click to enable zoom
Loading Maps
We didn't find any results
open map
View Roadmap Satellite Hybrid Terrain My Location Fullscreen Prev Next
Advanced Search

£ 0 to £ 2,500

More Search Options
We found 0 results. Do you want to load the results now ?
Advanced Search

£ 0 to £ 2,500

More Search Options
we found 0 results
Your search results

GDPR Statement

Information audit to map data flows.

Landlords Terms of Business

Type of information includes bank details, full names, addresses, and telephone numbers.

Information is logged onto Carl database and hard copy saved in hanging file and as a PDF on server computer.

The information is used to draft contracts, other correspondence and pay the clients.  Information is kept on file through the duration that the property is let and then 6 years after.

 

Tenants and Guarantor application forms

Type of information includes bank details, full names,  telephone numbers,  addresses, benefit entitlement, date of birth, National insurance number, reason for moving, Credit history, Employment status, Personal reference details, next of kin, employment details.

Some of that information is logged on to Carl database and a hard copy saved in the hanging file.

The information is used to draft contracts, ensure right to rent, suitability for tenure and day to day management during the life of a tenancy term.  Information is kept on file through the duration that the property is let and then six years after.

 

PDQ Reciepts

Card payment receipts are to be kept for a minimum duration of 13 months and then shredded.  This information is not and should not be shared

 

Who information is shared with

Information detailed on page 1 under the heading, ‘Landlords Terms of Business’, is not, and should not be shared and will be used for the sole purpose as detailed under said heading.

Information detailed on page 1 under the heading, ‘Tenants and Guarantor application forms’, is not and should not be shared other than those detailed on said form and agreed by the signing of such document.

Notwithstanding the above, information may be released to other third parties if legally required to do so.

 

Lawful bases for processing personal data

The business below identifies the lawful bases for processing information

Landlords Terms of Business –  

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

 

Tenants and Guarantor application forms

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.  Should a Tenant or Guarantor wish to act on their right to withdraw consent one of the below can be relied upon.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

 

PDQ Reciepts

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

 

Consent

Consent is requested on the Tenancy and Guarantor application forms and will be updated before 25th May 2018 to implement the following GDPR requirements:

* Keep your consent requests separate from other terms and conditions.

* Consent requires a positive opt-in. Use unticked opt-in boxes or similar active opt-in methods.

* Avoid making consent a precondition of service.

* Be specific and granular. Allow individuals to consent separately to different types of processing wherever appropriate.

* Name your business and any specific third party organisations who will rely on this consent.

* Keep records of what an individual has consented to, including what you told them, and when and how they consented.

* Tell individuals they can withdraw consent at any time and how to do this.

 

Registration

More (IW) Ltd is registered with the Information Commissioners Office

 

Right to be informed including privacy notices

Individuals need to know that their data is collected, why it is processed and who it is shared with.

You should publish this information in your privacy notice on your website and within any forms or letters you send to individuals.

The information must be:

* concise, transparent, intelligible and easily accessible;

* written in clear and plain language, particularly if addressed to a child; and

* free of charge.

The information you supply is determined by whether or not you obtained the personal data directly from the individual or from a third party

 

Right of access

The business has a process detailed below to recognise and respond to individuals requests to access their personal data

Confirmation should be provided that their data is being processed.

Access to their personal data and supplementary information should be granted.

The information should be given without charge and within one month.

 

Right to rectification and data quality

Individuals have the right to have personal data rectified if it is inaccurate or incomplete.

More -The Letting Centre will respond to a request without delay and at least within one month of receipt.

More- The Letting Centre regularly review the information stored to identify when changes need to be made and therefore preventing inaccurate records.

If any member of staff or management identifies any data accuracy issues, these must be communicate so lessons can be learned through ongoing awareness campaigns and internal training.

 

Right to erasure including retention and disposal

Individuals have the right to be forgotten and can request the erasure of personal data when:

* it is no longer necessary in relation to the purpose for which it was originally collected/processed;

* the individual withdraws consent;

* the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;

* it was unlawfully processed (ie otherwise in breach of the GDPR);

* it has to be erased in order to comply with a legal obligation; or

* it is processed in relation to the offer of information society services to a child.

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

* to exercise the right of freedom of expression and information;

* to comply with a legal obligation for the performance of a public interest task or exercise of official authority;

* for public health purposes in the public interest;

* archiving purposes in the public interest, scientific research historical research or statistical purposes; or

* the exercise or defence of legal claims.

It is More – The Letting Centre’s policy to dispose of personal data in a secure manor as already detailed in this document.

 

Right to restrict processing

Individuals have a right to block or restrict the processing of personal data.

When processing is restricted, you are permitted to store the personal data, but not further process it.

You can retain just enough information about the individual to ensure that the restriction is respected in the future.

If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.

You must inform individuals when you decide to lift a restriction on processing.

 

Right of data portability

Not applicable

 

Right to object

Procedures to handle an individual’s objection to the processing of their personal data.

Individuals have the right to object to:

* processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and

* processing for purposes of scientific/historical research and statistics.

Individuals must have an objection on “grounds relating to his or her particular situation”.

However for processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority or for purposes of scientific/historical research and statistics you must stop processing the personal data unless:

* you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or

* the processing is for the establishment, exercise or defence of legal claims.

Individuals also have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). You must stop processing for direct marketing as soon as you receive an objection. There are no exemptions or grounds to refuse.

You must inform individuals of their right to object “at the point of first communication” and clearly lay this out in your privacy notice.

 

Rights related to automated decision making including profiling

It has been established that none of the business data processing operations constitute automated decision making.

 

Accountability

This document forms the companies policy statement and has been approved by management read, understood and signed by all staff

More – The Letting Centre monitors its own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.  It is the responsibility of the manager to report any training needs to the Directors.

 

Data processor contracts in place

Barclays PDQ machine

Carl Communications

Rentguard

 

Information risks

Any information risk concerns should be reported to the manager who should carry out a (DPIA) Data protection risk assessment bringing any concerns to the Directors for appropriate staff training to be implemented.

 

Data protection by design

The business understands when you must conduct a DPIA (Data Protection Impact Assessment) and has processes in place to action this.

DPIAs help you to identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy.

An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur.

You must carry out a DPIA when:

* using new technologies; and

* when the processing is likely to result in a high risk to the rights and freedoms of individuals.

The DPIA should contain the following information:

* a description of the processing operations and the purposes including, where applicable, the legitimate interests pursued by your business;

* an assessment of the necessity and proportionality of the processing in relation to the purpose;

* an assessment of the risks to individuals; and

* controls that you put in place to address any risks you’ve identified (including security).

 

Management responsibility

The office manager

 

Security policy

You should process personal data in a manner that ensures appropriate security.  The below risk assessment details potential security risks and how to stop them occurring.

Breach notification

The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly and without undue delay.

In all cases you must maintain records of personal data breaches, whether or not they were notifiable to the ICO.

A notifiable breach has to be reported to the ICO within 72 hours of the business becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide additional information in phases. You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.