1.     Our policy

This Policy outlines how PR Lettings & Management Limited (“we”, “our”, “us”, “the Company”), whose registered office is at 6 Cross Street, Preston, PR1 3L handle the Personal Data of our tenants, prospective tenants, landlords, employees and other third parties.

Everyone has rights with regard to the way in which their Personal Data is handled.  During the course of our activities we will collect, store and process personal data about our tenants, landlords, employees and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in our business activities.

We manage personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (‘the GDPR’) and the Data Protection Act 2018 (‘the DPA’).

This Policy applies to all Personal Data we Process regardless of its format or the media upon which it is stored.  It also applies equally to past or present tenants, landlords, employees or any other Data Subject. 

This Policy applies to all Company Personnel (“you”, “your”).  You must read, understand and adhere to this Policy at all times when Processing Personal Data on our behalf.  Compliance with this Policy is mandatory and any breach may lead to disciplinary action being taken.  Related Policies are available to help you interpret and act in accordance with this Policy. 


2.     Definitions

Data Controller: A person or organisation that, either alone or with others, determines the purposes and the means of processing personal data.

Data Processor: A person or other body, other than an employee of the data controller, who processes the personal data on behalf of the data controller.

Data Protection Legislation:  means the Data Protection Act 2018 and the General Data Protection Regulation ((EU) 2016/679) (GDPR) the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the national Data Protection Authority including any amending or replacement legislation in force from time to time.

Data Subject: The person whose personal data is held or processed.

Personal Data:  any information identifying an individual or information relating to an individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories Personal Data. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal Data Breach:  any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy Notices:  separate notices setting out information that may be provided to individuals when the Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one time privacy statements covering processing related to a specific purpose.

Processing: Operations performed on personal data, such as collecting, recording, organising, structuring, storing, altering, retrieving, using, disseminating, erasing or destroying.  Processing can be automated or manual.

Special Category Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

3.     Purpose of this Policy

The Company takes its obligations towards Data Subjects very seriously and this Policy is a statement of the Company’s commitment to protecting the rights and privacy of individuals in accordance with Data Protection Legislation.

Along with a commitment to protecting individual’s rights; the Data Protection Legislation is taken very seriously as the Company is exposed to potential fines of up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the GDPR.

Leanne Clinton is responsible for overseeing this Policy and, as applicable, developing related policies and other privacy guidelines.

Please contact Leanne Clinton with any questions about the operation of this Policy or the Data Protection Legislation or if you have any concerns that this Policy is not being or has not been followed.

4.     Data Protection Principles

The Data Protection Legislation, in particular the GDPR, sets out strict rules about the way in which Personal Data and Special Category Data are collected, accessed, used and disclosed.  The Company shall perform its responsibilities in accordance with the following six principles as outlined in the GDPR:

  • used fairly, lawfully and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not processed in a manner which is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purpose the data is being used for;
  • accurate and, where necessary, up to date;
  • kept for no longer than is necessary; and
  • kept securely so that data is protected against unauthorised use, accidental loss, destruction or damage.

5.     Our legal basis for processing personal data

Personal Data must be processed lawfully, fairly and in a transparent manner.  The Company shall obtain and process Personal Data fairly and in accordance with statutory and other legal obligation.

The Company will only process Personal Data where it has a “lawful basis” (legal reason) to do so.  The six legal reasons the Company may use are:

  • the individual has given their consent;
  • the processing is necessary for the performance of a contract;
  • to meet our legal obligations;
  • to protect an individual’s vital interests;
  • the processing is necessary for the performance of a task carried out in the public interest; and
  • the processing is necessary for our legitimate business interests, provided that those interests are not overridden by the rights and freedoms of the individual.

For Special Categories of Personal Data, the Company will company with the additional requirements for processing as set out in the GDPR.  These include:

  • where we have obtained explicit consent from the individual;
  • the Personal Data needs to be processed for the purposes of carrying out the obligations in the field of employment, social security and social protection law;
  • the Personal Data needs to be processed to ensure the vital interests of the data subject or another individual where the data subject is physically or legally incapable of giving consent;
  • the Processing relates to Personal Data which are manifestly made public by the data subject;
  • the Processing is necessary for the establishment, exercise or defence of legal claims;
  • the Processing is necessary for reasons of substantial public interest;
  • the Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; and
  • the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes.

The Data Protection Legislation requires the Company to provide detailed, specific information to individuals depending on whether the information was collected directly from individuals or from elsewhere. Such information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that an individual can easily understand them.

Whenever we collect Personal Data directly from individuals, including for human resources or employment purposes, we must provide the individual with all the information required by the Data Protection Legislation including the identity of Company, how and why we will use, process, disclose, protect and retain that Personal Data through a Privacy Notice which must be presented when the individual first provides the Personal Data.

A copy of our Privacy Notices that are to be issued to tenants, landlords and employees when they first provide their personal data can be found at the following:




6.     We will…

We will only use Personal Data for specified, explicit and legitimate reasons.  Personal Data must not be used in any way which is incompatible with the reasons for which it was obtained.

We will not use Personal Data for new, different or incompatible reasons from that disclosed when the information was first obtained unless we have informed the individual of the new reasons for using their personal data and they have consented where necessary.

We will make sure that personal data is adequate, relevant and limited to what is necessary in relation to the reasons for which it is obtained.  We will ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with our Data Retention procedure.

We will only collect, use and process personal data when performing our job duties requires it.  We cannot collect, use or process personal data for any reason unrelated to our job duties.

We will ensure that when personal data is no longer required, it is deleted or anonymised in accordance with our Data Retention Policy.  We will maintain retention policies and procedures to ensure that Personal Data is deleted after a reasonable time.  You will take all reasonable steps to destroy or erase from our systems all Personal Data that is no longer required in accordance with the Company’s Data Retention Policy. 

We will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it.  We will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards and will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

7.     Security

We will keep Personal Data secure by taking appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.  The following procedures are in place to help prevent unauthorised access to, alteration, disclosure or destruction of Personal Data:

  • Any information on our computer system is secure, accurate, relevant and necessary.  The personal data held on mobile electronic devices is minimised and appropriate security measures implemented against unlawful or unauthorised access;
  • We utilise and maintain adequate anti-virus and malware detection and prevention
  • We aim to make sure PR Lettings & Management staff do not misuse any confidential information or pass on information improperly to a third party;
  • Where paper files and records containing personal data are unavoidable, we will store these in secure cabinets;
  • All computers are protected by power-on passwords. 
  • If a computer is left unattended for a period of five minutes, then a screen saver password is activated.  All employees are required to re-set their passwords every three months.  

All employees must follow all our procedures and technologies we put in place to maintain the security of all personal data from the point it is collected to the point it is destroyed. 

You must not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Legislation and relevant standards to protect Personal Data.


8.     Sharing your information

We will not normally share Personal Data with anyone else.  However, there a certain circumstances where we will be required to share Personal Data with other organisations and we will comply with the Data Protection Legislation when disclosing this information.

We sometimes share Personal Data with our suppliers and/or contractors who enable us to provide services to our customers – e.g. gas servicing companies or energy suppliers.  The Personal Data shared is limited to the specific information the supplier requires in order to carry out their service as well as any additional information that ensures we fulfil our health and safety obligations to the people carrying out the work. 

We will be responsible for the fair and lawful processing of Personal Data shared with third parties.  We make sure this occurs through data sharing agreements, either in contracts or as standalone agreements.

We will share personal data with law enforcement and government agencies or public bodies where we are legally required to do so.  Examples include:

  • The prevention or detection of crime and/or fraud;
  • The apprehension or prosecution of offenders;
  • The assessment or collection of tax owed to HMRC;
  • In connection with legal proceedings;
  • Where the disclosure is required to satisfy our safeguarding obligations; or
  • Research and statistical purposes provided the Personal Data is sufficiently anonymised or consent has been provided.

We will not transfer Personal Data to a country or territory outside the European Economic Area unless the country or territory in question ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Personal Data or where we have entered into an Agreement with the provider using standard contractual clauses as approved by the European Commission.

9.     Data Protection Breaches

If you know or suspect that there has been a potential data protection breach, do not attempt to investigate the matter yourself.  You must immediately contact us and follow our Data Breach Procedure.  You must preserve all evidence relating to the potential data protection breach.

We will investigate all reports of potential data protection breaches and provide reports of the investigations and outcomes to the relevant boards and/or committees, including lessons learnt reports.

We will report all data protection breaches to the Information Commissioner’s Office within 72 hours when necessary to do so.  We have put in place procedures to deal with any suspected data protection breaches and will notify individuals and/or the Information Commissioner’s Officer where we are legally required to do so.  Please see our Data Breach Procedure for further guidance.

We will notify those whose Personal Data has been breached at the earliest opportunity where it is appropriate to do so.

10.  Individual’s Rights and Requests

Individuals have rights when it comes to how we handle their personal data.  These include rights to:

  • withdraw their consent to processing at any time;
  • receive certain information about the Data Controller's processing activities;
  • request access to their Personal Data that we hold;
  • prevent our use of their Personal Data for direct marketing purposes;
  • in certain circumstances, to ask us to erase Personal Data;
  • to rectify inaccurate data or to complete incomplete Personal Data;
  • in certain circumstances to restrict the processing of their Personal Data;
  • challenge processing which has been justified on the basis of public interest;
  • request a copy of agreements under which Personal Data is transferred outside of the EEA;
  • object to decisions based solely on automated decision making or profiling;
  • prevent processing that is likely to cause damage or distress;
  • in certain circumstances, be notified of a data protection breach;
  • make a complaint to the Information Commissioner’s Officer; and
  • in limited circumstances, ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.

Individuals have a right to make a ‘subject access request’ to gain access to Personal Data that the we hold about them.  Subject access requests must be submitted in writing, either by letter, email or faxed to us. They should include:

  • name of individual;
  • correspondence address;
  • contact number and email address; and
  • details of the information requested

When responding to requests, we:

  • may ask the individual to provide two forms of identification when submitting a request;
  • may contact the individual via phone to confirm the request was made;
  • will respond without delay and within 1 month of receipt of the request;
  • will provide the information free of charge;
  • may tell the individual that we will comply within 3 months of receipt of the request where requests are complex or numerous, and will explain why.

If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee which takes into account administrative costs.  A request will be deemed to be unfounded or excessive if it is repetitive, or asks for further copies of the same information. When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO.  For further information, please see our Subject Access Request Procedure.

You must immediately forward any request to exercise data protection rights which they receive to Leanne Clinton and comply with our Data Subject Access Procedure, Data Portability Procedure or Right to Erasure Procedure where applicable.

11.  Making sure we do what we say…

Additional measures we have implemented in order to comply with the Data Protection Legislation include:

  • privacy by design and completing privacy impact assessments where processing presents a high risk to rights and freedoms of individuals;
  • integrating data protection into internal documents including this policy, any related policies and any privacy notices;
  • regularly training members of staff on the Data Protection Legislation, this policy, any related policies and any other data protection matters.  We will maintain a record of training attendance by members of staff; and
  • regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance.

We will document our Processing activities and implement measures to protect the security of Personal Data.  This record of processing includes our contact details, clear descriptions of the Personal Data types, data subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, retention periods and a description of the security measures in place.

12.  Review

We will review this Policy every 2 years or in light of any legislative or procedural changes.  Details of any changes will be communicated to all employees.

This website uses cookies. We use cookies to provide social media features and to analyse our traffic.
You consent to our cookies if you continue to use our website. Read our cookie policy. I understand