15 May 2018
Aston Rose retains personal data as defined in the EU Regulation 2016/679 (“GDPR”). Aston Rose is required to comply with the Data Protection Principles and this Policy sets out how we are to do this. We will only collect and retain (“process”) data for the following purposes and will at all times observe the Data Protection Principles as set out below.
There is a conflict in what is required. Aston Rose is required under the Proceeds of Crime legislation and anti-money laundering regulations to obtain identity information and also to enquire about and obtain information on why property is being acquired or disposed of, who is providing purchase monies and why. On the other hand, Aston Rose is required to keep personal information safe, take only the personal information that is necessary and destroy such personal information once the purpose of its retention has ceased.
Data will be processed in connection with:
- Acting for a client in the course of property related business
- Acting in the course of property management, which will include data on lessees both absentee and occupational in the management of buildings
- Name and address and reasonable financial status details of potential buyers or lessees acquiring property from clients
- Necessary data on our employees
The types of data processed will be:
- Name address and required Identity Documents of the person to satisfy anti-money laundering requirements
- Financial data reasonably necessary to evaluate and make decisions and recommendations upon the suitability of people to enter into obligations with clients (including bank statements, references and proof of residence) as well as ongoing monitoring for the purposes of the Proceeds of Crime legislation
- In the case of property management, the names and addresses of lessees and their mortgagees
- The Financial Accounts and Service Charge and Rent Demands and Statements of Account relating to the administration and obligations of lessees under their leases
- All correspondence with clients, lessees and other parties generated by the above purposes. This will include email correspondence, replies and forwarded emails
- Historical data in respect of the above, which will be archived and kept for the purposes of recording the prior history of property management or prior history of any matter in which a client has been a party. It is not practicable with our current management accounts system to extract for destruction data of prior lessees of properties but we can and will restrict access to those accounts that relate to properties that Aston Rose no longer manage
- Data of current employees necessary for their current employment, to include the employee’s name, address, bank details for receipt of their salaries, National Insurance number, pension plan details, attendance records. Aston Rose will ensure that such data is obtained with the consent of the employee and that employees sign their consent upon starting their employment
- Historical data of prior employees for any necessary record of the employment, including any references given. It is our intention not to keep any record of prior employees for longer than 3 years after they leave their employment with us.
- Health data of employees reasonably necessary for the administration of their employment and attendance. Save for historical purposes above, health records will be destroyed as soon as possible after the cessation of employment of the individual.
Subject to the above, Aston Rose will not process any data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The Data Protection Principles, which Aston Rose will at all times observe, are:
Personal Data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Processing of data by Aston Rose will be carried out only on one or more of the following lawful bases set out in the GDPR:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Aston Rose will at all times retain data securely. This will be proportionate to the sensitivity of the data and what is reasonably practicable for us to do. In considering this the following will be guidelines:
- We will not allow any data of employees to be stored outside our offices. All paper data will be secured in locked cabinets. Our computer servers will be kept in locked cabinets and suitably password protected, and employee data will be available only to a director.
- Other data will generally be kept within the office upon the server. Files will not be password protected and may be accessible to members of staff. The computer system will be password protected so that reasonable steps are taken to prevent outsiders hacking into the computer system. The computer system will be available to our employees remotely but will be password protected. The password of anyone authorised to have access will be changed not less frequently than once every 3 months.
- Data (apart from that on our employees) may be stored off site but only in accordance with the provisions of the GDPR
- Aston Rose will not use automated processing systems to make decisions, based solely on automated processing, that evaluate personal aspects of individuals and produce adverse legal effects concerning, or significantly affect, those individuals.
- Specific financial data on anyone (e.g. bank statements of others in support of references but not bank account details for payment of money or property management accounts) will be destroyed as soon as possible and in any case within 3 months of obtaining it
- Aston Rose will not part with personal information to a third party without the written consent of that data subject, save in the circumstances of the management of a property, of which the data subject is a lessee, being taken over by a successor company.
- Emails will be stored in the Microsoft Outlook program and will either be kept as part of that program or copied into dedicated files. In either case the data is to be kept on the Company server. It will not be practicable to extract for destruction historical emails from the system. When forwarding emails, Aston Rose will ensure as far as possible that personal data in the email chain below is deleted so that personal data is not forwarded with the new email.