REES RICHARDS & PARTNERS PRIVACY POLICY

INTRODUCTION

The UK General Data Protection Regulations (“UK GDPR”) the Data Protection Act 2018 (“DPA 2018”) govern the use and protection of personal data in the United Kingdom. The UK GDPR is the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) and governs the processing of personal data, strengthens the rights of data subjects, and imposes obligations on controllers and processors. The DPA 2018 supplements the UK GDPR by setting out UK-specific exemptions and covering areas not addressed by the UK GDPR, such as processing by law enforcement authorities and intelligence services.

1) Important Information and who we are

a) This policy sets out how Rees Richards & Partners (hereinafter “RRP”), Druslyn House, De La Beche Street, Swansea, SA1 3HH uses and protects any personally identifiable data provided to the firm when using its services. Personal data relates to a living individual (“Data Subject”) who can be identified from that data.

b) RRP is committed to ensuring that an individual’s privacy is protected. Should certain information be provided by which an individual can be identified during the term of a contracted business relationship or when using the firm’s website www.reesrichards.co.uk, mobile websites or apps, then it will only be used in accordance with this privacy statement.

c) The website is not intended for children, and we do not knowingly collect data relating to children.

d) Rees Richards & Partners is registered with the Information Commissioners Office, registration number Z4805898 and is the controller and responsible for your personal data.

e) If you have any questions about this Privacy Policy, including any requests to exercise your legal right please contact the Data Protection Coordinator (“DPC”) using the information set out in clause 13).

f) Should any changes be made to the way in which personal information is ‘Processed’ then this policy will be updated with a revised version number and date in the footer.

2) What personal information may be collected

Personal data is meant by any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

a) Identity Data

i) Full Previous Names
ii) Full Name
iii) Identifiers
iv) Title
v) Date of Birth
vi) Gender

b) Contact Data

i) Address
ii) Email Address
iii) Telephone/ Mobile number

c) Financial Data

i) To comply with the firm’s Anti Money Laundering Policy:

(1) Proof of Identity documents
(2) Credit referencing information principally although not exclusively through Smart Credit Limited www.smartsearchsecure.com
(3) Bank / Credit Card details

d) Details of Contact the Firm has had with a data subject

e) Details of Services received by data subject

f) Details about complaints

3) The lawful basis of processing personal data

a) Performance of a contract – The lawful basis of processing personal data is by way of ‘contract’ as defined by Article 6 of the UK GDPR where processing is necessary for the performance of a contract to which the data subject is party. e.g. Estate Management Leases or Tenancies, Valuations, Estate Agency or other Professional Services.

b) Legitimate interests – Personal data shall be used where it is necessary to conduct RRP’s business and pursue legitimate interests, for example to prevent fraud and enable RRP to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

4) What personal information is used for

a) ‘Processing’ is necessary for the performance of a contract/tenancy agreement with a data subject or to take steps to enter into a contract/tenancy agreement.

b) ‘Processing’ is necessary for compliance with a legal obligation to review and assess financial risk under the HMRC Anti Money Laundering Regulations.

c) Information is required on a Legal/Contractual basis to engage in business arrangements with data subjects, offering terms of business, lease agreements, estate management services, estate agents or other professional services.

d) Information is used to provide the agreed service (Lease agreement, ground rent demands, Statements, record payments etc) and to communicate with the data subject.

5) How personal information collected is held

a) The information is held on working paper files (and/or).

b) Digitally on the firm’s preferred software products which are certified as being GDPR compliant.

c) Data is not transferred outside of the European Economic Area.

6) When personal data information is collected

a) On an application for a fee or rental quote.

b) Upon entering into a contract with RRP for the provision of services and when such services are used.

c) Upon receiving a query via the firm’s website, email or telephone. All inbound telephone calls are recorded.

7) Disclosure of your Personal Data

a) Personal Information may also be collected from or provided by third parties and organisations where necessary, set out below:

i) Solicitors
ii) Other agents providing similar or competing professional services
iii) Land registry
iv) Credit reference agencies
v) Insurance brokers and providers
vi) Banks & Building Societies

b) We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

8) Being a Data Processor

Personal data information will be passed to RRP as a ‘Data processor’ by a ‘Data Controller’ in order for RRP to provide a third-party service on their behalf. E.g. RRP receive instructions from a bank to provide a valuation on a property. The same safeguarding of personal data applies although the ‘Data Controller’ is ultimately responsible for such data.

9) Security

a) RRP are committed to ensuring that personal data information is secure. To prevent unauthorised access or disclosure, physical, electronic and managerial procedures are in place to protect, safeguard and secure the information that is held.

b) We have put in place procedures to deal with any suspected personal data breach and will notify you and any regulator of breach where we are legally required to do so.

10) Controlling personal data information

RRP will not sell, distribute or lease personal data information to third parties unless authorised by the data subject or is required by law to do so. Personal data information may be used to send data subjects promotional information about the firm’s services or those of third parties which are considered to be of interest.

11) Personal Data Information Retention

a) The firm will retain indefinitely all data gathered in the course of its Estate Management, Agency & Professional Services function for legal, regulatory, historical, statistical and property management research or reference.

b) Data will only be permanently erased or anonymised when:

i) Requested by a Data Controller who has provided the personal information.
ii) It must be erased to comply with a legal obligation.
iii) The data subject has withdrawn consent to processing.
iv) A request for the right to be erased has been received and accepted.

12) Your Legal Rights

You have a number of rights under data protection laws in relation to your personal data.

a) Right of access

i) Personal Data Subjects have the right to access personal data and supplementary information in order to be aware of and verify the lawfulness of its processing.

ii) Written requests should be sent to the firm’s ‘Data Protection Coordinator’ (as confirmed above) and the information will be provided free of charge within one month from receipt of the request.

b) Right to rectification
GDPR gives a Data Subject the right to have personal information rectified if it is inaccurate or incomplete. On receipt of accurate information RRP will ensure that all records are updated and any third parties notified within 1 month.

c) Right to restrict processing
Data Subjects have the right to ‘block’ or suppress processing of personal data. In this instance RRP will retain adequate information to ensure that the restriction is respected.

d) Right to erasure
The right to erasure, also known as ‘the right to be forgotten’, gives a Data Subject the right to have personal data erased or to prevent processing of all information in specific circumstances. This request can be made where:

i. Personal data is no longer necessary in relation to the purpose it was originally supplied
ii. When consent is withdrawn
iii. When an objection is received to processing and there is no overriding legitimate interest
iv. Personal Data information is unlawfully processed
v. Personal data must be erased to comply with a legal obligation RRP can refuse to process this request for the following reasons:
vi. To exercise the right to freedom of expression and information
vii. To comply with a legal obligation for the performance of public interest task or exercise of official authority
viii. Archiving purposes in the public interest, historical research or statistical purposes
ix. Exercise or defence of legal claims

13) Contact Details

If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact the DPC in the following ways:

a) Email – dylan@reesrichards.co.uk
b) Office Telephone – 01792 650705
c) Mobile 07815 737999.

14) Complaints

RRP will endeavour to process information lawfully, fairly and in a transparent manner which ensures appropriate security of personal data information. Should there be any concerns then please contact the firm’s ‘Data Protection Coordinator’ (as confirmed above).