Privacy Policy
Eccord is primarily a controller for the personal data that it collects and uses about you. We will treat your personal information as confidential and in accordance with applicable data protection legislation, and will only share your data with others when absolutely necessary and in accordance with this Privacy Policy.
1. INFORMATION ABOUT ECCORD
Eccord Ltd - A limited company registered in England under company number 06006478.
Registered address: | 56 Sloane Square, London SW1W 8AX |
VAT number: | 891187982 |
Data Protection Officer: | Jo Eccles |
Email: | enquire@eccord.com |
Telephone: | +44(0)20 7244 4485 |
Eccord are members of the:
- ARLA Propertymark (Association of Residential Letting Agents)
- The Property Ombudsman (TPO)
2. WHAT THIS POLICY COVERS
This Privacy Policy explains;
- What is personal data
- What personal data do we collect
- How we use your personal data
- What happens if you do not provide data that we request
- How we store your personal data
- How we transfer your personal data
- How long we keep your personal data
- What your rights are
- How you can access your personal data
- How you can contact us
- Changes to this Privacy Policy
3. WHAT IS PERSONAL DATA
UK GDPR regulations define personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Personal data is, in simpler terms, is any information about you that enables you to be identified. This could include information such as contact details, date of birth, bank account details or any information about your needs or circumstances which would allow us to identify you.
Some personal data is classified as ‘special category’ data under data protection legislation. This includes information relating to health, racial or ethnic origin, religious beliefs or political opinions and sexual orientation. This information is more sensitive and we need to have further justifications for collecting, storing and using this type of personal data. There are also additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data.
4. WHAT PERSONAL DATA DO WE COLLECT
We may collect some or all of the following personal data should you make a general enquiry with the business or have a prospective call about our services:
- Name
- Email address
- Telephone number
- Postal address
- Business name
- Job title
- Profession
Additional personal data may be collected depending on your relationship with us and whether you contract with our services, including:
CLIENTS
- Information about your preferences and interests, particularly when discussing a search criteria brief.
- Information about you or your family where necessary to perform a contract with you. Should this be ‘special category’ data this will only be collected and processed with your explicit consent.
- Information about your identity, where required by law (e.g. AML regulations) in the form of photographic identification (such as a passport, a driving licence and/or visa) and proof of residence (such as a recent utility bill).
- Where we are working alongside third parties such as solicitors, developers, referrers or agents, we may need to share these documents on the basis of legal obligation.
- If we are dealing with an entity such as a company, trust or charity, we may need to obtain documentation to confirm whom the beneficial owner is of the firm or the person(s) with significant control over it. e.g. certificate of incorporation/articles of association. The personal information of the beneficial owner(s), settlor and/or beneficiaries may need to be obtained via identity and address documents.
- Information about appointed authorised party(s) / Power of Attorney where you have requested we liaise with them on your behalf.
- Bank account details to arrange onward payment of rent due / payment of monies to you.
- Where you engage us to manage a property on your behalf, we will ask for additional emergency contact information in case we need to get in touch with you outside of working hours or in the event there is a matter requiring your urgent attention.
- We may also, with your consent, share your personal information with third-party lenders as is necessary to allow us to fulfil our obligations to you.
APPLICANTS & TENANTS
- In order to put a rental offer forward to our client on your behalf, we will collect data about your employment status, employer, job title, income level, reason for moving and credit history. This is so we can assess your application suitability in a non-automated manner.
- Bank/building / similar account details to allow us to make deposit return payments to you.
- If you are a tenant renting under the 'Right to Rent' scheme we will collect details of your biometric residence card or permit, your immigration status document and/or your date of birth to carry out our required checks.
CANDIDATES & PROSPECTIVE EMPLOYEES
As part of our recruitment process, Eccord collects and processes personal data relating to candidates collected via CVs and/or cover letters and through interviews or other forms of assessment. This includes:
- Details of your qualifications, skills, experience and employment history.
- Information about your current level of remuneration, including benefit entitlements.
- Whether or not you have a disability for which the firm needs to make reasonable adjustments during the recruitment process.
- Information about your entitlement to work in the UK, obtained from your passport or other identity documents.
- Recruitment agencies also regularly provide personal data, primarily in the form of candidate CVs.
- We will also collect personal data about you from third parties, such as references supplied by former employers, once a job offer has been made and once we inform you that this is being conducted.
Data will be stored in a range of different places, including on your application record, in a HR management system and on other IT systems (including email).
5. WHEN PROVIDING SERVICES TO ENTITY CLIENTS
In certain circumstances, where we are dealing with an entity such as a company, trust or charity as our client, we may be required to process personal data on behalf of our client as a joint controller or data processor when processing personal data for the performance of our services.
In respect of the data processor activities, we will:
- Only process such personal data in accordance with our client’s documented instructions unless required by law to otherwise process that personal data. Where we are relying on applicable laws as the basis for processing personal data, we will promptly notify our client of this before performing the processing required by the applicable laws unless we are prohibited from so notifying our client.
- Ensure that we have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. We will ensure that such measures are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures we have adopted.
- Ensure that all our staff who have access to and/or process personal data are obliged to keep the personal data confidential.
- Not transfer any personal data outside of the UK or EU unless:
- (a) the third country is subject to adequacy regulations under the applicable data protection legislation that the territory provides adequate protection for the privacy rights of individuals or;
- (b) the transfer is otherwise compliant with UK GDPR.
- Comply with reasonable instructions provided advance by our client with respect to the processing of the personal data;
- Assist our client, at its cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the applicable data protection legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
- Notify our client without undue delay on becoming aware of a personal data breach.
- At the written direction of our client, delete or return personal data and any copies to our client on termination of services we provide to our client, unless required by applicable laws to store the personal data; and
- Maintain complete and accurate records and information to demonstrate our compliance with these processing obligations and allow for audits by our client or our client’s designated auditor and immediately inform our client if, in our opinion, an instruction infringes the data protection legislation.
- We will not engage a sub-processor without our client’s prior specific or general written authorisation. We will inform our client of any intended changes concerning the addition or replacement of sub-processors, thereby giving our client the opportunity to object to such changes. If we engage a sub-processor for carrying out processing activities on our client’s behalf, the same data processing obligations as set out here will be imposed on that sub-processor by way of a contract with us. Where the sub-processor fails to fulfil its data protection obligations, we will remain fully liable to you for the performance of that sub-processor’s obligations.
6. HOW WE COLLECT YOUR PERSONAL DATA
There are various methods we may use to collect personal data from you, including via:
ONLINE CONTACT FORM
- If you submit enquiries to us via our online contact form, the information provided in the contact form as well as any contact information provided therein will be stored by us in order to handle your enquiry and in the event that we have further questions. We will not share this information without your consent.
- The processing of this data is on the basis of contractual necessity or legitimate interest to allow Eccord to efficiently process your enquiry.
- The information you enter into the contact form shall remain with us until you ask us to delete the data, revoke your consent to the archiving of the data, or if the purpose for which the information is being archived no longer exists (e.g. after we responded to your enquiry). This shall be without prejudice to any mandatory legal provisions, in particular retention periods.
EMAIL OR TELEPHONE
- If you contact us by email or telephone, your request, including all resulting personal data, will be stored by us for the purpose of processing your request. We do not pass data on to third parties without your consent.
- The processing of this data is on the basis of contractual necessity or legitimate interest to allow us to efficiently process your enquiry.
- The information you provide us shall remain with us until you ask us to delete the data, revoke your consent to the archiving of the data, or if the purpose for which the information is being archived no longer exists (e.g. after we respond to your enquiry). This shall be without prejudice to any mandatory legal provisions, in particular retention periods.
- For communication with our contacts and other third parties, one of the services we use is the instant messaging service WhatsApp. The communication is encrypted end-to-end (peer-to-peer), which prevents WhatsApp or other third parties from gaining access to the communication content.
- However, WhatsApp does gain access to ‘metadata’ created during the communication process (e.g. sender, recipient and time details) and WhatsApp has disclosed it shares personal data of its users with its U.S. based parent company Facebook.
- The use of WhatsApp is based on our legitimate interest in communicating as quickly and effectively as possible with our contacts and interested parties - if a response to a WhatsApp message has been received from you, this is considered consent to using this form of data collection and data processing will be carried out exclusively on the basis of the consent. This consent may be revoked at any time with effect for the future.
- The information exchanged with our contacts on WhatsApp shall remain with us until you ask us to delete the data, revoke your consent to the archiving of the data, or if the purpose for which the information is being processed no longer exists. This shall be without prejudice to any mandatory legal provisions, in particular retention periods.
- Further details on WhatsApp's privacy policy can be found: https://www.whatsapp.com/legal/#privacy-policy.
7. HOW WE USE YOUR PERSONAL DATA
Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary to perform our contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it, such as staying in touch with you. Your personal data may be used for one or more of the following purposes:
- Supplying our services to you - your personal details are required in order for us to contract with you and fulfil our obligations. This may include updates or changes in our service.
- Personalising and tailoring our services for you.
- Communicating with you - this may include responding to emails or calls from you.
- For recruitment or employment-related purposes.
- Where we need to comply with a legal obligation.
- Where we use third-party services providers who process personal data on our behalf in order to provide services to us. This includes IT systems providers as well as third-party referencing and compliance agencies for the purposes of the prevention and detection of crime.
- Where the processing is necessary for us to carry out activities for which it is in Eccord’s legitimate interests (or those of a third-party) to do so, provided that your interests and fundamental rights do not override those interests, including:
- Processing that is necessary for us to stay in touch with you and/or keep a business record of your engagement with us should you contract with our services again, meaning your historic record needs to be referenced.
- Processing that is necessary for us to promote our services and brand – this will include sending you marketing newsletters via email, after you have engaged with us, which may be similar and of interest to you or where you have expressly indicated that you would like to receive such information. You have the right to opt out of receiving this information at any time using the unsubscribe button in the bottom of the email.
- Processing that is necessary for us to operate the administrative and technical aspects of our business efficiently and effectively – this will include verifying the accuracy of data that we hold about you; outsourcing certain functions to third parties who specialise in certain services, and for information security purposes i.e. in order for us to take steps to protect your data against loss, damage, theft or unauthorised access or to comply with a request from you in connection with the exercise of any of your rights outlined below.
- We use third-party service providers who process personal data on our behalf in order to provide services to us. This includes IT systems/database providers as well as third-party referencing and compliance agencies for the prevention and detection of crime.
In more limited circumstances we may also rely on the following legal bases:
- Where we need to protect your interests or someone else's interests.
- Where it is needed in the public interest or for official purposes.
- We may process ‘special categories’ of personal data but will obtain your explicit consent and will explain the purpose for which the data will be used at the point where we ask for your consent.
8. WHAT HAPPENS IF YOU DO NOT PROVIDE DATA THAT WE REQUEST
We need some of your personal data to perform the services you have requested from us. For example:
- Where we are acquiring a property on your behalf, we need to know your contact details so that we can update you with information on the property search and progress of a purchase.
- Where you have asked us to find you a property which meets certain access requirements, we may need to know some further details about your particular circumstances so that we can find you a suitable property.
- We may need identity documents, proof of residence, political and source of funds documentation from you to meet our obligations to prevent fraud and money laundering.
If you do not provide the data required for these purposes, we will not be able to perform our contract with you and may not be able to provide services to you. We will explain when this is the case at the point where we collect information from you.
9. HOW WE STORE & TRANSFER YOUR PERSONAL DATA
The security of data is very important to us and we have measures in place which are designed to prevent unauthorised access to your personal data when being transferred or stored, including but not limited to:
- Emails and documents are stored with Microsoft who provide service-side technologies that encrypt data at rest and in transit:
- For data at rest, Microsoft 365 uses BitLocker, Azure Storage Service Encryption (SSE), Distributed Key Manager (DKM), and Microsoft 365 service encryption.
- For data in transit, Office 365 use industry-standard secure transport protocols, such as Internet Protocol Security (IPsec) and Transport Layer Security (TLS), between Microsoft datacentres and between user devices and Microsoft datacentres.
- We have strict access requirements in place and access is restricted to those where it is absolutely necessary for legitimate business purposes. This access is regularly reviewed in line with the information classification of the data.
- In general where there is a combination of different types of data being processed, the highest level of protection will be applied. The same applies where there is any doubt over the sensitivity of the data concerned.
We may store or transfer the personal data we collect about you to third-party service providers in countries other than the country in which the information originally was collected (e.g. on a CRM database). Those countries may not have the same data protection laws as the country in which you initially provided the information.
When we store or transfer your data to recipients in other countries, we will perform this in accordance with the requirements of applicable law. We will also protect the transferred personal data in accordance with this Privacy Policy. We only make these storage arrangements or transfers where we are satisfied that adequate levels of at rest/in transit encryption are in place to protect any data held in that country and that the service provider acts at all times in compliance with applicable privacy laws.
10. HOW LONG WE KEEP YOUR PERSONAL DATA
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
- For the period during which we provide services to you and for any subsequent period during which we are required by legislation to retain data or due to legitimate interests in regard to running Eccord business activities and staying in touch with you.
- When you have agreed to continue to receive marketing material from us, we will continue to hold your personal data up until the point that you may choose to opt-out.
11. WHAT YOUR RIGHTS ARE
Under GDPR laws, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data.
- The right to access the personal data we hold about you.
- The right to have your personal data corrected or changed if any of your personal data held by us is inaccurate or incomplete.
- The right to be forgotten - i.e. the right to withdraw your consent and ask us to delete or otherwise dispose of any of your personal data that we hold.
- The right to restrict (i.e. prevent) the processing of your personal data.
- The right to object to us using your personal data where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful.
- The right to data portability – i.e. you have the right to request a copy of certain personal data that you have provided to us in a commonly used electronic format.
- The right to not be subject to wholly automated decisions which produce legal effects or which could have a similarly significant effect on you. Eccord however, do not use your personal data in this way.
If you would like to exercise any of your rights, please contact enquire@eccord.com and mark you email for the attention of Jo Eccles.
Please note that we will keep a record of the fact that you have made a request to exercise your rights, and our response to your request, in order to demonstrate compliance with our data protection obligations and so that we can handle any queries, complaints or claims in relation to your request. This record will be kept in accordance with our retention policies.
Further information about your rights, or if you have any cause for complaint about our use of your personal data, you can speak with your local Citizens Advice Bureau or the Information Commissioner’s Office.
12. HOW YOU CAN ACCESS YOUR PERSONAL DATA
If you want to know what personal data we have about you, you can ask us for details of that personal data and/or for a copy of it (where any such personal data is held). This is known as a 'subject access request'.
All subject access requests should be made in writing and sent via email to enquire@eccord.com, marked for the attention of Jo Eccles.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within 20 working days and, in any case, not more than one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
13. HOW YOU CAN CONTACT US
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please email enquire@eccord.com and mark for the attention of Jo Eccles. Alternatively you can call us on +44(0) 20 7244 4885.
Further information about your rights, or if you have any cause for complaint about our use of your personal data, you can speak with your local Citizens Advice Bureau or the Information Commissioner’s Office.
14. CHANGES TO THIS PRIVACY POLICY
We may change this Privacy Policy from time to time. This may be necessary, for example if the law changes or if we change our business in a way that affects personal data protection. Any changes will be made to this Privacy Policy and made available on our website.
Our Cookie Policy
This site uses cookies - small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers.