Data Protection Policy
Dandara Group of Companies
Policy on the protection of personal data
Requirements and obligations on the Dandara Group of Companies (“the Dandara Group” or “the Group”) surrounding the processing and protection of personal data emerge from legislation, regulations, and other guidance (collectively referred to as “the legislation”) in the various countries in which the Group carries out its operations. In Europe, this framework is a reflection of the provisions of European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data and from 25th May 2018 will be the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and Directive 2002/58/EC on Privacy and Electronic Communications.
The purpose of data protection legislation is to provide individuals with protection with regard to the processing of personal data about them. Legislation in each country where Dandara carries out operations sets out requirements regarding the collection, processing, keeping, use and disclosure of certain information relating to individuals that must be followed by each relevant Group entity which handles personal data.
Due to the group structure and geographical spread of activities, a number of group companies have been identified as “data controllers” and entries made in the Data Protection Registers in the appropriate locations. The Group’s registrations are reviewed and updated from time to time.
Commitment to Privacy
At Dandara, we process certain personal data about living individuals including past, present and prospective customers, employees and suppliers for the purposes of satisfying operational needs and legal obligations. The Group recognises the importance of the correct and lawful treatment of personal data as this maintains confidence in the organisation and provides for successful operations. The Group is therefore committed to using all reasonable endeavours to ensure compliance with the requirements of the legislation that applies to it. Consequently, it will strive to create an awareness among staff on the purposes for which the Group processes personal data, and the obligations that both the Group and its employees are under when processing personal data.
All staff are expected to apply this Policy and to seek advice when required. Further information on data protection for employees is included in the staff handbook. All areas of the business are affected by this policy, particularly the HR and sales and marketing functions, and other customer facing departments such as lettings and customer care.
Definitions
For the purposes of understanding this Policy, these terms have the following meanings:
- Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
- Personal data is defined as data relating to a living individual who can be identified either from the data itself or from the data in conjunction with other information in the possession of the data controller. This definition also covers written expressions of opinion about individuals. Therefore personal data includes information such as telephone numbers, names, addresses (including email addresses), sound and image data (for example voice recordings or CCTV), and indications of status and title. Data can be stored in various forms (paper, electronic records, compact discs, tapes, etc).
- Special categories of personal data includes information about the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject; genetic or biometric data; information on whether the data subject is a member of a trade union; the physical or mental health or condition or sexual life of the data subject; the commission or alleged commission of any offence by the data subject; or any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
- Processing means performing any operation or set of operations on the information or data, whether or not by automatic means, including:
- Obtaining, recording or keeping the information or data
- Collecting, organising, storing, altering or adapting the information or data
- Retrieving, consulting or using the information or data
- Disclosing the information or data by transmitting, disseminating or otherwise making it available, or
- Aligning, combining, blocking, erasing or destroying the information or data.
- Data subject means an individual who is the subject of personal data
Processing of Personal Data
When processing personal data, the Directors require that the following fundamental principles are followed by employees of the Group at all times:
- A. Finality – data must be collected for a specified and explicit purpose and not further processed in a way incompatible with those purposes, for example, would the customer be surprised to learn that a particular use or disclosure is taking place.
- B. Transparency – as a very minimum, individuals (be they clients, employees, suppliers) need to know which data the Group is collecting about them (directly or from other sources), and which are the purposes of processing operations envisaged or carried out with these data presently or in the future. Transparency is also assured by granting the data subject the right of access to his/her personal data;
- C. Legitimacy – the processing of personal data must be legitimate and have the required data subject’s consent where applicable;
- D. Proportionality – the personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected and/or further processed. Even if individuals have been informed about the processing operation and such processing activity is legitimate and proportionate, the processing still needs to be fair with the individual;
- E. Accuracy and retention of data – records must be accurate and, where necessary, kept up to date. The Group must take every reasonable step to ensure that data that is inaccurate or incomplete, having regard to the purposes for which it was collected or further processed, is erased or rectified;
- F. Security – the Group must implement appropriate technical and organisational measures to guarantee that the personal data of its clients, employees and suppliers is kept secured. The more sensitive and confidential the information, the higher the duty of care. Particular protection should be granted as regards unauthorised disclosure or access. The Group will ensure that it has appropriate security measures in place to guard against unauthorised access to, use, alteration, or disclosure of personal data and against its accidental loss or destruction. The appropriateness of security measures is to be gauged against technological development, the costs of implementing such measures, the harm that might result from unlawful processing and the nature of the data concerned;
- G. Awareness among staff – staff in charge or with responsibilities in the processing of personal data should be trained on the principles and techniques of data protection.
In order to put into practice the essence of the above-mentioned principles, the Group should strive to observe fully the conditions regarding the fair collection and use of personal data, will meet its obligations to specify the purposes for which personal data is used, and will collect and process appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements. The Group will at all times seek to ensure the quality of personal data used, and apply strict checks to determine the length of time personal data is held for. Moreover, staff are expected to ensure that the rights of individuals about whom the personal data is held can be fully exercised under the relevant legislation, and ensure that personal data is not transferred abroad or within the Group without suitable safeguards.
The Group will strive to invest in adequate security technologies and maintain strict information security policies designed to prevent unauthorised access to personal data by anyone, including the Group’s own staff. The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that any personal data which they hold is kept securely, and that personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party. Staff having permitted access to personal data are specifically required to comply with the Group’s Information Security Policies.
Data Subject consent
The Group should operate on the basis that all data subjects about whom data is held are made aware of the Group’s need to process such data for operational purposes. Where the data being processed constitutes ‘special categories of data’, express consent to process the data must be obtained. Processing may even be necessary to comply with legislation (such as health and safety, Landlords and Tenants Acts or anti-discrimination rules), in which case the Group should not seek to legitimise this processing through consent, since this could create a false impression of a genuine free choice to withdraw the consent on the data subject. From time to time, the Group may also be required to disclose personal data to governmental bodies or agencies, (e.g. police) but will only do so under proper authority and circumstances.
Data Processors
Where Group entities enter into an agreement with a data processor, such as in instances of outsourcing of certain back-office activities, it shall ensure that there is a written agreement between the Group entity (as data controller) and the data processor that ensures that sufficient technical and organisational security measures are applied to that personal data, and that the data is not processed except under the instructions of the Group entity in the circumstances specifically set out in the agreement.
Data disclosures and transfers to third parties
The Group will not disclose information to any third party unless management believes that it is lawful to do so. The Group should only transfer personal data to a country outside the EEA if the country to which the information is being transferred has an adequate level of protection to ensure the privacy and fundamental rights and freedoms of the data subjects whose data would be transferred, or if one of a number of measures stipulated by law is met, such as where the transfer is required or authorised under law, where the data subject has given his/her consent, the transfer is necessary for the performance of a contract or the conclusion of a contract, or where the party to whom the Group is sending the data enters into an agreement with the Group based on approved contractual provisions.
It is important that one of these conditions is also met where data is being transferred to entities within the Group that are situated outside the EEA.
Individuals right to access, block or erase their Personal Data
Individuals have a right to access any personal information processed by or on behalf of the Group in relation to them whether is it kept on computer or on a paper-based medium held in manual filing systems. Data subjects are also entitled to have any personal data in their respect rectified, blocked or erased if such action does not conflict with legal obligations on the relevant entity. The Group owes a duty of care to the data subject and will strive to facilitate and comply with these requests in a timely and comprehensive manner, and in a cost-effective way.
No access requests should be considered unless they are received in writing. Any formal requests from data subjects regarding information held on them must be referred to the Data Protection Officer in the first instance. All access requests received from customers must be complied with within one month of receipt of such request, unless the request is particularly complex or there are numerous requests, in which case the Group may extend the period by up to an additional 2 months. The Group cannot charge for access requests unless the request is manifestly unfounded or excessive. Where a data subject requests a Group entity to cease using the data for a particular purpose, that entity must comply with that request as soon as possible (unless there is some other reason why the Group entity needs to retain the data, such as an express legal obligation) and notify the data subject in writing accordingly. In instances where the data subject has the reasonable belief that the data will be erased by the entire Group rather than the particular entity, then in accordance with best practice the Data Protection Officer will take the necessary steps to comply with that request.
The Directors understand that there may be circumstances where the right of access to information does not apply. Staff should look to discuss with the Data Protection Officer and in-house legal team to clarify these instances.
Marketing
The Group may send direct marketing material related to its products and upcoming projects, or from carefully selected third parties that may provide products or services to us or our customers. The Directors acknowledge that customers have a right to request not to receive direct marketing material by informing the Group or one of the Group entities in an appropriate manner.
It is legitimate to send existing customers marketing information (whether through electronic medium or postal system) about related products provided by the Group, provided that the individual has expressly opted in and the right to opt-out is included with each marketing message and provided that the same individual has not previously requested not to receive further marketing information from the entity concerned. With regard to unsolicited direct marketing using electronic media, individuals who are not customers of the entity concerned should not be sent any such material unless the individual “opts-in” to receive such marketing or the individual had forwarded these contact details for electronic mail in relation to a product or service offered by the same entity.
The Group should implement a responsible marketing policy, and should seek to respect an individual’s wishes in terms of protection of privacy at all times.
Retention of data
The Group will need to keep some forms of information for longer than others. All staff are responsible for ensuring that information is not kept for longer than necessary. Each department is responsible for agreeing the retention criteria and period of retention applicable to information held, having regard to statutory requirements and other relevant factors. Advice and guidance can be provided by the Data Protection Officer, or the in-house legal team.
Non-compliance by staff members
Being engaged in a variety of services, the Group will in the course of its business hold various types of personal data about individuals. It is therefore of the utmost importance that staff adhere to the contents and principles of this Policy. Where required, staff will be trained on data protection principles, and instances of non-compliance may bring about disciplinary action commensurate to the severity of the offence.
Data Protection Officer
The Data Protection Officer is contactable on the following:
Email: dpo@dandara.com
Phone: 01624 693404
List of legislation applicable in the jurisdictions in which the Dandara Group operates
EU Law on Data Protection:
- Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data’.
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Country legislation:
Republic of Ireland
- Data Protection Act 1988
- Data Protection (Amendment) Act 2003
- Data Protection Act 2018
and amending statutory instruments and any subsequent or amending legislation
United Kingdom (and Scotland)
- Data Protection Act 2018
and amending statutory instruments and any subsequent or amending legislation
Bailiwick of Jersey
- Data Protection (Jersey) Law 2018
- Data Protection Authority (Jersey) Law 2018
- Data Protection (Registration and Charges) (Jersey) Law 2018
and supporting regulations and any subsequent or amending legislation
Isle of Man
- Data Protection Act 2018
and supporting regulations and any subsequent or amending legislation
Bailiwick of Guernsey
- Data Protection (Bailiwick of Guernsey) Law 2017
and amending statutory instruments and any subsequent or amending legislation