Privacy Policy

This policy will help us address data protection in a consistent manner. The policy clearly set out our organisations approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy is approved by management and published and communicated to staff. The policy will be reviewed yearly and updated when required to ensure it remains relevant.

Registration

Our business is registered with the information Commissioners Office.

Awareness

Key directors Ian Hunter and Sarah Hunter are aware that the GDPR is changing. They appreciate the impact this is likely to have and have identified areas that could cause compliance problems under the GDPR as laid out below.

Information we hold

Following our Data Audit we have identified 7 instances of client data collection:

All clients will have name, address, telephone number and email collected.

1. As a general applicant
2. As a vendor of a property. Additional proof of identification for AML regulations will be required.
3. As a purchaser/tenant. Additional proof of identification for AML regulations will be required and financial checks.
4. As a client who has asked for a valuation.
5. As a mortgage customer. Additional information will be required for a mortgage.
6. As a lettings landlord. Additional proof of identification for AML regulations with be required.
7. As a member of staff or job applicant. Additional proof of identification for AML regulations will be required/references.

Our online data is held in two ways, firstly in a secure off-site cloud based client database known as teamwork’s which is password protected and secondly on our password protected server. Our paper based files are held in locked filing cabinets outside of working hours.

Our data is normally only shared with other property professionals in our normal day to day activities including solicitors, mortgage brokers, other estate agents, surveyors, EPC providers, AML checks as examples. Our privacy policy notice provides further information.

If we have inaccurate personal data and have shared this with another organisation we will tell the other organisation about the inaccuracy so it can correct its own records. We will record this change in the notes section of our property file. In the case of an email change which is likely to be most common error a new verification email will be provided via our estate agent software.

Communicating Privacy Information

Individuals Rights:

Our Software allows for easy identification of a client and an easy deletion of their record. Once identified we are able to provide the following:

  • The right to be informed
  • The right of access
  • The right of rectifications
  • The right of erasure
  • The right of restrict processing
  • The right of data portability
  • The right to object and/
  • The right not to be subject to automated decision-making, including profiling.

Data Destruction

Our paper files are dead filed upon completion of a transaction and are accessible up until destruction which is normally at 7 years depending on other associated regulations. We are moving towards all our paper files being saved to our estate agency software and therefore on completion of a sale the paper file will be copied electronically and then destroyed.

Subject Access Requests

We will not charge a client for complying with a request.

We will respond within a month of a request unless they are manifestly unfounded or excessive.

If we refuse a request, we will tell the individual why and they have the right to complain to the supervisory authority and to seek a judicial remedy.

We will write to the client to acknowledge receipt of their request and confirm that we will respond within 30 days.

If there is a delay in dealing with the request for any reason, the organisation contacts he requester to explain the reason and the expected date for the response.

The response to a SAR includes an explanation of the searches that have been made to deal with the request and the information revealed by those searches.

The organisation logs receipt of the SARs and updates it to monitor progress as the SAR is progressed. The log includes copies of information supplied in response to the SAR, together with copies of any material withheld and an explanation why.

A standard checklist is used to ensure consistency in identity verification procedures and to ensure that the necessary information if obtained from relevant departments across the organisation.

Lawful Basis for Processing Personal Data

We hold personal data in order to comply with our Legal Obligations, Contracts and where we have a legitimate interest with reference to AML regulations, THE CONSUMER PROTECTION FROM UNFAIR TRADING REGULATIONS and THE ESTATE AGENCY ACT, amongst others.

Clients will be actively asked to opt into and consent to receiving our services and a record of this will be held on our software in most instances by an automated email system. All emails generated form our software will have a unsubscribe option. Consent will be freely given, specific, informed and unambiguous.

The data is taken to be able to provide the estate agency service required by the client and to protect our staff with information taken prior to viewings.

Where we feel consent is required, prior to the new regulations, we will ask all our clients to opt into our service and if they do not respond with an ‘opt in’ we will not make further contact.

Data Breaches

A breach would consist of our service computer system being hacked or computers or mobile phones stolen, or our offices are broken into and the secure and locked filing cabinets opened.

We will notify the ICO of a breach where it is likely to result in a rick to the rights and freedoms of individuals-if, for examples, it could result in discrimination, damage to reputation, finical loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to rights and freedoms of individuals, we will also notify those concerned directly in most cases. Our high risk clients have been identified as those where we hold passport/driving licence and other financial records.

We are aware that failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Data Protection by Design and Data Protection Impact Assessments

We have instigated a privacy policy by design approach to data protection. Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. With this is mind we have designed our processes and systems with privacy in mind at the outset. This has resulted in the redesign of our estate agency software to have an ‘opt in’ email and a review of how we hold, store and dispose of personal data. We carried out a privacy impact assessment as part of this process.

Our assessment is that we do not need to carry out a Data Protection Impact Assessment as we do not fall under the mandatory requirements to do so.

Data Protection Officers

We do not need to formally designate a protection office as our organisation does not fit the requirements as we are not an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions. Ian Hunter is our designated person who takes responsibility for data protection compliance.

International

We do not sell properties overseas and do not need to take further action on this point.

Children

We do not collect personal data on children.

Training

Many Data security breaches are accidental and result from insider actions. All staff will be trained in handling personal data and on their data protection responsibilities. Specialist training for staff with specific duties, such as marketing, information security and database management, will also be delivered when the designated person deems necessary. Regular communication of key message is equally important to help reinforce training and maintain awareness (for example, internet articles, circulars, team briefings and posters. And will be circulated where applicable. Training records will be kept.

Cookies We use cookies to ensure that we give you the best experience on our website. To find out more about our cookies policy, see our cookies policy here or in the footer.