Data Protection and Privacy Notice

 

Personal Data

Any personal data provided to L K Webb will be held strictly in accordance with the GDPR.

Data Controller

A Data Controller is an inventory clerk who is directly employed by a client (landlord/tenant).  The client provides their personal information directly to the clerk as part of a contract.  The clerk is responsible for handling the personal data of that client and remains responsible if the data is passed to a third party (e.g. an estate agent).

If a data breach occurs, the clerk is responsible as the data controller and may have to report the breach to the ICO (Information Commissioner’s Office) within 72 hours.

Data Processor

A Data Processor is an inventory clerk who is given data not directly by the client but by a company the client has engaged under a contract (e.g. an estate agent).  In this case, the estate agent would be the Data Controller and the clerk the Data Processor.  If the clerk sends the personal data to the wrong person and a breach occurs, they would need to inform the Data Controller of the breach and possibly report it to the ICO within 72 hours.

Other Organisations

We must ensure that any organisations to which we pass personal data, or from which we receive personal data, are GDPR compliant.  It is recommended that we sign an agreement with them regarding the processing and breach reporting procedures.

Data Storage

We must have a legal reason to store personal data; otherwise we require consent.  By consent, we will collect any personal data when you register to use our services as an individual.  If data is provided by a third party, we will then be the Data Processor.

If the information relates to addresses, then we will store information by address.  We must delete the personal data if we do not have a legal basis or consent to store it.  If there is a legal claim, we will then have a legal basis to store the information.

If we store personal data, we must have retention periods clearly stated and obtain consent.  Data must only be stored digitally on telephones or electronic items such as tablets or laptops which are password protected or encrypted.

Subject Access Requests

These must be processed within 30 days for no fee.

New Systems

We must carry out a risk assessment of any new/existing data systems that may risk the rights and freedoms of individuals and design new systems to be private and secure.

HR and Personnel

The same processing factors must be considered when processing employee data.

Standard data is processed under contract in Article 6, and special data must only be processed with consent under Article 9.

Article 6

To process personal data, one condition from Article 6 must apply.

  • Consent – An individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract – Necessary for a contract you have with the individual.
  • Legal Obligation – To comply with the law, not including contractual obligations.
  • Vital Interests – Protecting someone’s life, CCTV?
  • Public Task – Task in the public interest or a clear basis in law. Public authorities.
  • Legitimate Interests – Processing data in ways you would reasonably expect with minimal privacy impact on individuals’ rights and freedoms.

Special Category Data – Sensitive Data

  • Racial or Ethnic Origin
  • Political Opinion
  • Religious or Philosophical Beliefs
  • Trade Union Membership
  • Genetic Data
  • Biometric Data
  • Health
  • Sex Life
  • Sexual Orientation

We only share your data with our subcontractors instructed by us to carry out any work in relation to your request.  We will not use your data for any other purposes.

To process Special Category Data, we must have a condition under Article 6 above and Article 9 below.

Article 9

  • Consent – An individual has given clear consent for you to process their personal data for a specific purpose.
  • Vital Interests – Protecting someone’s life.
  • Obligation under Employment, Collective Agreement, Social Security or Social Protection Law.
  • Not for Profit Bodies – Carrying out legitimate activities with safeguards in place. Consent required for disclosure outside the organisation.
  • Already Made Public
  • Legal Claims
  • Substantial Public Interest
  • Health
  • Public Health
  • Archiving – In the public interest.

In most cases, to process Special Category Data we will need to use Consent, as the other conditions do not generally apply.

Consent

  • Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in.
  • Consent cannot be inferred from silence, pre-ticked boxes or inactivity.
  • Consent can be withdrawn at any time in writing either by email or a letter.

Individuals’ Rights

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing (inaccurate, unlawful, legal claim).
  • The right to data portability (you return data after use on paper/memory stick etc.).
  • The right to object (legitimate interests, research purposes – except public task).
  • The right not to be subject to automated decision making including profiling.

Registration

Our company is registered with the Information Commissioner’s Office and our registration number is ZA467952.

Data Breaches

If a data breach occurs, we must ensure that every effort is made to rectify or mitigate the loss immediately.  All people concerned must be notified about the breach of their data within 24 hours.

A data breach must be reported to the ICO within 72 hours only where it is likely to result in a risk to the rights and freedoms of individuals, that is, if it could result in:

  • Discrimination
  • Damage to reputation
  • Financial loss
  • Loss of confidentiality
  • Any other significant economic or social disadvantage.

For serious breaches, phone 0303 123 1113.

Email the security breach notification form to casework@ico.co.uk.