1. The General Data Protection Regulations (GDPR) are enforced as from 25 May 2018 and supersede the Data Protection Act 1998. GDPR is applicable to all EU Residents’ data wherever it is processed throughout the world.
2. This policy sets out how Rees Richards & Partners (RRP), Druslyn House, De La Beche Street, Swansea, SA1 3HH uses and protects any personally identifiable data provided to the firm when using its services. Personal data relates to a living individual (‘Data Subject’) who can be identified from that data.
3. RRP is committed to ensuring that an individual’s privacy is protected. Should certain information be provided by which an individual can be identified during the term of a contracted business relationship or when using the firm’s website www.reesrichards.co.uk, mobile websites or apps, then it will only be used in accordance with this privacy statement.
4. Rees Richards & Partners is registered with the Information Commissioner’s Office, registration number Z4805898.
5. The ‘Data Protection Coordinator’ is Dylan Williams who may be contacted by:-
Email – email@example.com
Office Telephone – 01792 650705
Mobile – 07815 737999.
6. Should any changes be made to the way in which personal information is ‘Processed’ then this policy will be updated with a revised version number and date in the footer.
7. What personal information may be collected
a. Contact details including:
iii. Email, telephone/mobile number
b. Date of birth
c. To comply with the firm’s Anti Money Laundering Policy:-
i. Proof of Identity documents
ii. Credit referencing information principally although not exclusively through Smart Credit Limited www.smartsearchsecure.com
d. Bank / Credit Card details
8. The lawful basis of processing personal data
The lawful basis of processing personal data is by way of ‘contract’ as defined by Article 6 of the General Data Protection Regulations where processing is necessary for the performance of a contract to which the data subject is party, e.g. Estate Management Leases or Tenancies, Valuations, Estate Agency or other Professional Services.
9. What personal information is used for
a. ‘Processing’ is necessary for the performance of a contract/tenancy agreement with a data subject or to take steps to enter into a contract/tenancy agreement.
b. ‘Processing’ is necessary for compliance with a legal obligation to review and assess financial risk under the HMRC Anti Money Laundering Regulations.
c. Information is required on a Legal/Contractual basis to engage in business arrangements with data subjects, offering terms of business, lease agreements, estate management services, estate agents or other professional services.
d. Information is used to provide the agreed service (Lease agreement, ground rent demands, Statements, record payments etc) and to communicate with the data subject.
10. How personal information collected is held
a. The information is held on working paper files (and/or)
b. Digitally on the firm’s preferred software products which are certified as being GDPR compliant.
11. When personal data information is collected
a. On an application for a fee or rental quote.
b. Upon entering into a contract with RRP for the provision of services and when such services are used.
c. Upon receiving a query via the firm’s website, email or telephone
d. Personal Information may also be collected from or provided by third parties and organisations e.g.
ii. Other agents providing similar or competing professional services
iii. Land registry
iv. Credit reference agencies
v. Insurance brokers and providers
vi. Banks & Building Societies
12. Being a Data Processor
Personal data information will be passed to RRP as a ‘Data processor’ by a ‘Data Controller’ in order for RRP to provide a third-party service on their behalf. E.g. RRP receive instructions from a bank to provide a valuation on a property. The same safeguarding of personal data applies although the ‘Data Controller’ is ultimately responsible for such data.
13. Personal data held may also include
a. Details of contact the firm has had with a data subject
b. Details of services received by the data subject
c. Details about complaints
RRP are committed to ensuring that personal data information is secure. To prevent unauthorised access or disclosure, physical, electronic and managerial procedures are in place to protect, safeguard and secure the information that is held.
15. Controlling personal data information
RRP will not sell, distribute or lease personal data information to third parties unless authorised by the data subject or required by law to do so. Personal data information may be used to send data subjects promotional information about the firm’s services or those of third parties which are considered to be of interest.
16. Personal Data Information Retention
a. The firm will retain indefinitely all data gathered in the course of its Estate Management, Agency & Professional Services function for legal, regulatory, historical, statistical and property management research or reference.
b. Data will only be permanently erased or anonymised when:-
i. Requested by a Data Controller who has provided the personal information.
ii. It must be erased to comply with a legal obligation.
iii. The data subject has withdrawn consent to processing.
iv. A request for the right to be erased has been received and accepted.
17. Right of access
a. Personal Data Subjects have the right to access personal data and supplementary information in order to be aware of and verify the lawfulness of its processing.
b. Written requests should be sent to the firm’s ‘Data Protection Coordinator’ (as confirmed above) and the information will be provided free of charge within one month from receipt of the request.
18. Right to rectification
GDPR gives a Data Subject the right to have personal information rectified if it is inaccurate or incomplete. On receipt of accurate information RRP will ensure that all records are updated and any third parties notified within 1 month.
19. Right to restrict processing
Data Subjects have the right to ‘block’ or suppress processing of personal data. In this instance RRP will retain adequate information to ensure that the restriction is respected.
20. Right to erasure
The right to erasure, also known as ‘the right to be forgotten’, gives a Data Subject the right to have personal data erased or to prevent processing of all information in specific circumstances. This request can be made where:
i. Personal data is no longer necessary in relation to the purpose it was originally supplied
ii. When consent is withdrawn
iii. When an objection is received to processing and there is no overriding legitimate interest
iv. Personal Data information is unlawfully processed
v. Personal data must be erased to comply with a legal obligation
RRP can refuse to process this request for the following reasons:
vi. To exercise the right to freedom of expression and information
vii. To comply with a legal obligation for the performance of a public interest task or exercise of official authority
viii. Archiving purposes in the public interest, historical research or statistical purposes
ix. Exercise or defence of legal claims
RRP will endeavour to process information lawfully, fairly and in a transparent manner which ensures appropriate security of personal data information. Should there be any concerns then please contact the firm’s ‘Data Protection Coordinator’ (as confirmed above).