Who we are
Our website address is: https://www.gallussaleslettings.com.
1. Introduction
2. Legislation
3. Data
4. Processing of personal data
5. Data sharing
6. Data storage and security
7. Breaches
8. Data protection officer
9. Data subject rights
10. Privacy impact assessments
11. Archiving, retention and destruction of data
1. Introduction
Gallus Lettings Ltd (“we” or “us”) is committed to ensuring the secure and safe management of data held by us in relation to customers, staff and other individuals. Our staff members have a responsibility to ensure compliance with the terms of this policy, and to manage individuals’ data in accordance with the procedures outlined in this policy and documentation referred to herein.
We need to gather and use certain information about individuals. These can include customers (tenants, landlord clients etc.), employees and other individuals that we have a contractual relationship with. We manage a significant amount of data, from a variety of sources. This data contains “personal data” and “sensitive personal data” (known as “special categories of personal data” under the GDPR).
This policy sets out our duties in processing that data, and the purpose of this policy is to set out the procedures for the management of such data.
2. Legislation
It is a legal requirement that we process data correctly; we must collect, handle and store personal information in accordance with the relevant legislation.
The relevant legislation in relation to the processing of data is:
- the General Data Protection Regulation (EU) 2016/679 (the GDPR);
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and
- any legislation that, in respect of the United Kingdom (UK), replaces, or enacts into UK domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the UK leaving the European Union.
3. Data
3.1 We hold a variety of data relating to individuals, including customers and employees (also referred to as “data subjects”) which is known as personal data. The personal data held and processed by us is detailed within the “fair processing notice” (FPN) at Appendix 2 hereto and the data protection addendum of the terms and conditions of employment which has been provided to all employees.
3.1.1 Personal data is that from which a living individual can be identified either by that data alone, or in conjunction with other data held by us.
3.1.2 We also hold personal data that is sensitive in nature (i.e. reveals a data subject’s racial or ethnic origin, religious beliefs, political opinions, or relates to health or sexual orientation). This is special category personal data or sensitive personal data.
4. Processing of personal data
4.1 We are permitted to process personal data on behalf of data subjects provided we are doing so on one of the following grounds:
- processing with the consent of the data subject (see clause 4.4 hereof);
- processing is necessary for the performance of a contract between us and the data subject or for entering into a contract with the data subject;
- processing is necessary for our compliance with a legal obligation;
- processing is necessary to protect the vital interests of the data subject or another person; or
- processing is necessary for the purposes of legitimate interests.
4.2 Fair processing notice
4.2.1 We have produced a fair processing notice (FPN) which we are required to provide to all customers whose personal data is held by us. That FPN must be provided to the customer from the outset of processing their personal data and they should be advised of the terms of the FPN when it is provided to them.
4.2.2 The FPN at Appendix 2 sets out the personal data processed by us and the basis for that processing. This document is provided to all our customers at the outset of processing their data.
4.3 Employees
4.3.1 Employee personal data and, where applicable, special category personal data or sensitive personal data, is held and processed by us. Details of the data held and processing of that data is contained within the employee FPN which is provided to employees at the same time as their contract of employment.
4.3.2 A copy of any employee’s personal data held by us is available upon written request by that employee from.
4.4 Consent
Consent as a ground of processing will require to be used from time to time by us when processing personal data. It should be used by us where no other alternative ground for processing is available. In the event that we require to obtain consent to process a data subject’s personal data, we shall obtain that consent in writing. The consent provided by the data subject must be freely given and the data subject will be required to sign a relevant consent form if willing to consent. Any consent to be obtained by us must be for a specific and defined purpose (i.e. general consent cannot be sought).
Where consent is obtained and relied upon, the individual providing that consent has the right to withdraw that consent at any time following it being provided.
4.5 Processing of special category personal data or sensitive personal data
In the event that we process special category personal data or sensitive personal data, we must do so in accordance with one of the following grounds of processing:
- the data subject has given explicit consent to the processing of this data for a specified purpose;
- processing is necessary for carrying out obligations or exercising rights related to employment or social security or social protection law;
- processing is necessary to protect the vital interest of the data subject or, if the data subject is incapable of giving consent, the vital interests of another person;
- processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
- processing relates to personal data manifestly made public by the individual;
- processing is necessary for the purposes of preventative or occupational medicine, for the assessment of working capacity of employees, medical diagnosis, the provision of health or social care or treatment;
- processing is necessary for public interest in the area of health;
- processing is necessary for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim and on the condition that it relates to members or former members who have regular contact with the entity; and
- processing is necessary for reasons of substantial public interest under law.
5. Data sharing
5.1 We share our data with various third parties for numerous reasons in order that day-to-day activities are carried out in accordance with our relevant policies and procedures. In order that we can monitor compliance by these third parties with data protection laws, we will require the third-party organisations to enter into an agreement with us to govern the processing of data, security measures to be implemented and responsibility for breaches.
5.2 Data sharing
5.2.1 Personal data is from time to time shared amongst us and third parties who require to process personal data that we process as well. Both we and the third party will be processing that data in our individual capacities as data controllers.
5.2.2 Where we share in the processing of personal data with a third-party organisation (e.g. for processing of the employees’ pension), we shall require the third-party organisation to enter into a data sharing agreement with us in accordance with the terms of the model data sharing agreement set out in Appendix 3 to this policy where the circumstances of the data sharing require such an agreement to be in place.
5.3 Data processors
A data processor is a third-party entity that processes personal data on our behalf and is frequently engaged if certain parts of our work are outsourced (e.g. payroll, maintenance and repair works).
- A data processor must comply with data protection laws. Our data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify us if a data breach is suffered.
- If a data processor wishes to sub-contract their processing, our prior written consent must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.
- Where we contract with a third party to process personal data held by us, we shall require the third party to enter into a data processing agreement with us in accordance with the terms of the model data processing agreement set out in Appendix 4 to this policy.
6. Data storage and security
All personal data held by us must be stored securely, whether electronically or in paper format.
6.1 Paper storage
If personal data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no personal data is left where unauthorised personnel can access it. When the personal data is no longer required it must be disposed of by the employee so as to ensure its destruction. If the personal data requires to be retained on a physical file then the employee should ensure that it is properly secured within the file (e.g. stapled, or the documents are put on a Treasury Tag within the file) which is then stored in accordance with our storage provisions.
6.2 Electronic storage
Personal data stored electronically must also be protected from unauthorised use and access. Personal data should be password protected when being sent internally or externally to our data processors or those with whom we have entered into a data sharing agreement. If personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used and the information on that media must be encrypted. Personal data should not be saved directly to mobile devices and should be stored on designated drives and servers.
7. Breaches
7.1 A data breach can occur at any point when handling personal data and we have reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach require to be reported externally in accordance with clause 7.3 hereof.
7.2 Internal reporting
We take the security of data very seriously and in the unlikely event of a breach will take the following steps:
- As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the data protection officer (DPO) must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s);
- we must seek to contain the breach by whatever means available;
- the DPO must consider whether the breach is one which requires to be reported to the Information Commissioner’s Office (ICO) and data subjects affected and do so in accordance with this clause 7;
- notify third parties in accordance with the terms of any applicable data sharing agreements.
7.3 Reporting to the ICO
The DPO is required to report any breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach to the ICO within 72 hours of the breach occurring. The DPO must also consider whether it is appropriate to notify those data subjects affected by the breach.
8. Data protection officer
8.1 A DPO is an individual who has an over-arching responsibility and oversight over compliance by us with data protection laws. We have elected to appoint a DPO whose details are noted on our website and contained within the FPN at Appendix 3 hereto.
8.2 The DPO will be responsible for:
8.2.1 monitoring our compliance with data protection laws and this policy;
8.2.2 co-operating with and serving as our contact for discussions with the ICO;
8.2.3 reporting breaches or suspected breaches to the ICO and data subjects in accordance with part 7 hereof.
9. Data subject rights
9.1 Certain rights are provided to data subjects under the GDPR. Data subjects are entitled to view the personal data held about them by us, whether in written or electronic form.
9.2 Data subjects have a variety of rights which include the right to request a restriction of processing their data, a right to be forgotten and a right to restrict or object to our processing of their data. These rights are notified to our customers in our FPN.
9.3 Subject access requests
Data subjects are permitted to view their data held by us upon making a request to do so (a subject access request). Upon receipt of a request by a data subject, we must respond to the subject access request within one month of the date of receipt of the request. We:
9.3.1 must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law;
9.3.2 where the personal data comprises data relating to other data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the subject access request; or
9.3.3 where we do not hold the personal data sought by the data subject, must confirm that we do not hold any personal data sought by the data subject as soon as practicably possible, and in any event, not later than one month from the date on which the request was made.
9.4 The right to be forgotten
9.4.1 A data subject can exercise their right to be forgotten by submitting a request in writing to us seeking that we erase the data subject’s personal data in its entirety.
9.4.2 Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with this clause and will respond in writing to the request.
9.5 The right to restrict or object to processing
9.5.1 A data subject may request that we restrict our processing of the data subject’s personal data, or object to the processing of that data. In the event that any direct marketing is undertaken from time to time by us, a data subject has an absolute right to object to processing of this nature by us, and if we receive a written request to cease processing for this purpose, then we must do so immediately.
9.5.2 Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.5 and will respond in writing to the request.
10. Privacy impact assessments
10.1 Privacy impact assessments (PIAs) are a means of assisting us in identifying and reducing the risks that our operations have on personal privacy of data subjects.
10.2 We shall:
- Carry out a PIA before undertaking a project or processing activity which poses a high risk to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing personal data.
- In carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that we will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.
10.3 We will require to consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced. The DPO will be responsible for such reporting, and where a high level of risk is identified by those carrying out the PIA they require to notify the DPO within five (5) working days.
11. Archiving, retention and destruction of data
We cannot store and retain personal data indefinitely. We must ensure that personal data is only retained for the period necessary. We shall ensure that all personal data is archived and destroyed timeously and at the point that we no longer need to retain that personal data in accordance with the periods specified within the table at Appendix 5 hereto.
What personal data we collect and why we collect it
Gallus Lettings understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits this website, https://www.gallussaleslettings.com (“Our Site”) and will only collect and use personal data in ways that are described here, and in a manner that is consistent with Our obligations and your rights under the law.
Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of Our Privacy Policy is deemed to occur upon your first use of Our Site. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.
Tenant application form: We require data to process an application for the purpose of assessing suitability for a tenancy. We only retain data for as long as necessary to conduct this task; we do so by way of consent.
Should you provide the contact details of a Guarantor, please seek permission and confirm that you have express permission from this person to do so. As part of your application we may contact the Guarantor to continue our application process; this is an essential function of the application.
Guarantor application form: We require data to process an application for the purpose of assessing suitability for supporting a tenancy in the role of guarantor. We only retain data for as long as necessary to conduct this task; we do so by way of consent.
You have the following rights under the GDPR, which this Policy and Our use of personal data have been designed to uphold:
- The right to be informed about Our collection and use of personal data
- The right of access to the personal data We hold about you
- The right to rectification if any personal data We hold about you is inaccurate or incomplete
- The right to be forgotten – i.e. the right to ask Us to delete any personal data We hold about you
- The right to restrict (i.e. prevent) the processing of your personal data
- The right to data portability (obtaining a copy of your personal data to re-use with another service or organisation)
- The right to object to Us using your personal data for particular purposes
- Rights with respect to automated decision making and profiling.
If you have any cause for complaint about Our use of your personal data, please contact Us using the details provided under section 16 and We will do Our best to solve the problem for you. If We are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.
For further information about your rights, please contact the Information Commissioner’s Office or your local Citizens Advice Bureau.
How Do We Use Your Data?
All personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with Our obligations and safeguard your rights under the GDPR at all times.
Our use of your personal data will always have a lawful basis, either because it is necessary for Our performance of a contract with you, because you have consented to Our use of your personal data (e.g. by subscribing to emails), or because it is in Our legitimate interests. Specifically, We may use your data for the following purposes:
- Providing and managing your Account
- Providing and managing your access to Our Site
- Personalising and tailoring your experience on Our Site
- Supplying Our products and/or services to you (please note that We require your personal data in order to enter into a contract with you)
- Personalising and tailoring Our products and/or services for you
- Replying to emails from you
- Supplying you with emails that you have opted into (you may unsubscribe or opt out at any time by clicking on the unsubscribe link at the base of emails or by emailing us directly requesting your email address to be removed from our mailing list)
- Market research
- Analysing your use of Our Site and gathering feedback to enable Us to continually improve Our Site and your user experience
With your permission and/or where permitted by law, We may also use your data for marketing purposes which may include contacting you by email, telephone, text message or post with information, news and offers on Our products and/or services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that We fully protect your rights and comply with Our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Do We Share Your Data?
In certain circumstances, We may be legally required to share certain data held by Us, which may include your personal data, for example, where We are involved in legal proceedings, where We are complying with legal obligations, a court order, or a governmental authority.
We may sometimes contract with third parties to supply products and services to you on Our behalf. These may include payment processing, delivery of goods, search engine facilities, advertising, and marketing. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, We will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, Our obligations, and the obligations of the third party under the law.
We may compile statistics about the use of Our Site including data on traffic, usage patterns, user numbers, sales, and other information. All such data will be anonymised and will not include any personally identifying data, or any anonymised data that can be combined with other data and used to identify you.
We may sometimes use third party data processors that are located outside of the UK or European Economic Area (“the EEA”) (The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein). Where We transfer any personal data outside the EEA, We will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under the GDPR.
There are several types of Cookies, some of which may be used by and on Our Site:
Strictly Necessary Cookies
These cookies are essential for the running of a website and its features. They allow proper website functionality and access to services such as your account, secure shopping and posting comments on a blog. Without them, a website cannot perform properly.
Performance Cookies
These cookies collect information about how visitors use a website. For example, which pages are visited most often, how people navigate around the site and if there are any error messages that appear. They don’t collect any information that identifies a user, only anonymised, aggregated information that is used to improve the way the website works and the customer journey.
Functionality Cookies
These cookies allow a website to remember your preferences and choices you make, such as your preferred language, region and username. They gather information on things you customise and select and retain it for your next visit. They are not essential but enhance the user experience of a site.
Third Party Cookies
Some website pages may use third party services or software, such as maps, online videos or social networking features. Many of these services may set cookies in your browser. This website has no control over third party cookies but visitors can opt out of these cookies via their browser.
Flash cookies
Flash cookies are commonly used in website advertisements, video clips and animation. They enable a website to recognise the user’s browser when it returns and store information such as when a video stopped playing. They also provide functions such as remembering your settings and preferences.
Advertising Cookies
These cookies are used by advertisers to deliver adverts that are more relevant to you and your interests. They keep track of which ads a person has viewed, control how many times they are exposed to the same advert and track the effectiveness of marketing campaigns. This information can then be used in remarketing, by customising adverts the user sees on other websites.
Web Beacons
Web beacons are bits of data that count the number of users who access a website or webpage. They allow an organisation to see if a cookie has been activated, if a user has clicked through to links to adverts contained in emails. This is used to identify which emails are of most interest to a customer and to track the success of advertisements.
Enabling/Disabling Cookies
In addition to the controls that We provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third party Cookies. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.
You can choose to delete Cookies on your computer or device at any time, however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, login and personalisation settings.
It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Storing your data
We do not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Some or all of your data may be stored outside of the UK or European Economic Area (“the EEA”) (The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein). You are deemed to accept and agree to this by using Our Site and submitting information to Us. If We do store data outside the EEA, We will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under the GDPR.