Fair and lawful processing
GDPR is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (in this case Outlook Property Limited) the purpose for which the data is to be processed, and the identities of anyone to whom the data may be disclosed or transferred.
For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases, the data subject’s explicit consent to the processing of such data will be required. The data subject is able to withdraw consent at any time from one or all areas where it has been given.
Electronic Mail Marketing
We can only carry out electronic marketing if the person we are targeting has given their permission. However, there is an exception to this rule. Known as ‘soft opt-in’ it applies if the following conditions are met;
(a) Where we have obtained a person’s details in the course of a sale/let or negotiations for a sale/let;
(b) Where the messages are only marketing similar products or services; and
(c) Where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.
Processing for limited purposes
Personal data will only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by GDPR.
We collect personal data in a number of ways, for example: in branch, over the phone, via email, via online submissions, via our terms of business and using application forms. We collect information for the purpose of assisting clients and customers with their property needs and identify other services that will assist them in property related matters.
Our terms of business and documents to Sellers, Buyers, Landlords and Tenants also make clear that we collect information for administration and marketing purposes.
These documents also set out that we disclose the information to our service providers and agents for these purposes from whom we may get commission or fees.
Adequate, relevant and non-excessive processing
Personal data will only be collected to the extent that it is required for the specific purpose notified to the data subject.
Personal data will be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
Personal data will not be kept longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required. Transaction of a sales is to be retained for seven years, after this period, data will be erased from our system, unless permission is given for us to keep in contact for marketing purposes.
Processing in line with data subjects’ rights
Data will be processed in line with data subjects’ rights. Data subjects have a right to:
(a) Request access to any data held about them by a data controller.
(b) Prevent the processing of their data for direct-marketing purposes.
(c) Ask to have inaccurate data amended.
(d) Prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else.
(e) Object to any decision that significantly affects them being taken solely by a computer or other automated process.
We will ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
GDPR requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
(a) Confidentiality means that only people who are authorised to use the data can access it.
(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(c) Availability means that authorised users should be able to access the data if they need it for authorised purposes.
Personal data is therefore stored on our central computer system instead of individual PCs.
Security procedures include:
(a) Entry controls – Any stranger seen in entry-controlled areas should be reported.
(b) Clear desks policy and lockable cupboards – Desks are cleared of any personal information, cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
(c) Methods of disposal – Paper documents should be shredded. Online data should be deleted.
(d) Equipment - Data users should ensure that individual monitors do not show confidential information to passers-by and that they lock their PC and desk when it is left unattended.
Subject Access Requests
A formal request from a data subject for information that we hold about them must be made in writing. The initial request should be emailed to email@example.com. There is then a 20 working day window in which the data needs to be provided. Any member of staff who receives a written request should forward it to Head Office immediately and request ID for clarification purposes. .
Providing information to third parties
Any member of staff dealing with enquiries from third parties will not disclose any personal information held by us. Any enquiry made must be raised with Head Office or Branch Manager, who will:
(a) Check the identity of the person making the enquiry and whether they are legally entitled to receive the information they have requested;
(b) Suggest that the third party put their request in writing so the third party’s identity and entitlement to the information may be verified; and
(d) Where providing information to a third party, do so in accordance with the GDPR data protection principles.
Monitoring and review of the policy
This policy is reviewed annually by Outlook Property Limited to ensure it is achieving its stated objectives. Recommendations for any amendments are reported to firstname.lastname@example.org