This policy sets out the obligations of Davies & Davies Estate Agents Ltd (D&D), a company registered in England, Company No. 09865269 whose registered office is at 85 Stroud Green Road, London N4 3EG, regarding data protection and the rights of individuals in respect of their personal data.
This policy aims to ensure compliance with Data Protection Principles of the Data Protection Act 1998 and the new General Data Protection Regulation (GDPR) which come into effect on 25 May 2018.
D&D is registered with the Information Commissioner as a data controller and will maintain its notification status with the Commissioner. The registration number is ZA175801.
The nominated Data Protection Officer (DPO) is Alina Kovaci.
D&D has specific legal obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the company, its employees, contractors, or other parties working on behalf of the company.
Throughout this policy the term “individuals” usually means customers but will also mean staff members (current and former employees), job applicants, contractors, suppliers, advisers and professional consultants and marketing contacts. For the purposes of this policy, the term is usually synonymous with the legal term “data subject”.
All Personal Data Collected, Processed And Held By D&D Must Be:
- processed lawfully, fairly and in a transparent manner without adversely affecting the rights of the data subjects;
- collected directly from data subjects for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
D&D collects personal data relating to the following services it provides:
- Residential sales
- Residential lettings
- Property management
Individuals Personal Data
D&D will collect the following categories of personal data:
- First Name, middle name and surname
- Previous name
- Date of birth
- Marital status
- Residential status
- NI Number
- Photographic ID document (passport, driving licence)
- Proof of address documents
- Current address
- Previous address
- Landlord/Landlord’s agent name, address, emails address, contact number
- Dependants and dependants name
- Dependants date of birth
- Next of kin
- Bank statement
- Credit card statement
- Savings account statement
- Employers name, address, email address and contact number
- Accountant details
- Self-assessment accounts
- Bank details
- Mortgage details
- Insurance details
- Web browser type and version
D&D will collect the relevant personal data required to conducting its business from:
- Data subjects
- Next of kin
- Spouse, partner or family member
- Business associates
- Government / Land Registry
- Solicitor firms
This information will typically be collected by completing our standard forms, via the internet – through our website or our dedicated property portals: Rightmove and Zoopla, via email, during a telephone conversation or at our office.
D&D will only collect, process and hold personal data for the following purposes:
- To verify your identity
- To register and assess applicants and to provide our services: selling a property, buying a property, letting a property, taking a tenancy of a property, purchase any of our services;
- To perform professional duties such as rent collection, landlord payments, deposit refunds, resolving maintenance issues, auditing, reconciliations, complaint enquiries
- To contact you with the information that you require
- To contact you by email, telephone or post using your stated preferred choice communication method in the first instance
- To comply with legal obligations such as to prevent and to protect against fraud and money laundering
- To comply with industry standards
- To send promotional communication about our services, special offers or other information which we think you may find interesting using the email address or telephone contact number which you have provided
- To carry out research for our D&D’s own purposes or where the research may involve the compilation of statistics, or the amalgamation of records into a form where no information about specific individuals are disclosed or can be inferred.
- To contact you for market research purposes about our services
- To subscribe to our e-newsletters and updates
- To report a problem with our website;
- To evaluate job applicants for the recruitment of new staff members
- To register for working or training with us
Use Of Property Information And Photographs
D&D will use information relating to customers’ property including photographs to market the customers’ property in accordance with instructions and may use the information at any time for general marketing purposes but will always take reasonable steps to ensure no personal information relating to the customer apart from that relating to the property is used.
We use the information about your visit to our website for the following purposes:
- to ensure that content of our website is presented in the most effective manner for you and for your computer or mobile device
- to administer the website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to identify and implement improvements in the operation of the website, the content included on the web site and the way in which content is presented;
- as part of our efforts to keep the web site safe and secure;
- to measure or understand the effectiveness and relevance of advertising on the site
There are CCTV cameras in areas where staff may meet customers, being the ground floor, first floor office and second floor office. The purpose of the CCTV, which is recorded, is for the security and safety of the staff and customers and for the security of the premises. CCTV and recordings may be used on occasion for staff training
Lawful Basis Of Processing
D&D processes your personal information under the following:
- Performance of a contract: where you enter into a contract with D&D and we need to process your information as part of this contract
- Legitimate interests: some information is processed by D&D as part of its legitimate interests which include: fraud, risk assessment, due diligence, network and information security, suppressions and managing opting out of communications, direct marketing, monitoring, updating customer details, lettings, sales and property management.
- Legal obligation: processing is necessary for compliance with a legal obligation to which the D&D is subject
- Consent: where we process information under consent we will seek you clear and unambiguous consent prior to processing your data
D&D will not disclose your personal data to any third parties except for the following:
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation
- when we are requested by HMRC for information in accordance with legislated authorities
- where we are required to do so by law or in connection with legal proceedings
- to comply with Anti-Money Laundering Regulations
- we may disclose personal information to our accountants: Melinek Fine LLP; and our legal advisers: Cubism Ltd
- To our landlord and vendor clients where you as an applicant tenant or buyer have expressed an interest
- Credit reference agencies: Paragon Scheme Management Services Ltd and Van Mildert Landlord and Tenant Protection Limited for the purpose of providing our letting service
- Government deposit schemes: TDS Custodial and The Dispute Service Ltd to comply with the industry standards and tenancy deposit regulation
- We may disclose personal information to our contractors and sub-contractors or associate firms when you have given consent to this or for the purpose of carrying out our obligations as part of a contract
- Heron Financial Ltd – financial services providers where you have consented for us to do so
- Lawrence Eden Associates Chartered Surveyors – where you have consented for us to do so
- Davies & Davies Chartered Surveyors – where you have consented for us to do so
Your Rights And Options
1. The right to be informed – This policy informs all individuals about the collection and use of their personal data.
2. The right of access – You may make a request at any time to obtain the personal data which D&D holds about you either by phone on 020 7272 0986-option 3, by email to firstname.lastname@example.org or by post to: The DPO, Davies & Davies Estate Agents, 85 Stroud green Road, Finsbury Park, London, N4 3EG. It is called Subject Access Request (SAR) and it can be made by filing in a Subject Access Request (SAR) form or by writing to us instead.
a) We will respond to any SARs within a month of receipt. However, this may be extended by up to two months if the SAR is complex and/or if numerous requests are made.
b) All SARs will be handled by the DPO
c) There is no fee for handling normal SAR requests. However, D&D reserves the right to charge a reasonable fee for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly if it repetitive.
d) Staff members who wish to make a SAR should use a Subject Access Request Form and send it to D&D’s Data Protection Officer (DPO)
3. The right to rectification – D&D will ensure that all personal data collected, processed and held by is kept accurate and up-to-date. Data subjects have the right to request rectification of personal data. The accuracy of data will be checked at the time it is collected and at regular intervals thereafter.
If you require any rectification of information, please contact us either by phone on 020 7272 0986-option 3 by email to email@example.com, or by post to: The DPO, Davies & Davies Estate Agents, 85 Stroud green Road, Finsbury Park, London, N4 3E
If any personal data is found to be inaccurate or out of date, all reasonable steps should be taken without delay to amend or erase the data, as appropriate.
D&D will rectify the personal data in question, and inform the you of that rectification, within one month of you informing us of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, we will inform you without delay.
In the event that any affected personal information has been disclosed to third parties, those parties will be informed of any rectification that must be made to that personal data
4. The right to erasure or “the right to be forgotten” – You have the right to request that the Company erases the personal data it holds about them in the following circumstances:
a. it is no longer necessary for D&D to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
b. you wish to withdraw your consent to D&D holding and processing your personal data;
c. if you object to D&D holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);
d. the personal data has been processed unlawfully;
e. the personal data needs to be erased in order for D&D to comply with a particular legal obligation
f. the personal data is being held and processed for the purpose of providing information society services to a child.
Unless we have reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and you will be informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject will be informed.
In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
If we have disclosed the personal data to others, we will contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, we will also inform the individuals about these recipients.
However, please note that the right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
Under GDPR there are two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
If you would like to request D&D to delete the personal data we hold about you, you can contact our DPO outlining what information you would like deleted, either by phone on 020 7272 0986-option 3, by email to firstname.lastname@example.org or by post to: The DPO, Davies & Davies Estate Agents, 85 Stroud green Road, Finsbury Park, London, N4 3E
5. The right to restrict processing – This is not an absolute right and only applies in certain circumstances.
You have the right to request you restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
- if an individual has challenged the accuracy of their data and asked for you to rectify it (Article 16), they also have a right to request you restrict processing while you consider their rectification request; or
- if an individual exercises their right to object under Article 21(1), they also have a right to request you restrict processing while you consider their objection request.
Therefore, as a matter of good practice we will automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question
You may request that D&D cease processing the personal data held about you. If you make such a request, we will retain only the amount of personal data concerning you (if any), that is necessary to ensure that the personal data in question is not processed further.
If you wish to make a request for restriction please contact us either by phone on 020 7272 0986-option 3, by email to email@example.com or by post to: The DPO, Davies & Davies Estate Agents, 85 Stroud green Road, Finsbury Park, London, N4 3E. We will act upon the request without undue delay and at the latest within one month of receipt.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so)
6. The right to data portability – only applies to the personal data you have provided to D&D where the processing is based on your consent or for the performance of a contract and when processing is carried out by automated means. Under the data protection regulation, you have the right to receive a copy of your personal data and to use it for other purposes (namely transmitting it to other data controllers).
Where technically feasible, if requested your personal data will be sent directly to the required data controller.
All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, we will inform you.
If you wish to make such a request you can contact us either by phone on 020 7272 0986-option 3, by email to firstname.lastname@example.org or by post to: The DPO, Davies & Davies Estate Agents, 85 Stroud green Road, Finsbury Park, London, N4 3E.
7. The right to object – You have the right to object to D&D processing your personal data based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.
If you would like to object to any processing of your personal data D&D you can contact us outlining what processing of information you would like to object to.
To update your preferences, ask us to remove your information from our mailing lists please contact our DPO Officer either by phone on 020 7272 0986-option 3, by email at email@example.com or by post: The DPO, Davies & Davies Estate Agents, 85 Stroud green Road, Finsbury Park, London, N4 3EG
Where you object to us processing your personal data based on our legitimate interests, we will cease the processing immediately, unless it can be demonstrated that our legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
Where you object to the D&D processing you personal data for direct marketing purposes, the Company shall cease such processing immediately
8. Rights in relation to automated decision making and profiling – Where personal data used in automated decision-making processes you have the right to challenge such decisions under the current regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision.
The right does not apply in the following circumstances: the decision is necessary for the entry into, or performance of, a contract between the data controller (D&D) and the data subject(you, the customer); the decision is authorised by Union or Member state law applicable to the controller; or the data subject has given their explicit consent.
When personal data is used for profiling purposes, the following shall apply:
- Clear information explaining the profiling shall be provided to data subjects, including the significance and likely consequences of the profiling
- Appropriate mathematical or statistical procedures shall be used
- Technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected.
- All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling
Opting out of processing – you can opt out of the collection of personal information by automated means e.g. when visiting our website by using the Cookie Consent tool displayed in the website (the browser you use may provide options on how to opt out of receiving certain types of cookies). Please note that without cookies you may not be able to use all of the website features and/or online services.
You can at any time tell us not to send you marketing communications by e-mail firstname.lastname@example.org. Unsubscribing via the “unsubscribe link” within the marketing e-mails you receive from us, or by writing to us: The DPO, Davies & Davies Estate Agents, 85 Stroud green Road, Finsbury Park, London, N4 3EG
- Withdrawal of consent – If we obtain your information by consent you have the right to withdraw any consent you previously provided to us.
- If we process your information under a legitimate interest you can object at any time to the processing of your personal information. D&D will apply your preferences going forward. But this will mean that you cannot take advantage of certain products, services and campaign promotions.
- The right to consent removal may be limited in some circumstances by local law requirements and you will be informed appropriately.
D&D will not keep personal data for longer than it is necessary for the purpose or purposes for which it was originally collected, processed and held and will take all reasonable steps to erase and dispose of that personal data without delay.
However, Clients details must be held by us for accounting, taxation and legal purposes for 10 years.
Where We Store And How We Protect Your Personal Data
All data collected will be kept securely on our computers and servers, with our secure cloud-based contact management software providers, property management software and paper files. D&D take all steps reasonably necessary to ensure that all data is treated securely and in accordance with the data protection principles and requirements of good practice. We maintain administrative, technical and physical safeguards designed to protect all personal data against any accidental, unlawful or unauthorised erasure, loss, modification, access, disclosure or use.
Disposal Of Data
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of or anonymised.
International Data Transfers
It may be sometimes necessary to transfer personal data overseas. When this is needed, information is only shared within the European economic area (EEA). Any transfers made will be in full compliance with all aspects of the data protection regulation.
Data Breach Notification
All personal data breaches must be reported immediately to the DPO
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the DPO must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the DPO must ensure that all affected data subjects are informed of the breach directly and without undue delay.
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
- All members of staff, contractors, or other parties working on behalf of D&D shall be made fully aware of both their individual responsibilities and the firm’s responsibilities under the GDPR and under this policy, and shall be provided with a copy of this policy
- Only members of staff, contractors, or other parties working on behalf of D&D that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company
- All members of staff, contractors, or other parties working on behalf of D&D handling personal data will be appropriately trained to do so
- All members of staff, contractors, or other parties working on behalf of D&D handling personal data will be appropriately supervised
- All members of staff, contractors, or other parties working on behalf of D&D handling personal data must exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise
- Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed.
- All personal data held by D&D shall be reviewed periodically
- The performance of those employees, contractors, or other parties working on behalf of the D&D handling personal data shall be regularly evaluated and reviewed;
- All employees, contractors, or other parties working on behalf of D&D handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;
- All contractors or other parties working on behalf of D&D handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of D&D arising out of this Policy and the GDPR, and
- Where any contractor or other party working on behalf of D&D handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless D&D against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.