told what personal data we hold about you. This is a right to obtain confirmation that data has been processed and to have access to your personal data and the right to information details which should be provided with the privacy notice.

·         Correction/Rectification – if you consider any data we hold about you is inaccurate you can tell us so that where appropriate this can be corrected.  Where a mistake is made in data processing then you can ask to have it rectified.  Any third parties who have received the data from us should then be told of the rectification and you should be informed by us of any such third parties.   

·         Erasure – you have a right to ask us in certain circumstances to erase any data we hold about you (the so called right to be forgotten). Individuals can request the right to have personal data erased to prevent processing in specific circumstances, i.e. it is no longer necessary, consent has been withdrawn, there is an objection and where applicable your rights etc., override the legitimate interests to continue our processing, or data has been unlawfully processed.

·         You can object to our processing of data – this allows you to object to our processing of data about you.  We must then stop processing data unless we can establish legitimate reason for continuing.  In particular this applies where we are relying on our own legitimate interests or those of a third party to process data but it can also apply in other situations.

·         Restricting processing – you can ask us to suspend processing of your personal data and we must then restrict processing of data.  This includes where you are contesting the accuracy of a statement or the lawfulness of the processing.

·         Data portability – this allows individuals to reuse their personal data for their own purposes across different services allowing them to move, copy or transfer personal data more easily.

Withdrawal of consent

Where your consent provides us with the legal gateway to process data about you, you can withdraw this at any time by telling us by email or post using the telephone/addresses given above.

Complaints

We operate our own internal complaints policy and if you have any concerns about the way in which we collect or handle data please contact us.

Additionally, you have the right to lodge a complaint with the Supervisory Authority who is –

Information Commissioner
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

www.ico.org.uk

TABLE

Introduction

About this Table

As necessary, we collect, use and otherwise process different categories of information (data) about you relying on the various legal gateways available to us.  This relates to your application for a tenancy/residency and, if this goes ahead, so that we can manage the tenancy and the property along with associated matters.   This part of this notice gives you a general description of these processing activities for the different categories of information and the purposes for which we process your information.  If you consider that we have not given sufficient details of what we do then you can make an access request for more information.

Background

Renting out residential accommodation and managing tenancies and rental properties is multi-faceted.  As tenants and residents are at the centre of this service, we must process your data for a large number of different purposes.  Data protection law requires us to give you information about these processing activities as concisely as possible.  To do so we have split information about you into different categories, which is in line with requirements in the legislation.  We also have to tell you the extent to which your information can be used and shared.  Due to the nature of our business information falling into one category will be combined with information in other categories to be handled by us as permitted for the stated purposes under the relevant legal gateway which we have to identify.  For example, information about your identity/contact details will be combined with other categories of information to correctly identify you, e.g. when we compile our accounts or pass information about a repair over to a contractor so that they can deal with the problem at the property you rent.  However, we only do this to the extent that it is necessary in the circumstances.

Expressions used

To make this Table as concise as possible we employ a number of expressions –

Handle information – collecting, compiling, using or storing information (data).

Use information – when we use information this means we consult it, compile it, refer to it to make a decision, or act on it, or combine it with other data.  When using it in this way we may have to alter it. 

Share data – this includes transferring data to someone else where this is necessary, or receiving it from a third party.

Collect data – this is where we receive information either from you, e.g. when you sign a tenancy application form or from a third party, e.g. a reference about you.

Compile data – this is where we use information about you which we have collected to generate information about you, e.g. our rent payment records or repair records.

Next of kin etc. – this includes close relatives.

Altering Data

We are required by data protection legislation to keep your information up to date and it is of course in our own legitimate interests to do so for us to ensure that we have accurate records.  For example, we keep our record of your rent payments up to date as they are received. 

Storing Data

We keep information both electronically and in a manual filing system to maintain our records.  We do this because we need to use it from time to time.  Normally the legal gateway permitting us to do so will be the same as the one that applies when we use the data.  Additionally, however, there are legal obligations to retain data under data protection law, taxation legislation and housing law.  We also need to do so to fulfil our contract with you.  In our own legitimate interests, we also need to retain information to deal with enquiries or disputes and for audit purposes.

Destruction of Data

We delete/destroy data once it is no longer needed.  This is a requirement of data protection law.  This notice tells you the period for which we normally store data. 

What this Table tells you

Information is handled as necessary from time to time.  As already stated, information falling under one category can be amalgamated with or added to information in another category in order to carry out the stated purposes. 

Part 1 of this Table tells you, depending on the relevant category of your information, what our processing activities are and what is the legal gateway permitting processing as well as the purpose for which we carry out these processing activities.

Where the legal gateway in question is our own legitimate interests (or those of a third party) we identify the relevant legitimate interests. 

Details about sharing data are set out in Part 2, whether we transfer it to someone else or receive it from a third party.

Part 1 – Collecting, compiling, using and storing your information

In this Part we list out the different categories of your information, briefly explain them where needed, explain what we do with the information and why, as well as specifying the relevant legal gateway we rely on to do so.

We use the word “handle” to cover collecting, compiling, using or storing this information. 

Identity and contact details

  1. This includes name, contact details, date of birth and national insurance number.
  2. We handle this information in order to enter into the tenancy agreement and subsequently to manage the tenancy and the property.  This is done to perform the contract.

Personal and background information

  1. This includes details of the tenant’s present residence and their current landlord (if any), current occupation and status, employed, student etc., employer or educational institution, state benefits received, details of other residents, any bankruptcy or county court judgments, next of kin etc., pets and any photographs of yourself.
  2. This information is handled to evaluate your suitability as a tenant.  This is done for our own legitimate interests.  These are to ensure that any let is to reliable tenants and residents with suitable guarantors where applicable.
  3. We also handle this information which relates to next of kin etc., to contact them in the event of an emergency.  This is to protect your vital interests.
  4. This information will also be handled if we need to trace you to contact you in connection with the tenancy or the property or to pursue a claim against you, e.g. for rent arrears.  This is in our own legitimate interests.  These are to enforce your obligations, deal with property left behind at the property or to recover property. 

Bank details

  1. This includes details of your bank, building society or other paying organisation, including those operating digitally/online.
  2. We handle this information in order to receive payments from you or on occasion to make payments to you.  This is done to perform our contract. 
  3. We also handle this information if we seek to make recovery from you of unpaid debt.  This is in our own legitimate interests.   These are to recover what is due to us.
  4. We also handle this information as part of our verification of your suitability as a tenant, including to protect against money laundering.  This is in our own legitimate interests to ensure that we let to suitable tenants/residents and do not receive proceeds of crime. 

Tenancy details

  1. This includes renewals of the tenancy.  Information within this category includes the address of the property, start date for the tenancy, period of occupancy, rent and other payments.
  2. We handle this information to prepare and complete the tenancy agreement and then to manage the tenancy and the property.  This is done to perform our contract.
  3. Tenancies are renewed by agreement.  This will involve a request from you.  We handle information about the renewal of tenancies.  This is done for contractual performance.
  4. Where you are a joint tenant or there are residents living with you details of any other joint tenant or resident are linked with the tenancy/property.
  5. We handle this information to prepare and complete the tenancy agreement and thereafter to manage the tenancy and the property.  This is done so that we can form a contract.
  6. Where there is a guarantee, e.g. from a parent, we collect information about the identity and contact details of the guarantor, background information about the guarantor and details of property owned.  This is then linked to your tenancy and the property. 
  7. We handle this information to protect our own legitimate interests.  This is to provide security for the payment of the rent and to ensure compliance with tenancy obligations.  

Deposits (if any)

  1. This includes the amount of a deposit, who pays it and in what shares and the steps taken to protect the deposit. 
  2. We handle this information to deal with the deposit received and to administer the deposit.  This includes handling information about persons who contribute towards the deposit who are not a tenant.  This is done both for contractual performance and to ensure compliance with legal obligations relating to handling deposits under the Deposit Protection Legislation.   This is to secure payment of the rent and compliance with tenancy obligations.
  3. We also handle deposits at tenancy termination and this is dealt with under that section. 

Immigration/right to rent checks (England only)/verifying tenant’s identity

  1. Under immigration legislation we check that each tenant and adult resident in the property has the right to rent.  This includes retaining copies of passports, driving licences and other specified documentation.  We must retain this for inspection if required by the Home Office.
  2. We handle this information in accordance with the requirements of immigration legislation in order to carry out our legal obligations.
  3. We also handle this information in order to verify the identity of tenants and residents along with guarantors in order to protect our legitimate interests.  These are to ensure that we are dealing with the correct person.  This is done in Wales as well as in England for this purpose.

Rent and payment collection

  1. This includes records we compile to record receipt of rent and other payments from you and associated documentation relating to such payments.  This also includes any documentation where we need to issue reminders for payment, including levying charges for interest or fees for late payment.
  2. We keep this information in order to compile correct and up to date records.  This is done for contract performance.

Recovery of arrears, claims and possession proceedings

  1. In the event of non-payment of rent or other payments due, or if there is non-performance of the contract (including allegations against ourselves) then we record this and enter into relevant communications.  This includes information and documentation related to any proceedings which may be commenced or brought against us in relation to these matters, including proceedings to recover possession of the property.
  2. We handle this information in order to pursue recovery of what is owing to us and to enforce our rights, to defend claims, and to recover possession of the property.  This is done in our own legitimate interests.  These are to protect our property interests, to enforce our rights and to ensure payment due to us is made, as well as to defend any claims brought against us.

Repairs/housing standards/health and safety

  1. This includes condition surveys, inspection reports, reports of repairs required and information about actions taken.  This extends to conditions and standards generally at the property including health and safety, e.g. gas safety. 
  2. We handle this information to ensure that the property and its contents are properly maintained.  This is done both for the purposes of contractual performance and, where applicable, to comply with our legal obligations.

Breach of tenancy agreement/nuisance etc.

  1. This includes complaints which we receive or information which we hold relating to alleged breaches by a tenant or resident (which could include a child) including nuisance and anti-social behaviour.  This includes records and related communications.  This includes complaints about these matters made by neighbours or other tenants or residents.
  2. We handle this information so as to ensure that tenancy obligations are complied with and that tenants and residents live harmoniously with neighbours.   This is to protect our own legitimate interests and the legitimate interests of affected third parties.  These legitimate interests are ensuring the tenancy obligations are complied with as well as the prevention and detection of crime and anti-social behaviour. 
  3. We also handle this information under a legal obligation where there is a selective licensing area in force or where the property is a licensed house in multiple occupation (HMO) or under the licensing scheme operating in Wales.

Council Tax liability

  1. Notification is given to the local authority in relation to tenant/resident liability for Council Tax.  This can include information about the period of occupancy as well as former and subsequent addresses.
  2. We handle this information in order to ensure that the liability for Council Tax is dealt with correctly.  This is done to protect our own legitimate interests and those of the local authority.  These are for the correct billing and collection of Council Tax and to ensure that we do not have to meet Council Tax liability ourselves where this is not appropriate. 
  3. In the event of the local authority serving a statutory notice, we must then supply this information to comply with our legal obligations.
  4. Where appropriate the tenant may be entitled to a reduction in Council Tax (formerly called Council Tax benefit).  Information is handled relevant to claims made by tenants.  This is in the interests of the local authority administering the scheme to see that benefits are properly calculated and paid. 

Water charge payments

  1. This relates to notification to a water company of the tenants/residents who are living at the property and their periods of occupancy, and it can include previous and subsequent addresses.  It also relates to communications between ourselves and the water company concerned.
  2. In the area covered by Welsh Water this information is handled pursuant to a legal obligation. 
  3. Outside the Welsh Water area we handle this information to establish liability for water charges in our own legitimate interests and those of the water company concerned.  This is to ensure that legal liability for payment of water charges is correctly established and discharged.

Utilities and other service providers

  1. We arrange and establish liability for payment of gas and electricity consumed at the property and any services which are provided, e.g. broadband or cable TV.  These services may be provided as a requirement under the tenancy agreement.  It includes communications about changes of tenants, interruptions and disconnection of supply and work to be carried out in connection with utilities and services such as the installation of smart meters/replacement meters.
  2. We handle this information in order to arrange provision of utilities and services and ensure that the correct liability for relevant charges is established and that these are paid for.  This is done in our own legitimate interests and those of the utility company/provider concerned.  These are to ensure utilities and services are provided and that liabilities are paid.
  3. We also handle this information in order to deal with breakdowns, interruptions and disconnections and to ensure that the appropriate quality of service is provided.  This is done in our own legitimate interests.  These are to ensure that requisite utilities and services are available and are provided at the property.

Universal Credit/Housing Benefit/Local Housing Allowances

  1. Where eligible a tenant will be entitled to the appropriate welfare benefits to assist them to pay rent.  Information may be required by the Department for Work and Pensions (DWP) or local authority to verify entitlement.  Normally, payment of benefit is made direct to the tenant; however, if the tenant is vulnerable or there are arrears, payment of benefit can be made direct to us.  This extends to Council Tax reductions (the old Council Tax benefit).
  2. We handle tenancy details and rent payment records, including information about arrears of rent, and the tenant’s personal circumstances, relevant to the processing of claims and the administration of benefits.  This is done for contractual performance.  It is also carried out in our own legitimate interests to secure payment of rent due to us.
  3. We handle information relevant to applications for benefit and in particular applications for direct payment to ourselves including reasons for non-payment of rent.  This is for contractual performance.
  4. On occasion where direct payment has been made to us there may be claims by the benefit authority for recovery of overpayments.  We handle information relevant to such claims.  This is done for our own legitimate interests.  These are to ensure that we can collect and retain rent due to us.

Tenancy termination

  1. A tenancy may run out and the tenant leaves.  Tenants can leave early while the tenancy is still running on.  We may serve notice requiring the tenant to vacate and, if need be, enforce this by court possession proceedings.
  2. Tenancy terminations of whatever kind also involve the return of any deposit paid, possible claims against guarantors, claims on rent insurance or property insurance, arrangements for tenants/residents to vacate the property, and tenants’/residents’ property being left behind.  They also give rise to issues around the state and condition in which the property has been left, e.g. cleanliness.
  3. We handle information relevant to these matters concerning tenancy termination.  This is done in our own legitimate interests.  These are to ensure that the property is returned to us in a proper state with vacant possession and that all appropriate financial claims by either party against the other are correctly dealt with.  These include our obligations in relation to the refund of deposits, to comply with our contractual obligations between us and the tenancy deposit scheme with whom the deposit is protected.

Complaints

  1. We operate a complaints procedure which may be informal.  Although we will do all we can, unfortunately things sometimes go wrong, so complaints may arise.
  2. Information handled concerns complaints which you may make or which may be made on your behalf.   These will give rise to communications and records being compiled by us. 
  3. We handle complaints with a view to resolving these, although this might involve external intervention, e.g. by the courts. 
  4. We handle complaints for contract performance.  This is also done in our own legitimate interests.  These are to protect ourselves against claims and to ensure that the complaints are properly resolved.  

Health/disability

  1. Importantly, this is sensitive personal information to which additional protections apply.  We may be given information about your health (whether mental or physical) or disabilities.   
  2. Health information may be given to us to explain your absence from the property or as a reason why rent has not been paid.  You may wish us to have information about your health so that we are aware of how you may need assistance on occasion.   This could also be information about health or disabilities affecting someone else which impacts on you.
  3. We may be given information about your disabilities so that we can make particular arrangements for you, including any adaptations which we may be required to make under disability discrimination legislation.
  4. We handle information about your health or disability, and the health of others, depending upon the circumstances, to assist us in the management of the tenancy and the property.  This may be to protect your vital interests.  It may alternatively be for contractual performance where it affects your ability to perform your contractual obligations under the tenancy agreement.  It will be in our own legitimate interests if we are told of any medical condition which affects you.  This is so we are aware of possible impacts on you.
  5. With regard to information concerning any disability, we handle this information to assist in the management of the tenancy and the property.  This may also be under a legal obligation where we are obliged by law to make provision to deal with your disability.
  6. In addition, as this is special category data, additional legal requirements are imposed upon us about your health and/or disability and we may request your consent to handle this information.

CCTV and Audio

  1. If we operate CCTV you will be given information about this.  We may operate CCTV to cover common parts or the exterior of the premises.
  2. We may also hold audio recordings, e.g. messages from you on telephone answering machine or mobile phone.
  3. Where CCTV is operated this is for the safety and security of the premises in question and for the prevention and detection of crime and anti-social behaviour, as well as monitoring tenancy obligations.  This is done in our own legitimate interests.  These include the protection of our property and ensuring compliance with tenancy obligations as well as the safety and security of tenants, residents and neighbours.
  4. We handle audio recordings to assist with accurate record keeping.  This is done for contract performance or in our own legitimate interests.  These are to ensure that we have reliable records of communications. 

Correspondence etc

  1. Correspondence includes all ways in which we receive communications from whatever source.  This includes emails, text messages, social messaging and messages, letters and documentation.  This can include photographs and other visual recordings.
  2. We handle these communications initially relating to entering into the tenancy agreement and then for the management of the tenancy and the property, as well as associated matters arising under the various categories of information referred to in this Table.  This is done for contractual performance where applicable, to carry out any applicable legal obligations imposed on us, to protect your vital interests, or in our legitimate interests.  These legitimate interests are to ensure that we have the necessary information relating to these matters and for accurate record keeping.

Websites and online platforms

  1. Information about you is available in the public domain, often put there by you.  This can be accessed by appropriate searches which allow for access to the websites which hold this information.
  2. Information about you is also made available when you access online platforms, e.g. to enquire about properties which are available for renting. 
  3. We handle this information to assess your suitability for tenancies/residency and for the management of the tenancy and the property.  This is in our own legitimate interests to ensure that tenants/residents are suitable and that the tenancy and the property are effectively managed.  This can include ensuring that tenancy obligations are performed.  These legitimate interests are to ensure that our property interests are protected and our rights are enforced. 
  4. We handle information received via our online platforms for contract performance, including arranging lettings and entering into tenancy agreements.

Insurance

  1. We insure the buildings and may insure contents belonging to us.   We may also insure against public liability, including liability to yourself for injuries and rental insurance, in the event of rent arrears or other tenancy default.
  2. We handle information about you which may be relevant to our insurances to arrange cover, to administer insurance contracts, to renew insurances and to make claims.  Contractually we are under certain duties, e.g. to disclose information to the insurers.  We handle this information to protect our legitimate interests.  These are to ensure that appropriate risks are adequately insured against and to recover any sums due to us under the policy as a result of claims.
  3. It is your responsibility to insure your own contents/belongings.  You may seek information from us relevant to arranging such insurance or making claims.  We handle this information and will do so with your consent which is provided as part of your request for any assistance or information.

Flat management

  1. This applies in particular where the property is a flat.  This flat will be held by us under a lease or subject to other contractual arrangements which will set out various responsibilities for the upkeep, insurance etc., of the block including common areas.  The lease or other arrangements place contractual obligations on us which in turn may be passed on to you under the terms of the tenancy.
  2. We handle information about you in order to carry out our responsibilities under these leases/arrangements.  This is done in our own legitimate interests and in the interests of the freeholder etc., of the block so as to ensure that respective obligations are properly performed.

Car registration

  1. We hold records of car registrations for vehicles which you keep at or in the vicinity of the property.
  2. We handle this information to manage the property for contract performance.
  3. We also handle this information in our own legitimate interests and those of others such as neighbours in order to monitor and regulate parking.  This is to protect our own property interests and rights and those of others such as neighbours who may be affected by parking issues.

Other

Please list out any additional information/data/categories of information or data and describe them appropriately: n/a

 

 

Part 2 – Sharing Information

Introduction

We share your information with various persons, organisations and public authorities as necessary.  This involves us either transferring your information to others or collecting it from them, depending upon the circumstances.  This Part of the Table gives you details about this.  It can be a two-way traffic between ourselves and others.  In some instances, we may collect information about you from someone else following a request by us to them to provide this information.

Where we collect information from others (third parties) we have to tell you the source of this information, whether or not it is publicly accessible, the nature of the source (i.e. whether it is publicly or privately held) and the types of organisation from whom the information is obtained.  Where possible we need to name the source as well but often this cannot be done.  The required details appear in this Part of the Table.

Where information is received from a private person/body or a public authority, this information will not normally be publicly accessible; however, in some instances it will be.  Information which will be publicly accessible will be information such as Council Tax bandings and information available in public registers, e.g. registers of births and other available public registers.

We share identity and contact details with all persons, organisations/authorities referred to below.  This category of information is linked with the other information in every category for the purposes and under the legal gateway specified under each of the other categories of information.  This is to ensure that you are correctly identified and, if need be, can be contacted.

A – Sharing of certain categories of your information

We share certain categories of your information (both transferring it to them and collecting it from them as necessary) with private persons/organisations and public authorities as necessary. 

In Section B we go on to explain that, as necessary, certain private persons/organisations and public authorities can share any of your information (irrespective of its category).

Table 1 below identifies the different categories of your information and specifies the private persons/organisations/public authorities with whom these different categories of your information are shared as necessary.  This Table should be read in conjunction with Table 2 (private persons/organisations) and Table 3 (public authorities).  Tables 2 and 3 explain why we share your information with these persons/organisations/public authorities and the legal gateway which allows this to happen.

Depending on the category of data concerned you should also refer to that category under Part 1 above because the purposes set out for which we handle data and the legal gateway for doing so also usually apply when we share data with others. 

Table 1 – Data categories and who they are shared with

Table 2 – Private persons/organisations

Table 3 – Public Authorities

B – Private persons/organisations/public authorities with whom any information is shared

As necessary, we share all of your information (irrespective of its category) with certain private bodies/organisations/public authorities.  This includes transferring your information to them and receiving it from them.  These are

* These are public authorities

Names of persons/organisations/public authorities with whom information is shared

Where we are able we have to provide you with the identity of the persons/organisations/authorities which are referred to in Tables 1, 2 and 3 above.

· Email provider: Plusnet.com & FastHosts
· Website provider/host (if any): FastHosts
· Accountant: GP&S Long Eaton
· Landlord’s bank: TSB Bank
· Landlord’s insurance (rent insurance and/or public liability): Coversure Insurance
· Other professionals: NAEA & ARLA & TPO
· Local authority for the property: Depending upon location and postcode, usually Ashfield District Council, Amber Valley Borough Council, Bolsover District Council and Broxtowe Council
· Letting/managing agent (if any): MCM Estates & Lettings
· Contractors etc., regularly employed to maintain the property: Tradesmen approved and qualified by MCM Estates & Lettings
· Guarantor (if any): As named on your tenancy or guarantor agreements (if applicable)
· Joint tenants (if any):
· Water Company: Severn Trent and/or Watermark
· Deposit protected with: TDS, DPS or My Deposits
· Freeholder/flat managing agent (where the property is a flat): n/a
· Service providers (e.g. Broadband): Usually Virgin & BT or as advised by the tenants
· Gas and electric company (where the landlord organises the supply): As advised by the tenants