GDPR Policy 1.0
Burrow Property Services Limited (hereinafter referred to as “Burrow,” “we,” “our,” or “us”) is committed to ensuring the security and protection of any personal data that we process. We aim to provide a compliant and transparent approach to data protection, especially in the context of any property management activities.
Introduction
This GDPR Policy outlines how Burrow collects, processes, stores, and protects personal data in accordance with the General Data Protection Regulation (GDPR). As a property management company, we handle personal data from property owners, tenants, potential tenants and service providers, and we are committed to safeguarding this data.
Scope
This policy applies to all employees, contractors, and third parties processing personal data on behalf of Burrow. It covers all personal data processed in the course of our business operations, whether electronically or in hard copy.
GDPR Data Controller
Burrow is the Data Controller of the personal data we process. For any questions or concerns regarding data privacy, or requests to exercise your rights under GDPR, please contact:
07447 920205
Data We Collect
In the context of our operations as a property management company, Burrow may collect the following categories of personal data:
Personal Identification Data: Name, date of birth, passport, ID numbers, etc.
Contact Information: Email addresses, phone numbers, and postal addresses.
Property Information: Details of properties for rent, ownership records, tenancy agreements, lease terms, etc.
Financial Information: Bank account details, rent payment records, salary information for tenant referencing, deposit and mortgage details.
Tenancy Information: Tenant references, rental history, guarantor information, utility account details.
Marketing Preferences: Preferences for receiving communications about properties, services, or offers.
Property Maintenance Information: Records related to maintenance and repair services, service provider details.
Burrow may also process special categories of data such as health-related information (for example, accessibility needs in rented properties) with the explicit consent of the data subject.
Legal Basis for Processing
Burrow processes personal data based on the following lawful grounds:
Contractual Necessity: When data is required to fulfil our contractual obligations, such as processing tenancy agreements, arranging property advertising, or managing property maintenance.
Legal Obligations: To comply with regulations, such as tenancy laws, anti-money laundering regulations, or tax obligations.
Consent: Where we have obtained clear consent, such as for direct marketing or sharing data with third-party service providers.
Legitimate Interests: For activities necessary to run our business, such as managing our client relationships, advertising properties, or fraud prevention.
Purpose of Data Processing
Burrow processes personal data for the following purposes:
Property Rentals: To facilitate property lettings and tenant management, including viewings, offers, contracts, and conveyancing.
Tenancy Management: To manage tenant records, collect rent, and provide property management services.
Client and Supplier Relationships: To manage relationships with property owners, tenants and third-party suppliers.
Financial Transactions: To process payments, deposits, and rent collections.
Marketing: To communicate with prospective landlords and tenants about properties and services that may interest them (subject to consent where required).
Property Maintenance: To coordinate repairs and property maintenance services.
Regulatory Compliance: To comply with relevant legal obligations, such as anti-money laundering.
Data Sharing
Burrow may share personal data with:
Estate Agents and Property Professionals: To facilitate lettings, including solicitors, mortgage brokers, surveyors, and other related parties.
Service Providers: Contractors or maintenance companies responsible for property upkeep or repairs.
Financial Institutions: For processing rent and payments.
Legal Authorities: In cases where data is required for legal proceedings or regulatory compliance (e.g. HMRC, local authorities).
Third Parties: With tenant referencing agencies, credit check providers, or utility companies as necessary for tenancy management.
In all cases, we ensure that appropriate agreements are in place to protect data when it is shared externally.
International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), Burrow ensures that appropriate safeguards are in place to protect the data in accordance with GDPR, such as standard contractual clauses or other lawful transfer mechanisms.
Data Retention
Burrow retains personal data only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law.
For example:
Tenancy Agreements and Related Data: Retained indefinitely after the end of a tenancy to comply with legal obligations or resolve disputes.
Unsuccessful Applicant Data: Retained for 6 months after application in case of any developments in the tenancy or alternative provision becoming available in another property.
Marketing Data: Retained until consent is withdrawn or as per internal retention policies.
Once the retention period expires, personal data will be securely deleted or anonymised.
Data Subject Rights
Under the GDPR, individuals have the following rights:
Right of Access: To request a copy of the personal data we hold.
Right to Rectification: To correct any inaccuracies in the personal data we hold.
Right to Erasure (Right to be Forgotten): To request deletion of personal data, subject to certain conditions.
Right to Restrict Processing: To request that we limit the processing of personal data under certain circumstances.
Right to Data Portability: To request transfer of personal data to another data controller in a structured, commonly used, and machine-readable format.
Right to Object: To object to the processing of personal data based on legitimate interests or direct marketing purposes.
If you wish to exercise any of your rights, please contact the DPO at the contact details provided above. You also have the right to lodge a complaint with the Information Commissioner’s Office.
Data Security
Burrow uses a variety of technical and organisational measures to protect personal data from unauthorised access, loss, or disclosure. This includes encryption, secure file storage, controlled access to data, and regular security audits of our systems.
Breach Notification
In the event of a personal data breach, Burrow will promptly assess the risk to individuals’ rights and freedoms and, where necessary, notify the relevant supervisory authority within 72 hours. We will also inform affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
Changes to this Policy
Burrow reserves the right to amend this policy at any time to reflect changes in the law or our business practices. Any updates will be communicated to stakeholders and will be available on our website.
Contact Information
For any questions or concerns related to this GDPR Policy, or to exercise your data protection rights, please contact:
Data Protection Officer (DPO):
Joe Bunton
07447 920205