Privacy and Personal Data Protection Policy
Please read this Privacy Notice carefully as it describes our collection, use, disclosure, retention and protection of your personal information. Where you provide us with your personal information described below, you agree that we may collect, store and use it a) in order to perform our contractual obligations to you, b) based on our legitimate interest for processing (i.e. for internal administrative purposes or for the detection or prevention of crime) or c) based on your consent, which you may withdraw at any time, as described in this Privacy Notice.
The company is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained within this document.
This document describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”).
Who we are
The Group Data Controller is Comland Commercial Ltd a company registered in England under number 03463248 whose registered office is at Lunar House, Mercury Park, Wooburn Green, Buckinghamshire, HP10 0HH (“the Group Data Controller”).
The Group Data Controller is committed to protecting the privacy and security of your personal information. The Group Data Controller is committed to being clear and transparent about how it collects and uses that data and to meeting its data protection obligations.
Data Protection Principles
The Group Data Controller will comply with data protection law. This means that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with these purposes;
- Relevant to the purposes we have told you about and limited to those purposes only;
- Accurate and kept up to date;
- Kept only for such time as is necessary for the purposes we have told you about; and
- Kept securely.
What information does the Group Data Controller collect?
To the extent permissible under applicable law, the Group Data Controller collects and processes a range of personal information (personal data) about you and any other party whose details you provide to us.
If you intend giving us personal information about someone else, you are responsible for ensuring that you comply with any obligation and consent obligations under applicable data protections laws. In so far as required by applicable data protection laws, you must ensure that beforehand you have their explicit consent to do so and that you explain to them how we collect, use, disclose and retain their personal information or direct them to read our Privacy Notice.
Personal data means any information about an individual from which the person can be identified. The personal data the Group Data Controller collects and processes includes but is not limited to:
- Identity and personal contact details, such as your name, title, address, email address, telephone number, date of birth, national insurance number, car registration;
- Background information such as previous landlord details, salary, income, employer details, accountant details;
- Bank account details, bank references and credit check results;
- Lease details including rent reviews, renewals, joint tenants, other occupiers and guarantors;
- Rent deposit information (if any) including return on lease termination;
- Rent and utilities payment records;
- Recovery of arrears, claims or proceedings to obtain possession;
- Repair and health and safety records;
- Breach of lease terms/complaints
- Business Rates and utilities records;
- Notices and correspondence regarding lease termination;
- CCTV and audio recordings (if any);
- General correspondence in all formats (letters, emails, text messages etc).
- Developments and/or properties you have an expressed an interest in or viewed, and
- Sales details including purchase price, deposit, mortgage, and any funding arrangements such as shared equity or help to buy schemes.
We may also collect, store and use the following special categories of more sensitive personal information:
- Information about medical or health conditions, including whether or not you have a disability for which the Group Data Controller needs to make adaptations; and
- Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
The Group Data Controller collects this information in a variety of ways. For example, data is collected through the lease application process and through correspondence during the term of the lease. The Group Data Controller also generates its own records such as rent payment records.
In some cases, the Group Data Controller collects personal data about you from third parties, such as:
- References supplied by former landlords, employers and personal referees;
- Information from credit reference agencies;
- Companies House,
- Other tenants, occupiers or neighbours;
- Local authorities;
- The police or other law enforcement agencies;
- Department for Work and Pensions
- Utility companies or service providers;
- Sales/Letting/managing agents; and
- Websites or online portals for lettings or sales
Data is stored in a range of different places, including in paper files and in the Group Data Controller’s IT systems (including the Group Data Controller’s email system).
Why does the Group Data Controller process personal data?
The Group Data Controller needs to process data to consider applications for leases or sales offers and manage the contractual relationship with tenants and buyers.
In addition, the Group Data Controller needs to process data to ensure that we are complying with our legal obligations.
In other cases, the Group Data Controller has a legitimate interest in processing personal data before, during and after the end of the landlord/tenant or sales relationship.
Situations in which we will use your personal information
Situations in which the Group Data Controller will process your personal information; for legitimate business purposes, include, but are not limited to:
- verify the identity of a proposed tenant/occupier/buyer;
- decide on the suitability of a proposed tenant/occupier/buyer;
- assess the financial standing/suitability of a proposed tenant/occupier/buyer;
- deal with joint tenants and occupiers who are linked to the lease/purchase;
- enter into a lease or sales agreement;
- secure payment of rent/ purchase monies and performance of tenant/buyer obligations;
- collect rent and other payments;
- manage the lease, sale contract and the property;
- arrangements for any share equity scheme or help to buy;
- keep accurate records relating to the Landlord’s rental and sale business;
- arrange repairs and maintenance of the property;
- monitor and enforce performance of tenant’s/buyer’s obligations;
- recover debts and/or obtain possession of a property;
- notify utility suppliers and local authorities about commencement and termination of a lease on or sale of a property;
- ensure Business Rates, Council Tax and utilities charges are billed and paid appropriately;
- ensure that welfare benefits (such as Universal Credit and housing benefit) are paid to the landlord or tenant where appropriate;
- handle lease termination and the return of any rent deposit;
- handle complaints;
- address health and disability issues relating to tenants/occupiers;
- create and keep audio and CCTV recordings;
- provide information to public or local authorities who are legally entitled to require this information;
- contact next of kin or close relatives in case of emergency;
- store of emails, records of calls and other communications;
- provide you with updates on developments, or properties in which you have expressed an interest, and also similar developments or properties we consider may be of interest to you;
- deliver other marketing information to you from us, where you have consented to be contacted for such purposes;
- comply with legal and regulatory requirements;
- bring and defend legal claims; and
- prevent, detect and investigate crime and anti-social behaviour.
If you fail to provide personal information
If you do not prove certain information when requested, the Group Data Controller may not be able to proceed with the grant of a lease or sale transaction
Change of purpose
The Group Data Controller will only use your personal information for the purpose for which it was collected unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will advise you of this and explain the legal basis which allows us to do so.
You should be aware that we may process your personal information without your knowledge or consent where this is required or permitted by law.
Use of sensitive personal information
Some special categories of personal data, such as information about health or medical conditions, are processed to comply with legal obligations (for example, in relation to tenants/occupiers with disabilities and for health and safety purposes).
For how long do you keep data?
The Group Data Controller will hold your personal data for as long as permitted for legal, regulatory, fraud prevention and legitimate business purposes.
Who is data shared with?
Your information will be shared internally with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006, and other associated companies.
Your data may be shared internally, including with the Directors of the company, members of the estates team and members of the finance team and IT staff if access to the data is necessary for the performance of their roles.
The Group Data Controller also shares your data with third parties where required by law, where it is necessary in order to administer the relationship with you or where we have another legitimate interest in doing so. Information can be shared with:
- Professional advisers, including solicitors and accountants;
- Sales/Letting/managing agents;
- Freeholder and/or their managing agents;
- Existing or previous landlords;
- Existing or previous employers;
- Credit Reference Agencies (CRAs) and or Fraud Prevention Agencies (FPAs)
- Debt collectors and tracing services;
- Local authorities and government/public bodies;
- Ombudsman/redress schemes;
- Professional bodies/regulators;
- Police/enforcement agencies;
- Internet service providers;
- Banks/building societies;
- Tenant’s/occupier’s next of kin or close relatives in case of emergency;
- Joint tenants and other occupiers;
- Third party holders of a rent deposit;
- H M Revenue and Customs;
- Council Tax or Business Rates authority;
- Utility providers;
- Contractors and tradespeople providing services at the property;
- Prospective purchasers of property;
- Providers of New Home warranty schemes;
- Other landlords including where you apply to another landlord for a lease;
- In the event that we sell or transfer any of our business or assets, in which case we may disclose your personal data to the prospective buyers of such business or assets;
- If we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets
Information that you submit to us may be sent to Credit Reference Agencies (CRAs) and or Fraud Prevention Agencies (FPAs) and recorded by them. If you do not make payment in full and on time, in accordance with the terms of your lease, CRAs may record the outstanding debt. This information may be supplied to other organisations by CRAs and FPAs to perform similar checks and to trace your whereabouts and recover debts that you owe. Records remain on file for 6 years after they are closed.
If you tell us that you have a spouse or financial associate, we will link your records together, so you must be sure that you have their agreement to disclose information about them. CRAs also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
If false or inaccurate information is provided and fraud is identified, details will be passed to FPAs
We may use third parties based outside of the European Economic Area (“EEA”) to help us provide applications and services and this means that we may transfer your information to service providers outside the EEA.
We take steps to ensure that where your information is transferred outside of the EEA by our service providers and hosting providers, appropriate measures and controls in place to protect that information in accordance with applicable data protection laws and regulations as determined by the European Commission.
How does the Group Data Controller protect data?
The Group Data Controller takes the security of your data seriously. The Group Data Controller has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where the Group Data Controller engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please be sure to keep us informed if your personal information changes during the lease application or purchase process or during the term of a lease or new home warranty period.
As a data subject, you have a number of rights. You can:
- request access and obtain a copy of your data on request (known as a “data subject access request”);
- require the Group Data Controller to change incorrect or incomplete data;
- request erasure of your personal information. This enables you to ask the Group Data Controller to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- object to the processing of your data where the Group Data Controller is relying on its legitimate interests as the legal ground for processing; and
- ask the Group Data Controller to suspend the processing of your personal data for a period of time if data is inaccurate or there is a dispute about its accuracy or the reason for processing it.
If you would like to exercise any of these rights, or you have any questions about the privacy notice, please contact GDC@comland.co.uk.
If you request a copy of your information you may be required to pay a statutory fee.
If you believe that the Group Data Controller has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office.
Changes to our privacy notice
We may change our Privacy Notice from time to time. However, we will not reduce your rights under this Privacy Notice. We will always update this Privacy Notice on our website, so please try to read it when you visit the website (the ‘last updated’ reference tells you when we last updated our Privacy Notice).
Implementation of Policy
This Policy shall be deemed effective as of 25/05/2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.