1. Our policy
This Policy outlines how PR Lettings & Management Limited (“we”, “our”, “us”, “the Company”), whose registered office is at 6 Cross Street, Preston, PR1 3L, handles the Personal Data of our tenants, prospective tenants, landlords, employees and other third parties.
Everyone has rights with regard to the way in which their Personal Data is handled. During the course of our activities we will collect, store and process personal data about our tenants, landlords, employees and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in our business activities.
We manage personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (‘the GDPR’) and the Data Protection Act 2018 (‘the DPA’).
This Policy applies to all Personal Data we Process regardless of its format or the media upon which it is stored. It also applies equally to past or present tenants, landlords, employees or any other Data Subject.
This Policy applies to all Company Personnel (“you”, “your”). You must read, understand and adhere to this Policy at all times when Processing Personal Data on our behalf. Compliance with this Policy is mandatory and any breach may lead to disciplinary action being taken. Related Policies are available to help you interpret and act in accordance with this Policy.
Data Controller: A person or organisation that, either alone or with others, determines the purposes and the means of processing personal data.
Data Processor: A person or other body, other than an employee of the data controller, who processes the personal data on behalf of the data controller.
Data Protection Legislation: means the Data Protection Act 2018, the General Data Protection Regulation ((EU) 2016/679) (GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the national Data Protection Authority, including any amending or replacement legislation in force from time to time.
Data Subject: The person whose personal data is held or processed.
Personal Data: any information identifying an individual or information relating to an individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories Personal Data. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Processing: Operations performed on personal data, such as collecting, recording, organising, structuring, storing, altering, retrieving, using, disseminating, erasing or destroying. Processing can be automated or manual.
Special Category Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
3. Purpose of this Policy
The Company takes its obligations towards Data Subjects very seriously and this Policy is a statement of the Company’s commitment to protecting the rights and privacy of individuals in accordance with Data Protection Legislation.
Along with a commitment to protecting individuals’ rights, the Data Protection Legislation is taken very seriously as the Company is exposed to potential fines of up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the GDPR.
Leanne Clinton is responsible for overseeing this Policy and, as applicable, developing related policies and other privacy guidelines.
Please contact Leanne Clinton with any questions about the operation of this Policy or the Data Protection Legislation or if you have any concerns that this Policy is not being or has not been followed.
4. Data Protection Principles
The Data Protection Legislation, in particular the GDPR, sets out strict rules about the way in which Personal Data and Special Category Data are collected, accessed, used and disclosed. The Company shall perform its responsibilities in accordance with the following six principles as outlined in the GDPR:
5. Our legal basis for processing personal data
Personal Data must be processed lawfully, fairly and in a transparent manner. The Company shall obtain and process Personal Data fairly and in accordance with statutory and other legal obligation.
The Company will only process Personal Data where it has a “lawful basis” (legal reason) to do so. The six legal reasons the Company may use are:
For Special Categories of Personal Data, the Company will comply with the additional requirements for processing as set out in the GDPR. These include:
The Data Protection Legislation requires the Company to provide detailed, specific information to individuals depending on whether the information was collected directly from individuals or from elsewhere. Such information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that an individual can easily understand them.
Whenever we collect Personal Data directly from individuals, including for human resources or employment purposes, we must provide the individual with all the information required by the Data Protection Legislation, including the identity of the Company and how and why we will use, process, disclose, protect and retain that Personal Data, through a Privacy Notice which must be presented when the individual first provides the Personal Data.
A copy of our Privacy Notices that are to be issued to tenants, landlords and employees when they first provide their personal data can be found at the following:
6. We will…
We will only use Personal Data for specified, explicit and legitimate reasons. Personal Data must not be used in any way which is incompatible with the reasons for which it was obtained.
We will not use Personal Data for new, different or incompatible reasons from that disclosed when the information was first obtained unless we have informed the individual of the new reasons for using their personal data and they have consented where necessary.
We will make sure that personal data is adequate, relevant and limited to what is necessary in relation to the reasons for which it is obtained. We will ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with our Data Retention procedure.
We will only collect, use and process personal data when performing our job duties requires it. We cannot collect, use or process personal data for any reason unrelated to our job duties.
We will ensure that when personal data is no longer required, it is deleted or anonymised in accordance with our Data Retention Policy. We will maintain retention policies and procedures to ensure that Personal Data is deleted after a reasonable time. You will take all reasonable steps to destroy or erase from our systems all Personal Data that is no longer required in accordance with the Company’s Data Retention Policy.
We will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. We will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards and will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
We will keep Personal Data secure by taking appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. The following procedures are in place to help prevent unauthorised access to, alteration, disclosure or destruction of Personal Data:
All employees must follow all our procedures and technologies we put in place to maintain the security of all personal data from the point it is collected to the point it is destroyed.
You must not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Legislation and relevant standards to protect Personal Data.
8. Sharing your information
We will not normally share Personal Data with anyone else. However, there are certain circumstances where we will be required to share Personal Data with other organisations and we will comply with the Data Protection Legislation when disclosing this information.
We sometimes share Personal Data with our suppliers and/or contractors who enable us to provide services to our customers – e.g. gas servicing companies or energy suppliers. The Personal Data shared is limited to the specific information the supplier requires in order to carry out their service as well as any additional information that ensures we fulfil our health and safety obligations to the people carrying out the work.
We will be responsible for the fair and lawful processing of Personal Data shared with third parties. We make sure this occurs through data sharing agreements, either in contracts or as standalone agreements.
We will share personal data with law enforcement and government agencies or public bodies where we are legally required to do so. Examples include:
We will not transfer Personal Data to a country or territory outside the European Economic Area unless the country or territory in question ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Personal Data or where we have entered into an Agreement with the provider using standard contractual clauses as approved by the European Commission.
9. Data Protection Breaches
If you know or suspect that there has been a potential data protection breach, do not attempt to investigate the matter yourself. You must immediately contact us and follow our Data Breach Procedure. You must preserve all evidence relating to the potential data protection breach.
We will investigate all reports of potential data protection breaches and provide reports of the investigations and outcomes to the relevant boards and/or committees, including lessons learnt reports.
We will report all data protection breaches to the Information Commissioner’s Office within 72 hours when necessary to do so. We have put in place procedures to deal with any suspected data protection breaches and will notify individuals and/or the Information Commissioner’s Office where we are legally required to do so. Please see our Data Breach Procedure for further guidance.
We will notify those whose Personal Data has been breached at the earliest opportunity where it is appropriate to do so.
10. Individual’s Rights and Requests
Individuals have rights when it comes to how we handle their personal data. These include rights to:
Individuals have a right to make a ‘subject access request’ to gain access to Personal Data that we hold about them. Subject access requests must be submitted to us in writing, either by letter, email or fax. They should include:
When responding to requests, we:
If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee which takes into account administrative costs. A request will be deemed to be unfounded or excessive if it is repetitive, or asks for further copies of the same information. When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO. For further information, please see our Subject Access Request Procedure.
You must immediately forward any request to exercise data protection rights which you receive to Leanne Clinton and comply with our Data Subject Access Procedure, Data Portability Procedure or Right to Erasure Procedure where applicable.
11. Making sure we do what we say…
Additional measures we have implemented in order to comply with the Data Protection Legislation include:
We will document our Processing activities and implement measures to protect the security of Personal Data. This record of processing includes our contact details, clear descriptions of the Personal Data types, data subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, retention periods and a description of the security measures in place.
We will review this Policy every 2 years or in light of any legislative or procedural changes. Details of any changes will be communicated to all employees.