Introduction
As well as being a primary piece of EU legislation, the General Data Protection Regulation (GDPR) (EU) 2016/679 also provides that individual member states may enact their own legislation to give specific interpretation to the application of some of the provisions covered under the GDPR. In the Republic of Ireland, this is contained within the Data Protection Bill 2017.
During the course of day-to-day business, Pearl Property Managers (PPM) need to gather and use certain information about individuals. Such individuals can include customers, suppliers, business contacts, employees and other persons with whom the organisation has a relationship, or may need to contact.
This Data Protection Policy (hereinafter referred to as the “Policy”) describes how personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law.
This Policy has been established to ensure PPM:
- Complies with data protection law and follows good practice;
- Protects the rights of staff, clients and associates;
- Is open about how it stores and processes individuals’ data; and
- Protects itself from the risks of a data breach.
Ownership
The Policy is maintained by PPM’s Data Protection Officer (DPO) and is approved by the Senior Management Team. The Policy will be reviewed and revised, as and when it becomes necessary, by the DPO to ensure continued alignment with legal developments and legislative obligations, while at the same time remaining appropriate to PPM’s internal operations and risk management requirements.
Everyone who works for or with PPM has responsibility for ensuring data is collected, stored and handled appropriately. All PPM staff have a personal responsibility to ensure compliance with the principles of the applicable Data Protection legislation and to adhere to PPM’s Policy.
Further comments or questions on the content of this Policy should be directed to the DPO. Any material changes to this Policy will require approval by the Senior Management Team.
The Data Protection Officer
As part of the GDPR, it is mandatory for PPM to have a formally appointed DPO. The DPO’s role facilitates compliance with GDPR and ensures that, in carrying out PPM’s day-to-day business, all personal data held and processed by PPM, such as that belonging to internal staff, clients and third parties, is appropriately protected in accordance with such persons’ regulatory rights.
In line with Article 37(5) of the GDPR, the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. Furthermore, the DPO role cannot be assigned to someone where his or her other role(s) and their DPO duties present a conflict of interest.
Data Protection Principles
GDPR sets out eight principles governing the use of personal information, which must be complied with, unless an exemption applies.
These principles are in essence a code of good practice for processing personal data. They state that personal data must:
- Be processed fairly and lawfully. This means PPM must:
  - Have legitimate grounds for collecting and using the personal data;
  - Not use the data in ways that have unjustified adverse effects on the Individuals concerned;
  - Be transparent about how it intends to use the data and give Individuals appropriate and fair processing notices when collecting their personal data;
  - Handle individuals’ personal data only in ways they would reasonably expect;
  - Make sure it does not do anything unlawful with the data.
- Be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. This means that PPM must:
  - Be clear from the outset about why it is collecting personal data and what it intends to do with it;
  - Comply with the fair processing requirements of the GDPR, including the duty to give clear and fair processing notices to Individuals when collecting their personal data;
  - Comply with what the GDPR says about notifying the Information Commissioner;
  - Ensure that if it wishes to use or disclose the personal data for any purpose that is additional to, or different from, the originally specified purpose, the new use or disclosure is fair.
- Be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. As such, PPM:
  - May only hold personal data about an Individual that is sufficient for the purpose/purposes for which it is being requested;
  - May not hold more information than needed for the applicable purpose/purposes.
- Be accurate and, where necessary, kept up to date. Furthermore, PPM will:
  - Take reasonable steps to ensure the accuracy of any personal data it obtains;
  - Ensure that the source of any personal data is clear;
  - Carefully consider any challenges to the accuracy of information;
  - Consider whether it is necessary to update the information.
- Not be kept for longer than is necessary. In this regard, PPM shall:
  - Review the length of time it keeps personal data;
  - Consider the purpose or purposes for which it holds the information in deciding whether (and for how long) to retain it;
  - Securely delete information that is no longer needed;
  - Update, archive or securely delete information if it goes out of date.
- Be processed in accordance with the Data Protection Bill 2017 and GDPR, and in doing so accept that providers of personal data shall have:
  - A right of access to a copy of the information held in their personal data file;
  - A right to object to processing that is likely to cause or is causing damage or distress;
  - A right to prevent processing for direct marketing;
  - A right to object to decisions being taken by automated means;
  - A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
  - A right to claim compensation for damages caused as a result of a breach of the GDPR by PPM.
- Be protected in appropriate ways. Accordingly, PPM shall:
  - Design and organise security to fit the nature of the personal data it holds and the harm that may result from an information security breach;
  - Be clear about who in the organisation is responsible for ensuring information security;
  - Make sure it has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff;
  - Be ready to respond to any breach of security swiftly and effectively.
- Not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data Processing Principles
PPM data processing under the GDPR will be lawful only if it satisfies one of the defined legal bases. The legal bases for lawful processing applicable to PPM are:
- The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary for the purposes of the legitimate interests pursued by PPM or by a third party.
The Rights of Pearl Property Managers’ Data Subjects
Breach Notification
Under the GDPR, notification of a personal data breach is mandatory in all EU member states where the breach is likely to “result in a risk for the rights and freedoms of individuals”. Any such breach must be reported no later than 72 hours after PPM first becomes aware that it has occurred. Data Subjects affected by the breach must be informed by the appointed PPM DPO.
Right to Access
Data Subjects have the right to obtain any data that has been confirmed by PPM to be theirs. In such circumstances, PPM shall provide a copy of the personal data, free of charge, in an electronic format. PPM shall provide data transparency to all Data Subjects and acknowledges the empowerment of Data Subjects under the GDPR.
Right to be Forgotten
Data Subjects may request that PPM erase their personal data, prohibit PPM from further dissemination of the data, and request that any third parties in receipt of their personal data halt the processing of same. PPM may, in certain circumstances, retain some data to ensure compliance with other regulations; however, where no such justification to retain data exists, the Data Subject’s right to be forgotten applies.
Independent Supervisory Authorities
Under the GDPR, each Member State will have one or more independent public authorities responsible for:
- Monitoring and enforcing the application of the GDPR;
- Promoting public awareness of the rules and rights around data processing;
- Advising the government on data protection issues;
- Promoting awareness among controllers and processors of their obligations;
- Providing information to individuals about their data protection rights;
- Maintaining a list of processing operations requiring data protection impact assessment.
In Ireland, under the Data Protection Bill 2017, the Data Protection Commissioner, which was formerly responsible for supervising data protection, has been replaced with a Data Protection Commission.
The Data Protection Commission has the power to:
- Order PPM to provide information as required in order to assess compliance with GDPR;
- Carry out investigations of PPM in the form of data audits, including accessing PPM’s premises;
- Order PPM to change their processes in order to comply with Data Subject requests;
- Issue warnings to PPM, ban processing, and commence legal proceedings against PPM.
Privacy By Design
PPM strives to implement appropriate and effective technical and organisational measures in order to meet the requirements of the GDPR and protect the rights of all PPM Data Subjects. Accordingly, PPM endeavours to obtain, hold and process only the data strictly necessary for the completion of its duties (“data minimisation”), and to limit access to personal data strictly to those who need it to carry out the processing.
Communication with Staff and Service Users
PPM is committed to reviewing all current data privacy notices and alerting individuals to the collection of their data. In doing so, PPM shall promptly identify and rectify any deviation found to exist between the extent of data collected versus that required to be processed.
In accordance with the GDPR, PPM will notify its Data Subjects of our identity, our reasons for gathering data, the uses it will be put to, who it will be disclosed to, and whether the data is going to be transferred outside the EU.
What Data is Collected
PPM may collect and use data about you even if you are not a client of PPM but are working directly or indirectly with such a person, e.g. you may be a director, account holder, or representative of a PPM client, or be a potential client seeking to avail of our services.
Data collected, used and held by PPM may include information:
- To identify you, including your contact information;
- About your financial details/circumstances;
- About your business and financial associations;
- About you provided by others;
- You have otherwise consented to PPM collecting and using.
Other than at the time of information being supplied directly by you to PPM, the company may collect data:
- Subsequent to, and from, your use of PPM services and/or the PPM website;
- As and when provided to PPM by third parties.
Why Data is Collected
PPM collects data where it is necessary:
- In order for the business to comply with statutory/corporate obligations in relation to the provision of its services (e.g. undertaking “know your client” (KYC) and anti-money laundering (AML) due diligence as part of its underwriting process, and reporting to the Central Credit Register, regulatory authorities and law enforcement as required during the course of any loan etc.);
- For any other legitimate reason in relation to the management of an existing contract between PPM and the data subject;
- For operational purposes which are key to the management of our business, such as Customer Relationship Management (CRM).
In connection with the above, PPM will often be required to share data with authorised representatives, including corporate partners and third party consultants employed by PPM for the purpose of fulfilling its obligations under an agreed contract or service. This may also require PPM to share data with parties outside of the Republic of Ireland – specifically, with associates based in the United Kingdom.
Marketing & Analytics
PPM’s website features the use of ‘E-Marketing’ tools, which provide information about how the company builds relationships with its clients. With these tools, PPM is also able to, and may, from time to time, send emails to users regarding how the business is operating. All users are given an “opt out” option, should they wish not to avail of such communications, and are free to change their preferences in this regard at any time.
PPM may analyse information about, and provided by, users of its website to:
- Help the company understand users’ needs and develop relationships with users;
- Help the company offer users product and service information deemed to be of interest to users;
- Determine the suitability of, or our willingness to provide, any of the company’s financial products in relation to users’ proposals;
- Assist in compliance checks, e.g. in respect of PPM’s legal obligations in connection to money laundering and/or fraud.
Privacy – Non-Provision of Data
If PPM requires personal data for the purpose of delivering its services and you decide not to provide PPM with the required data, PPM may not be able to:
- Provide information regarding the company’s service or products;
- Continue to provide information about services of interest;
- Renew the provision of existing contracted services.
Storage and Handling of Data
PPM uses different storage methods for different types of data. Fundamentally, all PPM data is stored electronically on a third party cloud-based storage platform, namely Microsoft Office 365 OneDrive. PPM uses other Microsoft Office 365 packages/applications such as Microsoft Outlook to communicate and keep track of correspondence with data subjects.
PPM uses Adobe Acrobat software alongside Microsoft Office 365 to ensure all documentation containing personal data issued by PPM is protected by encryption.
Hard copy backups of certain documents may also be created for PPM’s sole use, which are stored in PPM’s secure office premises.
Disposal of Data
PPM adopts a rigorous clerical and electronic filing system in which the reviewing and updating of files, including the removal of those no longer deemed necessary, occurs regularly. Data that is no longer in use and deemed unnecessary for further holding will be disposed of by any of the following means, as appropriate:
- Shredding of hard copy documentation;
- Permanently deleting electronic files from Microsoft Office 365 OneDrive;
- Permanently deleting email correspondence from Microsoft Office Outlook.