PIGOTT and HALL PRIVACY POLICY
We understand that keeping your personal information safe is the foundation to building trust and confidence in our organisation.
This policy hopes to provide clear and concise information about what we do with your personal data.
1.1 Introduction
To comply with the General Data Protection Regulation (GDPR), Data Protection Act 2018 and all successive legislation, we are required to collect, store and process personal data about our clients, vendors, landlords, tenants, applicants, suppliers, contractors, employees, workers, and other third parties for whom we provide services or with whom we conduct business.
Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Pigott and Hall are responsible for, and must be able to demonstrate, compliance with the above principles.
1.2 Definition of terms used in this policy
An explanation of the terms that are used most frequently:-
Personal data means data relating to a data subject who can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal data can be factual (e.g. a name, address or date of birth) or it can be an opinion about that data subject, their actions and behaviour. It can also include an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic (e.g. DNA or RNA), mental, economic, cultural or social identity of that individual.
Data controller is a term used to describe the people who, or organisations which, determine the purpose and manner for which any personal data is processed.
Data subject means the individual about whom we hold personal data.
Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures.
Data processors means any person or organisation that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition but it could include suppliers who handle personal data on our behalf.
Processing is a term used to describe what we do with the data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring (or disclosing) personal data to third parties.
Special categories of personal data is a term used to describe sensitive personal data such as information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, genetic data and biometric data where processed to uniquely identify a person or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions.
1.3 Pigott and Hall’s responsibility for data protection
As a data controller, we are responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that we do more than just say that we are complying with data protection laws, but that we are also able to demonstrate compliance. We do this principally by:
· implementing processes and policies that enable us to comply with data protection laws, such as not collecting more personal data than we need, providing comprehensive, clear and transparent privacy notices, and creating and improving security features on an ongoing basis;
· undertaking data protection impact assessments, where appropriate, when using new technologies where the processing is likely to result in a high risk to the rights and freedoms of data subjects;
· undertaking periodic internal audits of personal data held by us; and
· training staff.
1.4 What data will we be collecting from you?
When you access our website and/or register your interest in the use of our services by phone, in person or on email, Pigott and Hall and any other third parties who host, maintain or support our delivery of services may collect personal information about you.
The personal information we collect from you will typically include but is not limited to the following:
· Full name and contact details (including contact number, email and postal address).
· Employment details, credit status, previous Landlord details and previous address details for referencing purposes
· Any phone number or email used to get in touch with our employees and/or offices.
· Information relating to your identity where we are required by law to collect this to comply with the Money Laundering Regulations 2017 and the Immigration Act (such as passport and/or driving licence).
· Information on your close connections where we are required to assess conflicts of interests under regulatory obligations.
· Your banking details where required such as where you are letting a property or, where renting, to set up an approved tenancy deposit account for you and arrange for rental payments.
· Details about your areas of interest where we wish to send you marketing information about similar products and/or services.
Where we need to collect personal data by law (eg. to meet our obligations under money laundering regulations or right to rent checks) or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to fulfil the existing contract and/or services as requested, or enter in a contract and/or services as requested. In this case, we may have to cancel a contract or service you have with us, but we will notify you if this is the case at the time.
1.5 How long will Pigott and Hall keep your data for
Pigott and Hall will keep information for a reasonable amount of time in order to perform the purposes listed in section 1.8 below. We only keep your information for as long as necessary. Pigott and Hall generally keep personal information for 7 years. However we reserve the right to keep information for longer if we feel that this is in the legitimate interests of Pigott and Hall or of course if the information is still relevant after 7 years, for instance if your tenancy is still current.
1.6 How will your personal data be processed?
Any personal data that Pigott and Hall process will:
· be processed fairly, lawfully and in a transparent manner;
· be processed ONLY for specified, explicit and legitimate purposes;
· be relevant and limited to what is necessary to collect and process;
· be accurate and kept up to date, ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
· not be kept for any longer than is necessary to fulfil the purpose or purposes for which it was collected; and
· be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
· not be passed onto a Third Party without your express permission
1.7 Lawfulness, fairness and transparency
For personal data to be processed lawfully, it must be processed for one of the specific reasons set out in the GDPR.
The following are some of the reasons provided by the GDPR which Pigott and Hall will rely on as a business to process personal data:
Processing is necessary:
· for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract for us to provide products or services.
· You have given us explicit consent to the processing of your personal data for one or more specific purposes, namely where you have given us consent to receive electronic marketing by us or to provide you with our property services.
· for compliance with a legal obligation to which we are subject
· for the purposes of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the legal reasons set out above, we can also process a data subject’s personal data where they have given consent to the processing for one or more specified purposes, provided that the consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes. You have the right to withdraw any consent given.
1.8 How Pigott and Hall will use your data
· To fulfil our obligations to you when providing you with our property services;
· To comply with our statutory and regulatory obligations, including verifying your identity, prevention of fraud and money laundering and to assess your credit worthiness;
· To comply with our requirements to demonstrate suitability to a client landlord of ours of a prospective tenant
· To communicate with you during the course of providing our services, for example with your enquiries and requests;
· To provide you, or to enable third parties to provide you, with information about goods or services we feel may interest you: where you have provided permission for us to do so or, if you are an existing customer where we choose to contact you by electronic means (including newsletter and email) with information about our own goods and services similar to those which you have already obtained from us or negotiated to obtain from us (marketing emails can be unsubscribed from at any time with the link at the bottom of the email);
· To notify you about changes to our service.
1.9 Keeping personal data secure
When we process personal data, we will do our best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage.
We will do this by:
· Encrypting personal data where possible;
· Ensure ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
· Ensure restoration and access to personal data in a timely manner in the event of a physical or technical incident; and
· Facilitating regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, we shall of course take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
1.10 Rights of data subjects
You have the right to:
· request access to any data we hold about you;
· have any inaccurate personal data about you corrected and incomplete personal data completed;
· object to us processing your personal data for our legitimate interests. We can refuse this request if our legitimate interests outweigh those of the data subject or if we need to continue processing for the establishment or defence of legal claims;
· ask us to destroy personal data about yourself. We can refuse this request if the personal data is still necessary in relation to the purposes for which it was being processed and there is a legal ground for us to continue processing;
· ask us to restrict processing of your personal data to merely storing it. This can only be requested if the accuracy of personal data has been contested and this is being verified, or if we no longer require the personal data but the data subject needs it to establish or defend a legal claim, or if the data subject has objected to the processing of personal data and we are deciding whether our legitimate interest override theirs, or if our processing is unlawful.
If a data subject exercises these rights and we have disclosed the personal data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.
1.11 Subject access requests
You have the right to request a copy of the personal information we hold about you. You also have the right to request that information we hold about you which may be incorrect, or which has been changed since you first told us, is updated or removed. You must do so in writing either by emailing Mr T. Hall at Tim@pigottandhall.com or by post to Mr T. Hall, Pigott and Hall, 38 Westgate, Grantham, Lincolnshire, NG31 6LY
You can ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have:
· successfully exercised your right to object to processing
· where you have withdrawn consent for us to process it
· where we may have processed your information unlawfully
· where we are required to erase your personal data to comply with local law
Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you.
You have the right at any time to withdraw any consent you have given us to process your personal data. Please note if you withdraw your consent it will not affect the lawfulness of any processing of your personal data we have carried out before you withdrew your consent.
1.12 Complaints about the use of your personal data
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated by writing to Mr. T. Hall at Pigott and Hall, 38 Westgate, Grantham, Lincolnshire, NG31 6LY. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the UK data protection regulator, the Information Commissioner’s Office. Further details can be found at www.ico.org.uk or 0303 123 1113.