McCARTHY HOLDEN DATA PROTECTION POLICY
As a business, and as an employer, it is necessary for us to collect, store and process personal data about our customers, suppliers, employees, workers, and other third parties whom we engage to provide services for us or with whom we do business.
With the introduction of the General Data Protection Regulation 2016 (GDPR) the way personal data is kept and used by businesses has come under much greater scrutiny. This policy is therefore very important to McCarthy Holden and sets out how we will process personal data which we collect from, or is provided by, data subjects and others on their behalf.
1.2 What do terms used in this policy mean?
There is likely to be a lot of data protection terminology that you may be unfamiliar with and which has a specific meaning under data protection legislation. The terms that are used most frequently include:
Personal data means data relating to a data subject who can be identified (directly or indirectly) from that data (or from that data and other information in our possession or available to us). Personal data can be factual (e.g. a name, address or date of birth) or it can be an opinion about that data subject, their actions and behaviour. It can also include an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic (e.g. DNA or RNA), mental, economic, cultural or social identity of that individual.
Data controller is a term used to describe the people who, or organisations which, determine the purpose and manner for which any personal data is processed.
Data subject means a living, identified or identifiable individual about whom we hold personal data.
Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures.
Data processors means any person or organisation that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition but it could include suppliers who handle personal data on our behalf.
Processing is a term used to describe what we do with the data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring (or disclosing) personal data to third parties.
Special categories of personal data is a term used to describe sensitive personal data such as information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, genetic data and biometric data where processed to uniquely identify a person or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions.
1.3 McCarthy Holden’s responsibility for data protection
As a data controller, we are responsible for establishing practices and policies in line with the GDPR and any other laws governing data protection. It is important that we do more than just say that we are complying with data protection laws; we must also be able to demonstrate compliance. We do this principally by:
- implementing processes and policies that enable us to comply with data protection laws, such as not collecting more personal data than we need, providing comprehensive, clear and transparent privacy notices, and creating and improving security features on an ongoing basis;
- undertaking data protection impact assessments, where appropriate, when using new technologies where the processing is likely to result in a high risk to the rights and freedoms of data subjects;
- undertaking periodic internal audits of personal data held by us; and
- training staff.
1.4 What data will we be collecting from you?
When you access our website and/or register your interest in the use of our services by phone, in person or by email, McCarthy Holden and any other third parties who host, maintain or support our delivery of services may collect personal information about you.
The personal information we collect from you will typically include but is not limited to the following:
- Full name and contact details (including contact number, email and postal address).
- Any phone number or email used to get in touch with our employees and/or offices.
- Information relating to your identity where we are required by law to collect this to comply with the Money Laundering Regulations 2017 and the Immigration Act (such as passport and/or driving licence).
- Information on your close connections where we are required to assess conflicts of interests under regulatory obligations.
- Your banking details where required such as where you are letting a property or, where renting, to set up an approved tenancy deposit account for you and arrange for rental payments.
- Details about your areas of interest where we wish to send you marketing information about similar products and/or services.
Where we need to collect personal data by law (e.g. to meet our obligations under money laundering regulations) or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to fulfil the existing contract and/or services as requested, or enter into a contract and/or services as requested. In this case, we may have to cancel a contract or service you have with us, but we will notify you if this is the case at the time.
1.5 How long will McCarthy Holden keep your data for?
McCarthy Holden will keep information for a reasonable amount of time in order to perform the purposes listed in section 1.8. We only keep your information for as long as necessary. McCarthy Holden generally keep personal information for 7 years. However, we reserve the right to keep information for longer if we feel that this is in the legitimate interests of McCarthy Holden.
1.6 How will your personal data be processed?
Any personal data that McCarthy Holden process will:
- be processed fairly, lawfully and in a transparent manner;
- be processed ONLY for specified, explicit and legitimate purposes;
- be relevant and limited to what is necessary to collect and process;
- be accurate and kept up to date, ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
- not be kept for any longer than is necessary to fulfil the purpose or purposes for which it was collected; and
- be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1.7 Lawfulness, fairness and transparency
For personal data to be processed lawfully, it must be processed for one of the specific reasons set out in the GDPR.
The following are some of the reasons provided by the GDPR which McCarthy Holden will rely on as a business to process personal data:
- processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract for us to provide products or services;
- you have given us explicit consent to the processing of your personal data for one or more specific purposes, namely where you have given us consent to receive electronic marketing by us or to provide you with our property services;
- processing is necessary for compliance with a legal obligation to which we are subject; and
- processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the legal reasons set out above, we can also process a data subject’s personal data where they have given consent to the processing for one or more specified purposes, provided that the consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes. You have the right to withdraw any consent given.
1.8 How McCarthy Holden will use your data
- To fulfil our obligations to you when providing you with our property services;
- To share your information with others where necessary to fulfil our property services for you or where acting as agent for a third party on your behalf;
- To comply with our statutory and regulatory obligations, including verifying your identity, prevention of fraud and money laundering and to assess your credit worthiness;
- To communicate with you during the course of providing our services, for example with your enquiries and requests;
- For statistical purposes so we can analyse figures to help us manage our business and plan strategically for the future;
- To provide you, or to enable third parties to provide you, with information about goods or services we feel may interest you: where you have provided permission for us to do so or, if you are an existing customer where we choose to contact you by electronic means (including newsletter and email) with information about our own goods and services similar to those which you have already obtained from us or negotiated to obtain from us (marketing emails can be unsubscribed from at any time with the link at the bottom of the email);
- To notify you about changes to our service.
1.9 Keeping personal data secure
When we process personal data, we will do our best to ensure that it remains secure and is protected against unauthorised or unlawful processing and accidental loss, destruction or damage.
We will do this by:
- Encrypting personal data where possible;
- Ensuring ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
- Ensuring restoration of and access to personal data in a timely manner in the event of a physical or technical incident; and
- Facilitating regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, we shall of course take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
1.10 Transferring personal data outside the EEA
McCarthy Holden may transfer any personal data we hold to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:
- you have given your explicit consent to the proposed transfer;
- the transfer is necessary for the performance of a contract to which the data subject is party or which is in the interest of the data subject, or to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
- the transfer is necessary for the establishment or defence of legal claims.
For each data transfer outside the EEA, we will record which of the conditions we are relying on.
1.11 Transferring data to Third Parties
If we need to use third parties to process personal data on our behalf, we will require those third parties to provide us with sufficient guarantees that they have appropriate technical and organisational measures to comply with the GDPR and ensure the protection of the rights of the data subjects. If you would like a full list of our third party processors please contact Samantha Holden on firstname.lastname@example.org
1.12 Rights of data subjects
You have the right to:
- request access to any data we hold about you;
- have any inaccurate personal data about you corrected and incomplete personal data completed;
- object to us processing your personal data for our legitimate interests. We can refuse this request if our legitimate interests outweigh those of the data subject or if we need to continue processing for the establishment or defence of legal claims;
- ask us to destroy personal data about yourself. We can refuse this request if the personal data is still necessary in relation to the purposes for which it was being processed and there is a legal ground for us to continue processing;
- ask us to restrict processing of your personal data to merely storing it. This can only be requested if the accuracy of personal data has been contested and this is being verified, or if we no longer require the personal data but the data subject needs it to establish or defend a legal claim, or if the data subject has objected to the processing of personal data and we are deciding whether our legitimate interests override theirs, or if our processing is unlawful.
If a data subject exercises these rights and we have disclosed the personal data in question to a third party, we will do our best to ensure that the third party complies with the wishes of the data subject.
1.13 Subject access requests
You have the right to request a copy of the personal information we hold about you. You also have the right to request that information we hold about you which may be incorrect, or which has been changed since you first told us, is updated or removed. You must do so in writing, either by emailing Samantha Holden on email@example.com or by post to 1 High Street, Hartley Wintney, Hampshire, RG27 8PE.
You can ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where:
- you have successfully exercised your right to object to processing;
- you have withdrawn consent for us to process it;
- we may have processed your information unlawfully; or
- we are required to erase your personal data to comply with local law.
Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you.
You have the right at any time to withdraw any consent you have given us to process your personal data. Please note if you withdraw your consent it will not affect the lawfulness of any processing of your personal data we have carried out before you withdrew your consent.