Contents

 

  1. Introduction
  2. Legislation
  3. Data
  4. Processing of personal data
  5. Data sharing
  6. Data storage and security
  7. Breaches
  8. Data protection coordinator
  9. Data subject rights
  10. Privacy impact assessments
  11. Archiving, retention and destruction of data
  12. Web usage

 

  1. Introduction

Mavor&Company is committed to ensuring the secure and safe management of data held by us in relation to customers, staff and other individuals. Our staff members have a responsibility to ensure compliance with the terms of this policy and to manage individuals’ data in accordance with the procedures outlined in this policy and documentation referred to herein.

We need to gather and use certain information about individuals.  These can include customers (tenants, landlord clients etc.), employees and other individuals that we have a contractual relationship with.  We manage a significant amount of data, from a variety of sources.  This data contains “personal data” and “sensitive personal data” (known as “special categories of personal data” under the GDPR).

This policy sets out our duties in processing that data, and the purpose of this policy is to set out the procedures for the management of such data.

 

  2. Legislation

It is a legal requirement that we process data correctly; we must collect, handle and store personal information in accordance with the relevant legislation. 

The relevant legislation in relation to the processing of data is: 

  • the General Data Protection Regulation (EU) 2016/679 (the GDPR);
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and
  • any legislation that, in respect of the United Kingdom (UK), replaces, or enacts into UK domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the UK leaving the European Union.

 

  3. Data

3.1        We hold a variety of data relating to individuals, including clients, landlords, tenants and employees (also referred to as “data subjects”) which is known as personal data.  The personal data held and processed by us is detailed within the various “fair processing notices” (FPN) at Appendix 1, 2 and 3 hereto and the “employees data protection clause” of the terms and conditions of employment which has been provided to all employees and is detailed in Appendix 1.

3.1.1     Personal data is that from which a living individual can be identified either by that data alone or in conjunction with other data held by us.

3.1.2     We also hold personal data that is sensitive in nature (i.e. reveals a data subject’s racial or ethnic origin, religious beliefs, political opinions, or relates to health or sexual orientation).  This is a special category of personal data, or sensitive personal data.

 

  4. Processing of personal data

We are permitted to process personal data on behalf of data subjects provided we are doing so on one of the following grounds:

  • processing with the consent of the data subject (see clause 4.4 hereof);
  • processing is necessary for the performance of a contract between us and the data subject or for entering into a contract with the data subject;
  • processing is necessary for our compliance with a legal obligation;
  • processing is necessary to protect the vital interests of the data subject or another person; or
  • processing is necessary for the purposes of legitimate interests.

 

4.2        Fair processing notice
4.2.1     We have produced fair processing notices (FPN) which we are required to provide to all customers whose personal data is held by us.  That FPN must be provided to the customer from the outset of processing their personal data and they should be advised of the terms of the FPN when it is provided to them.

4.2.2     The FPN at Appendix 1, 2 and 3 sets out the personal data processed by us and the basis for that processing.  This document is provided to all our customers at the outset of processing their data.

 

4.3        Employees

4.3.1     Employee personal data and, where applicable, special category personal data or sensitive personal data, is held and processed by us. Details of the data held and the processing of that data are contained within the employee Fair Processing Notice, which is provided to all employees at the same time as their contract of employment, as well as the Addition to Employment Clause in Appendix 4. New employees from May 2018 will have this clause included within their contract.

4.3.2     A copy of any employee’s personal data held by us is available upon written request by that employee from Data Protection Coordinator Patricia Mavor.

 

4.4        Consent

Consent as a ground of processing will require to be used from time to time by us when processing personal data.  It should be used by us where no other alternative ground for processing is available.  In the event that we require to obtain consent to process a data subject’s personal data, we shall obtain that consent in writing.  The consent provided by the data subject must be freely given and the data subject will be required to sign a relevant consent form if willing to consent.  Any consent to be obtained by us must be for a specific and defined purpose (i.e. general consent cannot be sought).

 

4.5        Processing of special category personal data or sensitive personal data

In the event that we process special category personal data or sensitive personal data, we must do so in accordance with one of the following grounds of processing:

  • the data subject has given explicit consent to the processing of this data for a specified purpose;
  • processing is necessary for carrying out obligations or exercising rights related to employment or social security;
  • processing is necessary to protect the vital interest of the data subject or, if the data subject is incapable of giving consent, the vital interests of another person;
  • processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity; and
  • processing is necessary for reasons of substantial public interest.

 

  5. Data sharing

  • We share our data with various third parties for numerous reasons in order that day-to-day activities are carried out in accordance with our relevant policies and procedures. In order that we can monitor compliance by these third parties with data protection laws, we will require the third-party organisations to enter into an agreement with us to govern the processing of data, security measures to be implemented and responsibility for breaches.

 

  • Data sharing

5.2.1       Personal data is from time to time shared amongst us and third parties who require to process personal data that we process as well.  Both we and the third party will be processing that data in our individual capacities as data controllers.

5.2.2       Where we share in the processing of personal data with a third-party organisation and that data is not used for the normal business purposes of Mavor&Company as the data controller, we shall require the third-party organisation to enter into a data sharing agreement (DSA) with us.

 

  • Data processors

A data processor is a third-party entity that processes personal data on our behalf and is frequently engaged if certain parts of our work are outsourced (e.g. payroll, maintenance and repair works).

  • A data processor must comply with data protection laws. Our data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify us if a data breach is suffered.
  • If a data processor wishes to sub-contract their processing, our prior written consent must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.
  • Where we contract with a third party to process personal data held by us, we shall require the third party to enter into a data protection agreement (DPA) with us as set out in Appendix 5.

 

  6. Data storage and security

All personal data held by us must be stored securely, whether electronically or in paper format.

 

6.1        Paper storage

If personal data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it.  Employees should make sure that no personal data is left where unauthorised personnel can access it.  When the personal data is no longer required it must be disposed of by the employee so as to ensure its destruction.  If the personal data requires to be retained on a physical file then the employee should ensure that it is properly secured within the file (e.g. stapled) which is then stored in accordance with our storage provisions.

 

6.2        Electronic storage

Personal data stored electronically must also be protected from unauthorised use and access. Personal data should be password protected when being sent internally or externally to our data processors or those with whom we have entered into a data sharing agreement.  If personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used.  Personal data should not be saved directly to mobile devices and should be stored on designated drives and servers.

 

  7. Breaches

7.1        A data breach can occur at any point when handling personal data and we have reporting duties in the event of a data breach or potential breach occurring.  Breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach require to be reported externally in accordance with clause 7.3 hereof.

 

7.2        Internal reporting

We take the security of data very seriously and in the unlikely event of a breach will take the following steps:

  • As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the data protection coordinator (DPC) must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s);
  • we must seek to contain the breach by whatever means available;
  • the DPC must consider whether the breach is one which requires to be reported to the Information Commissioner’s Office (ICO) and data subjects affected and do so in accordance with this clause 7; and
  • we must notify third parties in accordance with the terms of any applicable data sharing agreements.

 

7.3        Reporting to the ICO

The DPC is required to report any breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach to the ICO within 72 hours of the breach occurring.  The DPC must also consider whether it is appropriate to notify those data subjects affected by the breach.

 

  8. Data protection coordinator

8.1        The data protection coordinator (DPC) is an individual who has over-arching responsibility for, and oversight of, our compliance with data protection laws.  The DPC’s details are contained within the FPN.

 

8.2        The DPC will be responsible for:

8.2.1     Monitoring our compliance with data protection laws and this policy;

8.2.2     co-operating with and serving as our contact for discussions with the ICO;

8.2.3     reporting breaches or suspected breaches to the ICO and data subjects in accordance with part 7 hereof.

 

  9. Data subject rights

9.1        Certain rights are provided to data subjects under the GDPR.  Data subjects are entitled to view the personal data held about them by us, whether in written or electronic form.

9.2        Data subjects have a right to request a restriction of processing their data, a right to be forgotten and a right to object to our processing of their data.  These rights are notified to our customers in our FPN.

 

9.3        Subject access requests

Data subjects are permitted to view their data held by us upon making a request to do so (a subject access request).  Upon receipt of a request by a data subject, we must respond to the subject access request within one month of the date of receipt of the request. We:

 

9.3.1     must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law;

9.3.2     where the personal data comprises data relating to other data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the subject access request; or

9.3.3     where we do not hold the personal data sought by the data subject, must confirm that we do not hold any personal data sought by the data subject as soon as practicably possible, and in any event, not later than one month from the date on which the request was made.

 

9.4        The right to be forgotten

9.4.1     A data subject can exercise their right to be forgotten by submitting a request in writing to us seeking that we erase the data subject’s personal data in its entirety.

9.4.2     Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time.  The DPC will have responsibility for accepting or refusing the data subject’s request in accordance with this clause and will respond in writing to the request.

 

9.5        The right to restrict or object to the processing

9.5.1     A data subject may request that we restrict our processing of the data subject’s personal data, or object to the processing of that data.

9.5.1.1 In the event that any direct marketing is undertaken from time to time by us, a data subject has an absolute right to object to processing of this nature by us, and if we receive a written request to cease processing for this purpose, then we must do so immediately.

9.5.2     Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time.  The DPC will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.5 and will respond in writing to the request.

 

  10. Privacy impact assessments
  • Privacy impact assessments (PIAs) are a means of assisting us in identifying and reducing the risks that our operations have on personal privacy of data subjects.

 

We shall:

  • Carry out a PIA before undertaking a project or processing activity which poses a high risk to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing personal data.
  • In carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that we will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.

 

10.3      We will require to consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced.  The DPC will be responsible for such reporting, and where a high level of risk is identified by those carrying out the PIA they require to notify the DPC within five (5) working days.

 

  11. Archiving, retention and destruction of data

We cannot store and retain personal data indefinitely.  We must ensure that personal data is only retained for the period necessary. We shall ensure that all personal data is archived and destroyed timeously and at the point that we no longer need to retain that personal data in accordance with the periods specified within the Appendix 6 Mavor & Company Retention Schedule.

 

  12. Web usage

How do we use your information?
We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features, to personalise your experience and to allow us to deliver the type of content and product offerings in which you are most interested.

The information that we collect and store relating to you is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purposes:

To provide you with information requested from us relating to our products or services and to provide information on other products which we feel may be of interest to you if you have consented to receive such information.

 

To meet our contractual commitments to you.

To notify you about any changes to our Website, such as improvements or service/product changes, that may affect our service.

If you are an existing customer, we may contact you with information about goods and services similar to those which were the subject of a previous sale to you.

If you are a new customer, we will contact you or allow third parties to contact you only when you have provided consent and only by those means you provided consent for.
If you do not want us to use your data for ourselves or third parties you will have the opportunity to withhold your consent to this when you provide your details to us on the form on which we collect your data.

Please be advised that we do not reveal information about identifiable individuals to our advertisers but we may, on occasion, provide them with aggregate statistical information about our visitors such as your area of residence or age group.
Information that is collected is securely stored in compliance with the General Data Protection Regulation (GDPR) and is never shared with third parties.  Your information will only be stored for as long as it is necessary to provide you with the service which you require from us. Information will only be disclosed if we are legally obliged to do so in accordance with the law.

Do we use ‘cookies’?
Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enables the site’s or service provider’s systems to recognise your browser and capture and remember certain information. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

We use cookies to:
Compile aggregate data about site traffic and site interactions to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser’s Help Menu to learn the correct way to modify your cookies.  If you turn cookies off, some of the features that make your site visit more efficient will be disabled. It won’t affect your overall experience, although some functions may not work properly.

Third-party disclosure
We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information unless we provide users with advance notice. This does not include website hosting partners and other parties who assist us in operating our website, conducting our business, or serving our users, so long as those parties agree to keep this information confidential. We may also release information when its release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property or safety.

However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Third-party links
Occasionally, at our discretion, we may include or offer third-party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

E-Newsletters:
We sometimes operate a newsletter program to which you can subscribe on our website.  You can unsubscribe at any time by following the ‘unsubscribe’ link at the bottom of the newsletter, after which your details will be removed from our newsletter database.

Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the General Data Protection Regulation (GDPR). No personal details are passed on to third parties nor shared with companies / people outside of the company that operates this website.

We have implemented the following:
We, along with third-party vendors such as Google, use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to compile data regarding user interactions with ad impressions and other ad service functions as they relate to our website.
 

Social Media:
Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are subject to the terms and conditions as well as the privacy policies held with each social media platform respectively.

Users are advised to use social media platforms wisely and communicate/engage upon them with due care and caution in regard to their own privacy and personal details. Neither this website nor its owners will ever ask for personal or sensitive information through social media platforms, and they encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.

This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page through your social media platform account.

Contacting Us:
We welcome any queries, comments or requests that you may have regarding our service or this policy. Please do not hesitate to contact us.

 

Appendix 1 – Fair Processing Notice – Employees 

This notice explains what information we collect, when we collect it and how we use this. During the course of our activities, we will process personal data (which may be held on paper, electronically, or otherwise) about you and we recognise the need to treat it in an appropriate and lawful manner. The purpose of this notice is to make you aware of how we will handle your information. 

  1. Mavor & Company is committed to a policy of protecting the rights of individuals with respect to the processing of their personal data and adheres to guidelines published in the Data Protection Act of 1998 and the General Data Protection Regulation (EU) 2016/679 which is applicable from the 25 May 2018, together with any domestic laws subsequently enacted. We collect and use personal data for a variety of reasons.

We are notified as a data controller with the Information Commissioner’s Office under registration number ZA289085 and we are the data controller of any personal data that you provide to us.

  2. We collect the following information from you through a variety of resources: (i) directly from you; or (ii) from third parties (including employment agencies etc.):
  • Name
  • Date of birth
  • Address
  • Telephone numbers
  • Email address
  • NI number
  • Personal characteristics such as gender and ethnic group
  • Qualifications
  • Absence information
  • Bank details
  • Next of kin

We collect and use the above information and personal data for:

  • Administration of contracts of employment
  • Payment of salaries
  • Recruitment and selection
  • Pensions and associated benefits, appraisal, training and development
  • Membership of professional bodies
  3. We may disclose to and share information about you with third parties for the purposes set out in this notice, or for purposes approved by you, including the following:
  • to process your 4 weekly salary payments;
  • to allow your pension provider to process pensions information and handle your pension;
  • to allow your electronic payslips to be produced and issued to you;
  • if we enter into a joint venture with or are sold to or merge with another business entity, your information may be disclosed to our new business partners or owners.
  4. Your information will only be stored within the UK and European Economic Area (EEA).
  5. When you give us information we take steps to make sure that your personal information is kept secure and safe. For further information please refer to our Privacy Policy, a copy of which is available on request.
  6. We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information), or as set out in any relevant contract we have with you. For further information please refer to our Retention Schedule, a copy of which is available on request.
  7. You have the right at any time to:
  • ask for a copy of the information about you held by us in our records;
  • require us to correct any inaccuracies in your information;
  • make a request to us to delete what personal data of yours we hold about you; and
  • object to receiving any marketing communications from us.

If you would like to exercise any of your rights or should you wish to complain about the use of your information, please contact our data protection coordinator Patricia Mavor (email: pat@mavorproperty.co.uk) in the first instance.

 

You also have the right to complain to the ICO in relation to our use of your information.  The ICO’s contact details are noted below:

 

The Information Commissioner’s Office – Scotland
45 Melville Street, Edinburgh, EH3 7HL
Telephone: 0131 244 9001
Email: Scotland@ico.org.uk

 

The accuracy of your information is important to us – please help us keep our records updated by informing us of any changes to your details.

Any questions relating to this notice and our privacy practices should be sent to our data protection coordinator Patricia Mavor email: pat@mavorproperty.co.uk.

 

Appendix 2 – Fair Processing Notice – Landlords 

This notice explains what information we collect, when we collect it and how we use this. During the course of our activities we will process personal data (which may be held on paper, electronically, or otherwise) about you and we recognise the need to treat it in an appropriate and lawful manner. The purpose of this notice is to make you aware of how we will handle your information.

 

Who are we?
Mavor&Company take the issue of security and data protection very seriously and strictly adhere to guidelines published in the Data Protection Act of 1998 and the General Data Protection Regulation (EU) 2016/679 which is applicable from the 25 May 2018, together with any domestic laws subsequently enacted.

We are notified as a data controller with the Information Commissioner’s Office (ICO) under registration number ZA289085 and we are the data controller of any personal data that you provide to us.

How we collect information from you and what information we collect
We collect information about you:

  • when you ask for a viewing, apply for a property, become a tenant, request services/repairs, enter into a tenancy agreement or otherwise provide us with your personal details
  • from your use of our online, email or telephone services, whether to report any tenancy related issues, ask a question, make a complaint or otherwise provide us with your personal details
  • from your arrangements to make payment to us (such as bank details, payment card numbers, employment details, benefit entitlement and any other income and expenditure related information) or otherwise provide us with your personal details

We collect the following information about you:

  • Name
  • Address
  • Telephone numbers
  • Email addresses
  • Date of birth
  • Bank details
  • Specific financial details as required for compliance, e.g. mortgage and insurance information
  • Identification information for complying with anti-money laundering regulations, e.g. passport and utility bills
  • Landlord registration number

We receive the following information from third parties:

  • Landlord registration details
  • Non-resident landlord details for tax purposes
  • Insurance companies

 

Why we need this information about you and how it will be used
We need your information and will use your information:

  • to undertake and perform our obligations and duties to you in accordance with the terms of our contract with you
  • to enable us to supply you with the services and information which you have requested
  • to enable us to respond to your requests in accordance with the terms of our contract with you
  • to analyse the information we collect so that we can administer, support and improve and develop our business and the services we offer
  • to contact you in order to send you details of any changes to our services or supplies which may affect you
  • for all other purposes consistent with the proper performance of our operations and business including our contract with you

 

Sharing of your information
The information you provide to us will be treated by us as confidential and will be processed only by our employees within the UK/European Economic Area (EEA). We may disclose your information to other third parties who act for us for the purposes set out in this notice or for purposes approved by you, including the following:

  • if we enter into a joint venture with or merge with another business entity, your information may be disclosed to our new business partners or owners
  • if we instruct repair or maintenance works, your information may be disclosed to any contractor if required, for example British Gas Home Care
  • if we are providing details to a deposit protection scheme, e.g. Safe Deposits Scotland
  • if we are investigating a complaint, information may be disclosed to Police Scotland, local authorities and any others, whether investigating the complaint or otherwise
  • if we are updating property and tenancy details, your information may be disclosed to third parties for example utility companies and local authorities
  • if we are investigating payments made or otherwise, your information may be disclosed to payment processors, local authorities and the Department for Work & Pensions
  • if we are asked by HMRC in regard to taxation, your information may be disclosed
  • if we are approached by a tenant of your property for your details we have a legal requirement to provide your details under the Housing (Scotland) Act 1987
  • if we are dealing with an application to the First Tier Housing Tribunal for Scotland we have a legal requirement to provide your information
  • if we are conducting a survey of our products and/or service, your information may be disclosed to third parties assisting in the compilation and analysis of the survey results 

Unless required to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your consent.

 

Security
When you give us information we take steps to make sure that your personal information is kept secure and safe. For further information please refer to our Privacy Policy, a copy of which is available on request.

Our Privacy Policy is also available at www.mavorproperty.co.uk

 

How long we will keep your information
We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information), or as set out in any relevant contract we have with you. For further information please refer to our Retention Schedule, a copy of which is available on request.

Your rights
You have the right at any time to:

  • ask for a copy of the information about you held by us in our records
  • require us to correct any inaccuracies in your information
  • make a request to us to delete what personal data we hold about you
  • object to receiving any marketing communications from us

If you would like to exercise any of your rights above, or should you wish to complain about the use of your information, please contact our data protection coordinator, Patricia Mavor (email: pat@mavorproperty.co.uk), in the first instance.

You also have the right to complain to the Information Commissioner’s Office (ICO) in relation to our use of your information.  The ICO’s contact details are noted below:

 

The Information Commissioner’s Office – Scotland
45 Melville Street, Edinburgh, EH3 7HL
Telephone: 0131 244 9001
Email: scotland@ico.org.uk

 

The accuracy of your information is important to us – please help us keep our records updated by informing us of any changes to your email address and other contact details.

Any questions relating to this fair processing notice and our privacy practices should be sent to our data protection coordinator, Patricia Mavor (email: pat@mavorproperty.co.uk).

 

Appendix 3 – Fair Processing Notice – Tenants
This notice explains what information we collect, when we collect it and how we use this. During the course of our activities we will process personal data (which may be held on paper, electronically, or otherwise) about you and we recognise the need to treat it in an appropriate and lawful manner. The purpose of this notice is to make you aware of how we will handle your information.

Who are we? 

Mavor&Company take the issue of security and data protection very seriously and strictly adhere to guidelines published in the Data Protection Act of 1998 and the General Data Protection Regulation (EU) 2016/679 which is applicable from the 25 May 2018, together with any domestic laws subsequently enacted.

We are notified as a data controller with the Information Commissioner’s Office (ICO) under registration number ZA289085 and we are the data controller of any personal data that you provide to us.

How we collect information from you and what information we collect
We collect information about you:

  • when you ask for a viewing, apply for a property, become a tenant, request services/repairs, enter into a tenancy agreement or otherwise provide us with your personal details
  • from your use of our online, email or telephone services, whether to report any tenancy related issues, ask a question, make a complaint or otherwise provide us with your personal details
  • from your arrangements to make payment to us (such as bank details, payment card numbers, employment details, benefit entitlement and any other income and expenditure related information) or otherwise provide us with your personal details

We collect the following information about you:

  • Name
  • Address
  • Telephone numbers
  • Email address
  • National insurance number
  • Date of birth
  • Bank details and any other financial information
  • Employment information
  • Next of kin
  • Identification information for complying with anti-money laundering regulations eg passport and utility bills

We receive the following information from third parties:

  • Benefits information
  • Employers information
  • Credit check information
  • Information regarding the conduct or condition of previous or existing tenancies

 

Why we need this information about you and how it will be used
We need your information and will use your information:

  • to undertake and perform our obligations and duties to you in accordance with the terms of our contract with you
  • to enable us to supply you with the services and information which you have requested
  • to enable us to respond to your repair request, housing application and complaints made
  • to analyse the information we collect so that we can administer, support and improve and develop our business and the services we offer
  • to contact you in order to send you details of any changes to our services or supplies which may affect you
  • for all other purposes consistent with the proper performance of our operations and business

 

Sharing of your information
The information you provide to us will be treated by us as confidential and will be processed only by our employees within the UK/European Economic Area (EEA). We may disclose your information to other third parties who act for us for the purposes set out in this notice or for purposes approved by you, including the following:

  • if we enter into a joint venture with or merge with another business entity, your information may be disclosed to our new business partners or owners
  • if we instruct repair or maintenance works, your information may be disclosed to any contractor
  • if we are investigating a complaint, information may be disclosed to Police Scotland, local authorities and any others, whether investigating the complaint or otherwise
  • if we are updating tenancy details, your information may be disclosed to third parties for example utility companies and local authorities
  • if we are investigating payments made or otherwise, your information may be disclosed to payment processors, local authorities and the Department for Work & Pensions
  • if we are asked by HMRC in regard to taxation, your information may be disclosed
  • if we are conducting a survey of our products and/or service, your information may be disclosed to third parties assisting in the compilation and analysis of the survey results

 

Unless required to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your consent.

 

Security
When you give us information we take steps to make sure that your personal information is kept secure and safe. For further information please refer to our Privacy Policy, a copy of which is available on request.

Our Privacy Policy is also available at www.mavorproperty.co.uk

 

How long we will keep your information
We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information), or as set out in any relevant contract we have with you. For further information please refer to our Retention Schedule, a copy of which is available on request.

 

Your rights
You have the right at any time to:

  • ask for a copy of the information about you held by us in our records
  • require us to correct any inaccuracies in your information
  • make a request to us to delete what personal data we hold about you
  • object to receiving any marketing communications from us

 

If you would like to exercise any of your rights above, or should you wish to complain about the use of your information, please contact our data protection coordinator, Patricia Mavor (email: pat@mavorproperty.co.uk), in the first instance.

You also have the right to complain to the Information Commissioner’s Office (ICO) in relation to our use of your information.  The ICO’s contact details are noted below:

The Information Commissioner’s Office – Scotland
45 Melville Street, Edinburgh, EH3 7HL
Telephone: 0131 244 9001
Email: scotland@ico.org.uk

 

The accuracy of your information is important to us – please help us keep our records updated by informing us of any changes to your email address and other contact details.

Any questions relating to this fair processing notice and our privacy practices should be sent to our data protection coordinator, Patricia Mavor (email: pat@mavorproperty.co.uk).

 

Appendix 4 – Addition to Employment Clause
We hold information about you on your personnel file. You are entitled to access this file and other information that we hold about you, subject to certain restrictions imposed by law. The Fair Processing Notice for Employees which has been provided to you confirms what personal information we hold which we have obtained from you or from third parties.

Our Privacy Policy contains further details regarding data protection matters, and the handling of personal data. By signing this Addition to Employment Contract you confirm that you have read and understood our Privacy Policy and will comply with the terms of that Policy.  A copy of our Privacy Policy is available on request.

We may also require to process sensitive personal data of yours.  Any sensitive personal data we process to comply with our obligations as your employers and/or your vital interests is outlined within the Fair Processing Notice for Employees. We will seek to obtain your consent to process any additional sensitive personal data of yours that we wish to process.

 

 

Appendix 5 – Data Processing Agreement
Mavor & Company, the Data Controller, requires, pursuant to or in connection with the Principal Agreement/Contract (whether written, specific or implied) that we have with you as the Data Processor detailed below:

[insert organisation name, address and company registration number (if applicable)] 

that you are compliant with the General Data Protection Regulation 2016/679, and any subsequently enacted legislation in furtherance of Data Protection.

Within this document, we state what we require of you as the Data Processor in order to be compliant. Should you have any questions regarding the contents of this document, you should contact the person in your organisation that has overall responsibility for data protection.

  1. Definitions
    • Applicable Laws shall mean (a) European Union or member state laws with respect to any Company Personal Data in respect of which any Company Group Member is subject to EU Data Protection laws; and (b) any other applicable law with respect to any Controller Personal Data in respect
    • Controller Personal Data shall mean any personal data processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Principal Agreement or Contract;
    • Principal Agreement/ Contract shall mean the main contract or agreement of services or other activities existing between the Data Controller and Data Processor;
    • Subprocessor shall mean any person (including any third party, but excluding an employee of the Processor or any of its sub-contractors) appointed by or on behalf of Processor which is engaged in the processing of personal data on behalf of the Controller in connection with the Principal Agreement/Contract;
  2. Processor and Personnel
    • The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Controller Personal Data; and
    • The Processor must ensure that access to the Controller Personal Data is strictly limited to those individuals who need to know or need to access this data.
  3. Security
    • The Processor must, when processing Controller Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk; and
    • In assessing the appropriate level of security, the Processor shall take into account in particular the risks that are presented by processing, in particular a Personal Data Breach.
  4. Subprocessing
    • The Controller authorises the Processor to appoint (and permit each Subprocessor appointed to appoint) Subprocessors;
      • This is only insofar as prior written notice is given of its intention to appoint a Subprocessor, including within this, the scope of processing that shall be undertaken by the Subprocessor, and that the Controller thereafter provides prior written consent of such appointment;
    • The Processor may continue to use those Subprocessors already engaged by the Processor as at 25 May 2018, so long as such Subprocessors are able to meet the obligations under section 4.5; and
    • The Processor must ensure that it undertakes adequate due diligence of the Subprocessor, and their systems, prior to their processing of Controller Personal Data to warrant that there is a level of protection as mandated in the Principal Agreement.
  5. Data Subject Rights
    • The Processor must ensure that they have appropriate technical and organisational measures so as to assist in the fulfilment of the Controller’s obligations to respond to requests by any Data Subject under any Applicable Law;
    • The Processor must notify the Controller on receipt by them, or any Subprocessor, of a request from a Data Subject under any Applicable Law; and
    • The Processor must ensure that no response is given to any such request by the Processor or the Subprocessor, except on documented instructions of the Controller, or as required by the Applicable Laws to which the Processor is subject, in which latter case, the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the Contracted Processor responds to the request.
  6. Personal Data Breach
    • The Processor must notify the Controller without undue delay upon the Processor or any Subprocessor becoming aware of a Personal Data Breach affecting the Controller Personal Data, providing the Controller with sufficient information to allow them to meet any obligations under the Applicable Laws.
    • The Processor shall co-operate with the Controller, and at their own expense take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach.
  7. Data Protection Impact Assessment and Prior Consultation
    • The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessment and Prior consultations with Supervising Authorities. 
  8. Deletion or return of Controller Personal Data
    • The Processor must promptly and in any event, within seven (7) days of the termination or conclusion of any Services involving the processing of Controller Personal Data (“Cessation Date”), delete and procure the deletion of all copies of any Controller Personal Data.
    • The Controller may also, at its own discretion, by providing seven days written notice of the Cessation Date, require the Processor, to:
      • Return a complete copy of all Controller Personal Data to the Controller by secure file transfer in such a format as is reasonably notified by the Controller to the Processor; and
      • Delete and procure the deletion of all other copies of Controller Personal Data that they, or any Subprocessor, have.
    • The Processor must only do what is required under Clause 8.1 and 8.2 to the extent that the Applicable Laws do not require them to retain such information. In such event, the Processor must ensure the confidentiality of all such Controller Personal Data, and that it is processed, for such periods as mandated, only insofar as said Applicable Laws require it to be processed.
    • The Processor must provide written certification, within 14 days of the Cessation Date, to the Controller that it has fully complied with their obligations under this Clause.
  9. Audit Rights
    • The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Statement, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller Personal Data by the Processor;
    • The Controller shall give the Processor reasonable notice of any audit or inspection to be conducted, and shall make reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while the Controller’s personnel are on those premises in the course of such an audit or inspection; or
    • The Processor need not give access to its premises for the purposes of an audit or inspection to any individual unless they produce reasonable evidence of identity and authority; or outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller has given notice that this will be the case.

 

Appendix 6 – Retention Schedule
Recommended Statutory Retention Periods 

Accident books, accident records/reports
3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21).
Statutory authority: The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. 

Accounting records
Not less than 3 years after the end of the financial year to which they relate.
Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631). 

Income tax and NI returns, income tax records and correspondence with HMRC
Not less than 3 years after the end of the financial year to which they relate.
Statutory authority: The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631). 

Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity
6 years from the end of the scheme year in which the event took place.
Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended. 

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence.
3 years after the end of the tax year in which the maternity period ends.
Statutory authority: The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended.

 

Wage/salary records (also overtime, bonuses, expenses)
Statutory retention period: 6 years.
Statutory authority: Taxes Management Act 1970.

 

National minimum wage records
3 years after the end of the pay reference period following the one that the records cover.
Statutory authority: National Minimum Wage Act 1998.

 

Records relating to working time
2 years from date on which they were made.
Statutory authority: The Working Time Regulations 1998 (SI 1998/1833).  

 

Recommended Non-statutory Retention Periods
The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So where documents may be relevant to a contractual claim, it’s recommended that these are kept for at least a corresponding 6-year period.

Application forms and interview notes (for unsuccessful candidates)
Recommended retention period: 1 year

Inland Revenue/HMRC approvals
Recommended retention period: permanently

Personnel files and training records (including disciplinary records and working time records)
Recommended retention period: 6 years after employment ceases

Redundancy details, calculations of payments, refunds, notification to the Secretary of State
Recommended retention period: 6 years from the date of redundancy

Directors’ records
Recommended retention period: permanently for historical purposes.

 

Recommended Retention Periods relating to the letting and property management of residential property

Landlord records
Recommended retention period: 6 years after termination of contract

Tenant records
Recommended retention period: 6 years after termination of tenancy

Council tax records
Recommended retention period: 6 years

Prospective tenants records
Recommended retention period: 1 month

Housing benefit information
Recommended retention period: duration of tenancy

Anti-social behaviour case files
Recommended retention period: 6 years or end of legal action

Contractors’ records
Recommended retention period: 6 years after termination of contract
