INTRODUCTION

This Policy sets out the obligations of Ash Residential Property Management Limited, trading as ARPM, registered in the United Kingdom under number 05432841, whose registered office is at 1 Beauchamp Court, Victors Way, Barnet, Hertfordshire, EN5 5TZ (“the Company”), regarding data protection under the General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

 

DEFINITIONS

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Customer” means a company which engages the services of ARPM.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” in relation to a Customer means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Controller” means the entity which receives the Personal Data

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

 

PROCESSING OF PERSONAL DATA

Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, ARPM is the Controller. When ARPM receives Personal Data, they will act as data controllers for any activity they undertake in accordance with this Privacy Policy.

Customer’s Processing of Personal Data. ARPM shall Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, a Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. A Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which ARPM acquires Personal Data.

ARPM’s Processing of Personal Data. ARPM shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with any Terms of Business(s); (ii) Processing initiated for the use of ARPM’s services; and (iii) Processing to comply with other documented reasonable instructions provided by the Customer (e.g., via email) where such instructions are consistent with the terms of this policy.

Details of the Processing. The subject-matter of Processing of Personal Data by ARPM is the performance of the services pursuant to Terms of Business. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 4 (Details of the Processing) to this DPA.

 

RIGHTS OF DATA SUBJECTS

ARPM will, to the extent legally permitted, action a request from a Data Subject to access, correct or delete that person’s Personal Data or if a Data Subject objects to the Processing thereof (“Data Subject Request”).

 

ARPM PERSONNEL

Confidentiality. ARPM shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. ARPM shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

Reliability. ARPM shall take commercially reasonable steps to ensure the reliability of any ARPM personnel engaged in the Processing of Personal Data.

Limitation of Access. ARPM shall ensure that ARPM’s access to Personal Data is limited to those personnel performing services in accordance with any Terms of Business.

 

CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

ARPM maintains security incident management policies and procedures and shall notify the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by ARPM.

“Personal Data Incident” – ARPM shall make reasonable efforts to identify the cause of any Customer Data Incident and take those steps as ARPM deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within ARPM’s reasonable control.

 

SUB-PROCESSING

The Customer understands that ARPM may be required to provide Personal Data to carefully selected suppliers for the purpose of performing services under any Terms of Business. A list of suppliers can be supplied on request.

 

SECURITY

ARPM shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Customer Data), confidentiality and integrity of any Personal Data. ARPM regularly monitors compliance with these measures.

 

THIRD PARTY SERVICE PROVIDERS

We engage third-party service providers to perform a variety of business operations on our behalf. In so doing, we may share your personal information with them. We provide our service providers with only the personal information they need in order to perform the services we request, and we contractually require that they protect this information appropriately and not use it for any other purpose.
For example, we may rely on a third-party service provider to:

 

RETURN AND DELETION OF CUSTOMER DATA

ARPM shall return and/or delete Customer Data to the extent allowed by applicable law.

 

LIMITATION OF LIABILITY

For the avoidance of doubt, ARPM and its sub-processor’s total liability for all claims from a Customer arising out of or related to the Code of Practice or any Terms of Business and any other contract shall apply in the aggregate for all claims in breach of this Privacy Policy.

GDPR.

With effect from 25 May 2018, ARPM will control Personal Data in accordance with the GDPR requirements directly applicable to ARPM’s provision of its services.

Data Protection Impact Assessment.

With effect from 25 May 2018, ARPM shall have in place a Data Protection Impact Assessment related to its Processing of any Personal Data as required under the GDPR.

Transfer mechanisms for data transfers.

Sending data outside the EEA. We will only send your data outside of the European Economic Area (‘EEA’) to:

Legal Effect

This Policy is only legally binding between a Customer and ARPM.
Certification of Deletion. The parties agree that a certification of deletion of Personal Data may be provided at the Customer’s request.
Conflict. In the event of any conflict or inconsistency between the body of this Privacy Policy and any of its Schedules the Privacy Policy takes precedence.

 

DETAILS OF THE PROCESSING

Nature and Purpose of Processing

ARPM will Process Personal Data as necessary to perform the services pursuant to any Terms of Business, and as further instructed by a Customer in its use of the services.

Duration of Processing

ARPM will Process Personal Data in accordance with the Privacy Policy for the duration of the delivery of services, unless otherwise agreed upon in writing and for such time after as is required by law.

Categories of Data Subjects

The Customer may submit Personal Data to obtain the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

Type of Personal Data

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

 

Clause 1

Definitions
For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data.

(b) ‘the Customer’ means the person who provides their Personal Data to ARPM.

(c) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a data controller in the Member State in which the data exporter is established.

(d) ‘technical and organisational security measures’ means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

 

Clause 2

Data subjects
ARPM may collect Personal Data which falls under the following categories:

 

Clause 3

Categories of data
The Personal Data transferred could concern the following categories of data: The Customer may submit Personal Data to ARPM which may include, but is not limited to the following categories of Personal Data:

 

Clause 4

Special categories of data (if appropriate)
ARPM will not collect Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life.

Clause 5

Processing operations
The objective of Processing of Personal Data is the performance of ARPM services pursuant to any Terms of Business or any other contractual agreements between the parties.