Privacy Notice
We take data privacy very seriously. We won’t share any of your personal information with anyone, except where permitted in this Privacy Notice.
Definitions
The following definitions apply:
Agreed Purposes: identifying and screening prospective tenants for the Client; acting as the main point of contact for the tenant throughout the tenancy agreement.
Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time.
Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
Permitted Recipients: the parties to this Agreement, the employees of each party, and any third parties engaged to perform obligations in connection with this Agreement.
Shared Personal Data: the personal data to be shared between the parties under this Agreement. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject: name, address and contact details, including email address and telephone number; information about entitlement to live in the UK; and character references.
UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR (as defined by section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018), the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
1. This Schedule sets out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes.
2. Each party shall comply with all the obligations imposed on a Controller under the Data Protection Legislation.
3. Each party shall:
3.1 ensure that it has all necessary consents and notices and lawful bases in place to enable lawful transfer of the Shared Personal Data to the Data Recipient for the Agreed Purposes;
3.2 give full information to any data subject whose personal data may be processed under this Agreement of the nature of such processing. This includes giving notice that, on the termination of this Agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees;
3.3 process the Shared Personal Data only for the Agreed Purposes;
3.4 not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
3.5 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by this Agreement;
3.6 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
3.7 not transfer any personal data outside of the European Economic Area unless the transferor:
3.7.1 complies with the provisions of Article 26 of the General Data Protection Regulation (in the event the third party is a joint controller); and
3.7.2 ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferor otherwise complies with its obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.
4. Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall:
4.1 consult with the other party about any notices given to data subjects in relation to the Shared Personal Data;
4.2 promptly inform the other party about the receipt of any data subject access request;
4.3 provide the other party with reasonable assistance in complying with any data subject access request;
4.4 not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other party wherever possible;
4.5 assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
4.6 notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation;
4.7 at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this Agreement unless required by law to store the personal data;
4.8 use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;
4.9 maintain complete and accurate records and information to demonstrate its compliance with this clause 4.9 and allow for audits by the other party or the other party's designated auditor; and
4.10 provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Legislation.