GDPR Policy
This policy will help us address data protection in a consistent manner. The policy clearly sets out our organisation’s approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy is approved by management and published and communicated to all staff. The policy will be reviewed yearly and updated when required to ensure it remains relevant.
Registration
Our business is registered with the Information Commissioner's Office.
Awareness
Director Susan and staff are aware that the GDPR is changing. They appreciate the impact this is likely to have and have identified areas that could cause compliance problems under the GDPR, as laid out below.
Information we hold
Following our data audit, we have identified 5 instances of client data collection:
All clients will have their name, address, telephone number and email address collected.
- As a general Applicant
- As a Landlord of a property.
- As a Tenant. Additional proof of identification for right to rent checks will be required as well as referencing to include financial checks.
- As a client who has asked for a rental valuation.
- As a member of staff or a job applicant. Additional proof of identification will be required as well as references.
Our electronic data is password protected and backed up using Cobian software. Our paper-based files are held in locked filing cabinets outside of working hours.
Our data is normally only shared with other property-related professionals in our normal day-to-day activities, including tradesmen, EPC providers, the Deposit Protection Scheme and AML checks, as some examples.
If we have identified inaccurate personal data and have shared this with another organisation, we will tell the other organisation about the inaccuracy so it can correct its own records. We will record this change on the property file. In the case of an email change, which is likely to be the most common error, the client will be contacted to obtain the necessary consent.
Communicating privacy information
Individuals’ rights
You will have a right to ask to see any data we hold on you and how it is used, as well as a right to be deleted. However, due to HMRC regulations, we have a lawful basis to keep all records for a period of 7 years after the end of our relationship.
Data Destruction
Our paper files are dead filed upon completion of a transaction and are kept in a lockable office. A waste destruction certificate will be obtained for the destruction of confidential waste to DIN 3 Government standard upon expiry of 7 years. Our electronic records will also be kept for 7 years.
Subject access requests
We will not charge a client for complying with a request.
If we refuse a request, we will tell the individual why and that they have the right to complain to the supervisory authority (ICO) and to a judicial remedy.
We will write to the client to acknowledge receipt of their request and confirm that we will respond within 30 days.
If there is a delay in dealing with the request for any reason, the organisation contacts the requester to explain the reason and the expected date for the response.
The response to a SAR includes an explanation of the searches that have been made to deal with the request and the information revealed by those searches.
The organisation logs receipt of SARs and updates it to monitor progress as the SAR is processed. The log includes copies of information supplied in response to the SAR, together with copies of any material withheld and an explanation why.
A standard checklist is used to ensure consistency in identity verification procedures to enable us to deal with your request.
Lawful basis for processing personal data
We hold personal data in order to comply with our legal obligations, regulations and contracts, and where we have a legitimate interest such as right to rent checks for tenants.
Clients will be actively asked to opt into and Consent to receiving our services and a paper record of this will be held on file. Consent will be freely given, specific, informed and unambiguous.
The data is taken to be able to provide the letting agency service required by the client and to protect our staff with information taken prior to viewings.
Where we feel consent is required, prior to the new regulations we will ask all our clients to opt into our service, and if they do not respond with an opt-in, we will not make further contact.
Data breaches
A breach would consist of our secure computer systems being hacked, computers or mobile phones being stolen, or our offices being broken into and the secure and locked filing cabinets opened.
We will notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify those concerned directly in most cases. Our high risk clients have been identified as those where we hold passport/driving licence and other financial records.
We are aware that failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Data Protection Officers
We do not need a formally designated Data Protection Officer, as our organisation does not fit the requirement: we are not an organisation that carries out the regular and systematic monitoring of individuals on a large scale, or an organisation that carries out the large-scale processing of special categories of data, such as health records or information about criminal convictions. Susan Gritton is our designated person who takes responsibility for data protection compliance.
International
We do not let properties overseas and do not need to take further action on this point.
Children
We do not collect personal data of children.
Training
Many data security breaches are accidental and result from human error. All staff will be trained in handling personal data and on their data protection responsibilities. Staff training will be ongoing and every effort will be made to reduce the risk of a breach. All staff have been trained to notify the designated person of any potential breach or concern.