1 Stop Properties (Glasgow) Limited GDPR Fair Processing Notice
(for external and 3rd parties) (How we use your personal information)
This notice explains what information we collect, when we collect it and how we use this. During the course of our activities we will process personal data (which may be held on paper, electronically, or otherwise) about you and we recognise the need to treat it in an appropriate and lawful manner. The purpose of this notice is to make you aware of how we will handle your information.
Who are we?
1 Stop Properties (Glasgow) Ltd, 491 Duke Street, Glasgow G31 1DL (“we” or “us”) take the issue of security and data protection very seriously and strictly adhere to guidelines published in the Data Protection Act of 1998 and the General Data Protection Regulation (EU) 2016/679 which is applicable from the 25 May 2018, together with any domestic laws subsequently enacted.
We are notified as a data controller with the Information Commissioner’s Office (ICO) under registration number Z8978152 and we are the data controller of any personal data that you provide to us.
Our point of contact is Wendy Gallagher (firstname.lastname@example.org).
Any questions relating to this notice and our privacy practices should be sent to Wendy Gallagher (email@example.com).
How we collect information from you and what information we collect
We collect information about you:
- when you apply for housing with us, become a tenant, request services/repairs, enter into a tenancy agreement with ourselves howsoever arising or otherwise provide us with your personal details;
- from your use of our online services, whether to report any tenancy related issues, make a complaint or otherwise;
- from your arrangements to make payment to us (such as bank details, payment card numbers, employment details, benefit entitlement and any other income and expenditure related information).
We collect the following information about you:
- Date of Birth
- Telephone number
- E-mail address
- National Insurance number
- Past Addresses
- Names & DOB of Child(ren)
- Employment Details
- Non-employment income/savings
- Bank Details & Statements
- Driver’s License information
- Current payslip information
- Details confirming Student status
- UK Visa documentation
- Previous L/L or agent information and references
- Accountants details (if required)
- Pension Provider
- Next of kin
- Emergency Contact details (if different from next of kin).
We receive the following information from third parties:
- benefits information, including awards of Housing Benefit/Universal Credit
- payments made by you to us;
- complaints or other communications regarding behaviour or other alleged breaches of the terms of your contract with us, including information obtained from Police Scotland;
- reports as to the conduct or condition of your tenancy, including references from previous tenancies, and complaints of anti-social behaviour.
We collect the following information about you:
- Home and Correspondence Address
- Rental Property Address(es)
- Landlord Registration Number(s)
- Telephone Contact Details
- Email address(es)
- Bank Details
- Joint Landlord Details
- Photo I.D.
- Proof of UK Residency
- Mortgage Provider/Ownership Verification
- Overseas HMRC information
Why we need this information about you and how it will be used
We need your information and will use your information:
- to undertake and perform our obligations and duties to you in accordance with the terms of our contract with you;
- to enable us to supply you with the services and information which you have requested;
- to enable us to respond to your repair request, housing application and complaints made;
- to analyse the information we collect so that we can administer, support and improve and develop our business and the services we offer;
- to contact you in order to send you details of any changes to our services or supplies which may affect you;
- for all other purposes consistent with the proper performance of our operations and business; and
- to contact you for your views on our products and services.
Sharing of your information
The information you provide to us will be treated by us as confidential and will be processed only by our employees within the UK/European Economic Area (EEA). We may disclose your information to other third parties who act for us for the purposes set out in this notice or for purposes approved by you, including the following:
- if we enter into a joint venture with or merge with another business entity, your information may be disclosed to our new business partners or owners;
- if we instruct repair or maintenance works, your information may be disclosed to any contractor;
- if we are investigating a complaint, information may be disclosed to Police Scotland, local authority departments, Scottish Fire & Rescue Service and others involved in any complaint, whether investigating the complaint or otherwise;
- if we are updating tenancy details, your information may be disclosed to third parties (such as utility companies, property factors and any local authority);
- if we are investigating payments made or otherwise, your information may be disclosed to payment processors, local authority and the Department for Work & Pensions;
- if we are conducting a survey of our products and/or service, your information may be disclosed to third parties assisting in the compilation and analysis of the survey results;
- if we are asked by HMRC in regard to taxation, your information may be accordingly disclosed.
Unless required to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your consent.
Transfers outside the UK and Europe
Your information will only be stored within the UK and EEA.
When you give us information we take steps to make sure that your personal information is kept secure and safe.
How long we will keep your information
We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information), or as set out in any relevant contract we have with you.
Our full retention schedule is available on request from 1 Stop Properties, 491 Duke Street, Glasgow G31 1DL.
You have the right at any time to:
- ask for a copy of the information about you held by us in our records;
- require us to correct any inaccuracies in your information;
- make a request to us to delete what personal data we hold about you; and
- object to receiving any marketing communications from us.
If you would like to exercise any of your rights above please contact us at firstname.lastname@example.org
Should you wish to complain about the use of your information, we would ask that you contact us to resolve this matter in the first instance. You also have the right to complain to the Information Commissioner’s Office (ICO) in relation to our use of your information. The ICO’s contact details are noted below:
The Information Commissioner’s Office – Scotland, Queen Elizabeth House, Sibbald Walk, Edinburgh EH8 8FT. Telephone: 0303 123 1115. Email: email@example.com
The accuracy of your information is important to us – please help us keep our records updated by informing us of any change.
DATA PROTECTION STATEMENT OF REQUIREMENTS FOR DATA PROCESSORS
We, 1 Stop Properties (Glasgow) Ltd (“the Data Controller”), require, pursuant to or in connection with the Principal Agreement/Contract we have with you (“the Data Processor”), that you are compliant with the General Data Protection Regulation 2016/679, and any subsequently enacted legislation in furtherance of Data Protection. Within this document, we state what we require of you as the Data Processor in order to be compliant. Should you have any questions regarding the contents of this document, you should contact Wendy Gallagher.
- 1.1. Applicable Laws shall mean (a) European Union or member state laws with respect to any Company Personal Data in respect of which any Company Group Member is subject to EU Data Protection laws; and (b) any other applicable law with respect to any Controller Personal Data in respect
- 1.2. Controller Personal Data shall mean any personal data processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Principal Agreement or Contract;
- 1.3. Principal Agreement/ Contract shall mean the main contract or agreement of services or other activities existing between the Data Controller and Data Processor;
- 1.4. Subprocessor shall mean any person (including any third party, but excluding an employee of the Processor or any of its sub-contractors) appointed by or on behalf of Processor which is engaged in the processing of personal data on behalf of the Controller in connection with the Principal Agreement/Contract;
2. Processor and Personnel
- 2.1. The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Controller Personal Data; and
- 2.2. The Processor must ensure that access to the Controller Personal Data is strictly limited to those individuals who need to know or need to access this data.
3. Security
3.1. The Processor must, when processing Controller Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk; and
3.2. In assessing the appropriate level of security, the Processor shall take into account, in particular, the risks that are presented by processing, in particular a Personal Data Breach.
4.1. The Controller authorises the Processor to appoint (and permit each Subprocessor appointed to appoint) Subprocessors;
4.1.1. This is only insofar as prior written notice is given of its intention to appoint a Subprocessor, including within this, the scope of processing that shall be undertaken by the Subprocessor, and that the Controller thereafter provides prior written consent of such appointment;
- 4.2. The Processor may continue to use those Subprocessors already engaged by the Processor as at 25 May 2018, so long as such Subprocessors are able to meet the obligations under section 4.5; and
- 4.3. The Processor must ensure that it undertakes adequate due diligence of the Subprocessor, and their systems, prior to their processing of Controller Personal Data to warrant that there is a level of protection as mandated in the Principal Agreement.
5. Data Subject Rights
- 5.1. The Processor must ensure that they have appropriate technical and organisational measures so as to assist in the fulfilment of the Controller’s obligations to respond to requests by any Data Subject under any Applicable Law;
- 5.2. The Processor must notify the Controller on receipt by them, or any Subprocessor, of a request from a Data Subject under any Applicable Law; and
- 5.3. The Processor must ensure that no response is given to any such request by the Processor or the Subprocessor, except on documented instructions of the Controller, or as required by the Applicable Laws to which the Processor is subject, in which latter case, the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the Contracted Processor responds to the request.
6. Personal Data Breach
- 6.1. The Processor must notify the Controller without undue delay upon the Processor or any Subprocessor becoming aware of a Personal Data Breach affecting the Controller Personal Data, providing the Controller with sufficient information to allow them to meet any obligations under the Applicable Laws.
- 6.2. The Processor shall co-operate with the Controller, and at their own expense take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach.
7. Data Protection Impact Assessment and Prior Consultation
7.1. The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessment and Prior consultations with Supervising Authorities.
8. Deletion or return of Controller Personal Data
- 8.1. The Processor must promptly and in any event, within seven (7) days of the termination or conclusion of any Services involving the processing of Controller Personal Data (“Cessation Date”), delete and procure the deletion of all copies of any Controller Personal Data.
- 8.2. The Controller may also, at its own discretion, by providing seven days written notice of the Cessation Date, require the Processor to:
8.2.1. Return a complete copy of all Controller Personal Data to the Controller by secure file transfer in such a format as is reasonably notified by the Controller to the Processor; and
8.2.2. Delete and procure the deletion of all other copies of Controller Personal Data that they, or any Subprocessor, have.
- 8.3. The Processor must only do what is required under Clause 8.1 and 8.2 to the extent that the Applicable Laws do not require them to retain such information. In such event, the Processor must ensure the confidentiality of all such Controller Personal Data, and that it is processed, for such periods as mandated, only insofar as said Applicable Laws require it to be processed.
- 8.4. The Processor must provide written certification, within 14 days of the Cessation Date, to the Controller that it has fully complied with their obligations under this Clause.
9. Audit Rights
- 9.1. The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Statement, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller Personal Data by the Processor;
- 9.2. The Controller shall give the Processor reasonable notice of any audit or inspection to be conducted, and shall make reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while the Controller’s personnel are on those premises in the course of such an audit or inspection; or
- 9.3. The Processor need not give access to its premises for the purposes of an audit or inspection to any individual unless they produce reasonable evidence of identity and authority; or outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller has given notice that this will be the case.
Data retention periods
The table below sets out retention periods for personal data held and processed by us, as a letting agent. It is intended to be used as a guide only. We recognise that not all personal data can be processed and retained for the same duration, and retention will depend on the individual circumstances relative to the data subject whose personal data is stored.