This Policy sets out the obligations of Ash Residential Property Management Limited trading as ARPM registered in the United Kingdom under number 05432841 whose registered office is at 1 Beauchamp Court, Victors Way, Barnet, Hertfordshire, EN5 5TZ “the Company” regarding data protection under General Data Protection Regulation “GDPR”.
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means a company who engage the services of ARPM.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” in relation to a Customer means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Controller” means the entity which receives the Personal Data “Processor” means the entity which Processes Personal Data on behalf of the Controller.
PROCESSING OF PERSONAL DATA
Customer’s Processing of Personal Data. ARPM shall Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, a Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. A Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which ARPM acquires Personal Data.
ARPM’s Processing of Personal Data. ARPM shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with any Terms of Business(s); (ii) Processing initiated for the use of ARPM’s services; and (iii) Processing to comply with other documented reasonable instructions provided by the Customer (e.g., via email) where such instructions are consistent with the terms of this policy.
Details of the Processing. The subject-matter of Processing of Personal Data by ARPM is the performance of the services pursuant to Terms of Business. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 4 (Details of the Processing) to this DPA.
RIGHTS OF DATA SUBJECTS
ARPM will, to the extent legally permitted, action a request from a Data Subject to access, correct or delete that person’s Personal Data or if a Data Subject objects to the Processing thereof (“Data Subject Request”).
Confidentiality. ARPM shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. ARPM shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
Reliability. ARPM shall take commercially reasonable steps to ensure the reliability of any ARPM personnel engaged in the Processing of Personal Data.
Limitation of Access. ARPM shall ensure that ARPM’s access to Personal Data is limited to those personnel performing services in accordance with any Terms of Business.
CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
ARPM maintains security incident management policies and procedures and shall notify the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by ARPM.
“Personal Data Incident” – ARPM shall make reasonable efforts to identify the cause of any Customer Data Incident and take those steps as ARPM deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within ARPM’s reasonable control.
The Customer understands that ARPM may be required to provide Personal Data to carefully selected suppliers for the purpose of performing services under any Terms of Business. A list of suppliers can be supplied on request.
ARPM shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Customer Data), confidentiality and integrity of any Personal Data. ARPM regularly monitors compliance with these measures.
THIRD PARTY SERVICE PROVIDERS
We engage third-party service providers to perform a variety of business operations on our behalf. In so doing, we may share your personal information with them. We provide our service providers with only the personal information they need in order to perform the services we request, and we contractually require that they protect this information appropriately and not use it for any other purpose.
For example, we may rely on a 3rd party service provider to:
• Fulfil your service requests and answer your questions.
• Host our sites and deliver our email or other communications.
• Analyse our data, sometimes combined with data from other sources, to send you communications.
• Conduct research and analyse data to improve our products, services and sites.
• Maintenance request reported by Tenants / Landlords under any Terms of Business.
• Where services are provided to us by a third party and it is necessary or expedient for us to share information with such third parties
• Perform other services that we request.
RETURN AND DELETION OF CUSTOMER DATA
ARPM shall return and/or delete Customer Data to the extent allowed by applicable law.
LIMITATION OF LIABILITY
With effect from 25 May 2018, ARPM will control Personal Data in accordance with the GDPR requirements directly applicable to ARPM’s provision of its services.
Data Protection Impact Assessment.
With effect from 25 May 2018, ARPM shall have in place a Data Protection Impact Assessment related to its Processing of any Personal Data as required under the GDPR.
Transfer mechanisms for data transfers.
Sending data outside the EEA
We will only send your data outside of the European Economic Area (‘EEA’) to:
• Follow your instructions
• Comply with a legal duty
• Work with our suppliers who help us to provide you a service.
If we do transfer your personal information outside the EEA to our suppliers, we will make sure that it is protected to the same extent as in the EEA. We’ll use one of these safeguards:
• Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.
• Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
This Policy is only legally binding between a Customer and ARPM.
Certification of Deletion. The parties agree that a certification of deletion of Personal Data may be provided at the Customer’s request.
DETAILS OF THE PROCESSING
Nature and Purpose of Processing
ARPM will Process Personal Data as necessary to perform the services pursuant to any Terms of Business, and as further instructed by a Customer in its use of the services.
Duration of Processing
Categories of Data Subjects
The Customer may submit Personal Data to obtain the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
• Prospects, customers, business partners and vendors of Customer (who are natural persons)
• Employees or contact persons of Customer’s prospects, customers, business partners and vendors
• Employees, agents, advisors, freelancers of Customer (who are natural persons)
• Customer’s Users authorised by Customer to use the Services
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: –
• First and last name
• Employer – Contact information (company, email, phone, physical business address)
• ID data
• Professional life data – Personal life data
• Connection data – Localisation data
• Financial Data – Bank Details
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data.
(b) ‘the Customer’ means the person who provides their Personal Data to ARPM.
(c) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a data controller in the Member State in which the data exporter is established.
(d) ‘technical and organisational security measures’ means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
ARPM may collect Personal Data which falls under the following categories:
• Prospects, Customers, Customer’s customer data (landlord and tenants), business partners and vendors
Categories of data
The Personal Data transferred could concern the following categories of data: The Customer may submit Personal Data to ARPM which may include, but is not limited to the following categories of Personal Data:
• First and last name
• Contact information (not limited to company, email, phone, physical business address)
• Professional life data
• Personal life data
Special categories of data (if appropriate)
ARPM will not collect Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life.
The objective of Processing of Personal Data is the performance of ARPM services pursuant to any Terms of Business or any other contractual agreements between the parties.