GDPR headache

General Discussion

Has anyone had experience with this new GDPR thing we need to do? It is a real headache. Is it complusory to do? Or can I just ignore it.
I read more on the RLA about this and reading the template and implications, its a nightmare.
Also have to pay something to something called ICO?
.....

Personal Data Privacy Notice

Drafting note: This document is intended to be edited by you to reflect your circumstances. The sections indicated by # and square brackets should be personalised. Once you are content that the document meets your needs delete the coloured annotations and save it to your personal computer.

This notice explains what information I/we collect, when I/we collect it and how I/we use this. During the course of our activities, I/we will process personal data (which may be held on paper, electronically, or otherwise) about you and I/we recognise the need to treat it in an appropriate and lawful manner. The purpose of this notice is to make you aware of how I/we will handle your information.

Who am I?

#[insert Private Landlord’s name/ Letting Agent] at #[insert address or company details], (“I”/ “we” or “me”/ “us”) take the issue of security and data protection very seriously and strictly adhere to guidelines published in the General Data Protection Regulation (EU) 2016/679 which is applicable from the 25th May 2018, together with any domestic laws subsequently enacted.

I/we am/are notified as a Data Controller with the Office of the Information Commissioner under registration number #[insert number] and I/we am/are the data controller of any personal data that you provide to us.

Our Data Protection Officer is # [insert name and contact details].

Any questions relating to this notice and our privacy practices should be sent to #[insert contact details].

How I/we collect information from you and what information I collect

I/we collect information about you:
From your application for accommodation
#[insert any other sources].

I/ we collect the following information about you:
Prospective tenants and/or guarantor names, email address, date of birth, address (including any previous addresses, relationship to other prospective tenants, employment status, name of university or college where you are studying (if applicable);
Tenant name, email address, telephone number, Date of Birth, address (including any previous addresses), marital status, National Insurance Number, nationality, next of kin, name of university or college where you are studying (if applicable), the name of friends that you are staying with (if applicable);
Guarantor name, e-mail address, telephone number, Date of Birth, address (including any previous addresses), marital status, National Insurance Number, nationality, next of kin (if applicable);
Property address; term, rent, deposit, utility and service responsibilities;
The employment status of tenants and/or guarantors, address, contact details (including email, phone and fax numbers) of the employer/accountant, payroll numbers, length of employment, salary information (including any regular overtime or commission), and any other income received;
Bank account details of the tenant and prospective tenants, including account number and sort code, and any hire purchase/loan agreements/credit cards or store cards that you have; and
Any welfare benefits that you may be eligible for, or are currently on.

Why I/we need this information about you and how it will be used

I/ we need your information and will use your information:
to undertake and perform our obligations and duties to you in accordance with the terms of our contract with you;
to enable us to supply you with the services and information which you have requested;
to help you to manage your tenancy;
to carry out due diligence on any prospective tenant and/or guarantor, including whether there is any money judgements against them, or any history of bankruptcy or insolvency;
to analyse the information we collect so that we can administer, support and improve and develop our business and the services we offer;
to contact you in order to send you details of any changes to our suppliers which may affect you; and
for all other purposes consistent with the proper performance of our operations and business.

Sharing of Your Information
Drafting note: This section sets out details of when and how any personal data will be shared with third parties. It is important that data subjects are aware of the circumstances where their personal data may be shared and this section should be comprehensive.

The information you provide to me/us will be treated by me as confidential /[and will be processed only by any third party, acting on my behalf, within the UK/EEA] (*Delete if not applicable)
Drafting note: Check whether data is processed (particularly by IT support providers and other online facilities)- see section below.

I/we may disclose your information to other third parties who act for us for the purposes set out in this notice or for purposes approved by you, including the following:
If I/we enter into a joint venture with or merge with a business entity, your information may be disclosed to our new business partners or owners;
To carry out due diligence on you as a prospective tenant/ guarantor, including but not limited to the carrying out of affordability checks, due diligence checks and the obtaining of references from relevant parties, whose data you have provided;
If you request so, your information shall be disclosed in order to determine if there are any money judgements against you, as the prospective tenant/guarantor, or to determine if they have a history of bankruptcy or insolvency;
If you are unable to make payments under your tenancy, your information may be disclosed to any relevant party assisting in the recovery of this debt or the tracing of you as a tenant; and
In the creation, renewal or termination of the tenancy, your information will be disclosed to the relevant local authority, tenancy deposit scheme administrator, service/utility provider, freeholder, factor, facilities manager or any other relevant person or organisation in connection with this.

Unless required to do so by law, I/we will not otherwise share, sell or distribute any of the information you provide to me/ us without your consent.

Transfers outside the UK and Europe
Drafting note: If personal data will be transferred outside the EEA it is important that data subjects are aware of this. As the approach post Brexit is unclear, you may wish to include details of transfers outside the UK specifically. If personal data is stored in the cloud the location of the servers should be confirmed and if outside the UK/EEA this should be stated in this notice. This is something that individual member organisations will need to check.

#[Your information will only be stored within the UK and EEA]/ [I/we may transfer your information outside the UK and/or EEA]: (*delete as appropriate)
#[insert situations where personal data is transferred outside UK/EEA] (*delete if not applicable)

Where information is transferred outside the UK or EEA, I/we ensure that there are adequate safeguards in place to protect your information in accordance with this notice, including the following:
#[Insert basis for transfer and relevant safeguards (e.g. decision by the Commission that the third country has adequate safeguards/ details of appropriate security provisions in place.)]

Security
Drafting note: It is important that personal information is stored securely and appropriate technical measures are taken to protect this information. This section should set out details of the security measures in place.

When you give me/us information I/we take steps to make sure that your personal information is kept secure and safe.

#[insert further details of security processes]
Drafting note: the individual member organisation will require to confirm their own security measures that are in place and will require to update their FPN with these details. Alternatively, you could provide a link to the organisation’s Data Protection/ Privacy Policy.

How long we will keep your information
Drafting note: It is important that personal data is not stored for any longer than it is reasonably required. Data subjects should be notified of how long personal data is stored for, or if this is not possible, then details of the criteria used to determine how long personal data will be kept for. The wording below provides some generic wording, however, this should be updated/specific for each type/use of personal data.

I/we review my data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (I/we may be legally required to hold some types of information), or as set out in any relevant contract I have with you.

My/our full retention schedule is available at #[insert where data subject can source retention schedule (e.g. website or in our office)].

Your Rights

You have the right at any time to:
ask for a copy of the information about you held by me/ us in my records;
require me/ us to correct any inaccuracies in your information;
make a request to me/ us to delete what personal data of yours I/ we hold; and
object to receiving any marketing communications from me/ us.

If you would like to exercise any of your rights above please contact me/us at #[insert e-mail address]

Should you wish to complain about the use of your information, I/ we would ask that you contact me/ us to resolve this matter in the first instance. You also have the right to complain to the Information Commissioner’s Office in relation to my/ our use of your information. The Information Commissioner’s contact details are noted below:

England:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Email: [email protected]

Scotland:
The Information Commissioner’s Office

1. Melville Street, Edinburgh, EH3 7HL

Telephone: 0131 244 9001
Email: [email protected]

Wales
Information Commissioner's Office
2nd floor, Churchill House
Churchill way, Cardiff, CF10 2HH
Telephone: 029 2067 8400
Email: [email protected]

Northern Ireland:
Information Commissioner's Office
3rd Floor, 14 Cromac Place
Belfast, BT7 2JB
Telephone: 028 9027 8757
Email: [email protected]

The accuracy of your information is important to me - please help me/us keep my/our records updated by informing me/ us of any changes to your email address and other contact details.