46, Charlotte Square, Edinburgh EH2 4HQ
t : 0131 220 0015 | f : 0131 226 3323
Sundial Properties Limited is a privately owned property company based in Edinburgh. The company is registered in Scotland with Company Number SC068924 and has its registered office at 46 Charlotte Square, Edinburgh EH2 4HQ
General Statement of Duties
Data Protection Law (the Data Protection Act 1998, the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018, as amended or superseded) places duties on organisations and individuals to process personal information fairly and lawfully.
Sundial Properties Limited (‘the Company’) processes personal data of clients, prospective clients, as well as employees and others involved with the Company, as part of its operation and shall take all reasonable steps to do so in accordance with this Notice. Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data. In this Notice any reference to clients includes current, past or prospective clients.
Responsibility for Data Protection
The Company will endeavour to ensure that all personal data is processed by its employees in accordance with this Notice and in compliance with Data Protection Law. Any queries about this Notice and data protection should be directed to the Finance Director: David Coombs, Sundial Properties, 46 Charlotte Square, Edinburgh, EH2 4HQ, email; firstname.lastname@example.org
The Company shall comply with the Data Protection Principles (‘the Principles’) contained in Data Protection Law to ensure all data is:
- Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
- Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation).
- Accurate and where necessary kept up to date (Accuracy).
- Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation).
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
The Company is responsible for and must be able to demonstrate compliance with the Principles listed above (Accountability)
Types of Personal Data
Personal data is information from which a living individual can be identified either directly or indirectly when taken together with other information held by the Company. Personal data covers both facts and opinions about an individual.
The Company may process a wide range of personal data of clients, prospective clients, employees and others as part of its operation. This personal data may include (but is not limited to); names and addresses, bank details, employment records, references, and peoples images.
Processing Personal Data
The Company will need to carry out this processing in order to fulfil its legal rights, duties or obligations – including those pursuant to contract with its employees.
Other uses of personal data will be made in accordance with the Company’s legitimate interests, or the legitimate interests of third parties, provided that these are not outweighed by the impact on the individuals concerned, and provided it does not involve special or sensitive types of personal data. The Company expects that the following uses of personal data may fall within that category of its “legitimate interests”:
- to inform clients or prospective clients of forthcoming developments that might be of interest to them;
- for marketing purposes of properties that Sundial Properties Limited is involved with.
- to give and receive information and references about past, current and prospective employees to/from other employers;
- to enable employees to take part in national or other assessments or professional development training;
- to monitor use of the Company’s IT and communications systems;
- to fulfil its duty to HMRC and other national regulatory bodies and give and receive information about past and current employees;
- to comply with requests from legal authorities on the completion of sales; which includes but is not limited to the City of Edinburgh Council, Lothian Valuation and Joint Board and the electricity, gas and water suppliers;
- to comply with all regulatory bodies;
- to enable the sale and purchase of properties in which the company has or wishes to acquire an interest;
- to instruct lawyers to act on behalf of the Company in sale or purchase of properties in which the company has an interest.
- to protect and safeguard the Company assets and meet any insurance requirements.
Sensitive Personal Data
The Company may, from time to time, be required to process sensitive personal data regarding a client, prospective client, or employee and others involved with the Company. Sensitive personal data includes medical information, bank details and data relating to religion, race, or criminal records and proceedings. Where sensitive personal data is processed by the Company, the explicit consent of the appropriate individual will generally be required in writing unless another condition for processing under Data Protection Law is met, for example where disclosure is necessary for the purposes of exercising or performing any right or legal obligation in relation to employment; is necessary for the purpose of establishing, exercising or defending legal rights; or is necessary for the exercise of any function conferred on the Company by law.
The Company may, from time to time, need to share personal data relating to clients, prospective clients, employees and others involved with the Company with third parties. In considering whether to share personal data the Company must first establish who is requesting the personal data and for what purpose. In determining whether data should be shared with any third party, the Company will consider the provisions of Data Protection law and where relevant refer to Data Sharing checklists produced by the Information Commissioner’s Office. The Company will consider the following:
- necessary & proportionate – how much information is needed and whether the amount of information to be shared is proportionate to that need and the level of risk attached to sharing the information,
- relevant – only information that is relevant will be shared with those who need it,
- adequate – information must be of sufficient quality that it can be understood and relied upon,
- accurate – information must distinguish between fact and opinion and must be accurate and up to date,
- timely – the need for urgency must be considered and balanced with the risk of delay in obtaining consent,
- secure – the means of sharing information must be secure and confined to those for whom the information is intended
- recorded – decisions to share information or not to do so must be recorded, with reasons given and a record taken of whom the information has been shared with.
The Company may receive requests from third parties to disclose personal data it holds about clients, prospective clients, employees or others. The Company confirms that it will not generally disclose information unless the individual has given their consent or one of the specific exemptions under the Legal Framework applies. The Company will disclose such personal data as is necessary to third parties for the following purposes:
- To give a confidential reference relating to a current or past employee to any prospective employer.
- To instruct lawyers in the sale or purchase of properties in which the Company has or wishes to acquire an interest.
- To HMRC and other regulatory bodies pursuant to a legal duty to disclose information.
Rights of Access
Subject access request under Data Protection Law
Under Data Protection Law, individuals have a right of access to their personal data processed by the Company (a subject access request or SAR). Any individual wishing to access their personal data should put their request in writing to the Finance Director. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within a month. Where appropriate the Company may require confirmation of identity (e.g. passport copy), a signed mandate authorising a representative to exercise the right on another’s behalf; or further information to locate the requested personal data.
You should be aware that certain personal data is exempt from the right of access under the Legal Framework. This may include information which identifies other individuals or information which is subject to legal professional privilege.
The Company will also treat as confidential any reference given by the Company for the purpose of the training or employment, or prospective training or employment of any employee. The Company acknowledges that an individual may have the right to access a reference relating to them received by the Company. However, such a reference will only be disclosed if such disclosure will not identify the source of the reference or where, notwithstanding this, the referee has given their consent or if disclosure is reasonable in all the circumstances.
As well as the right to access, individuals have the following rights under Data Protection Law in relation to the processing of their personal data:
- The right to request that inaccurate data held about them is rectified
- The right to request the erasure of personal data
- The right to restriction of processing
- The right to object to processing, and
- The right to data portability.
Where the Company is relying on consent as a means to process personal data, an individual may withdraw this consent at any time. Please be aware however that the Company may have another lawful reason to process the personal data in question without an individual’s consent. That reason will usually have been asserted under this Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment contract, or because a purchase of goods, services or membership of an organisation has been requested).
For more information and guidance about any of these rights individuals should go to the website of the Information Commissioner’s Office at https://ico.org.uk/.
The rights under Data Protection Law are the individual’s to whom the data relates. Where consent is required, the Company will rely on the consent of the individual to whom the data relates.
Use of Personal Information by the Company for promotional/marketing purposes
The Company will, from time to time, make use of personal data relating to clients or prospective clients in the following ways;
- For marketing or promotional purposes;
- To maintain relationships with clients or prospective clients or maintaining contact with clients or prospective clients for marketing or promotional purposes;
In these circumstances the Company will obtain specific consent to the processing of relevant personal data.
The Company will endeavour to ensure that all personal data held in relation to an individual is accurate. Individuals should notify the Company of any changes to information held about them.
The Company will take reasonable steps to ensure that employees will only have access to personal data relating to clients, prospective clients, employees and others where it is necessary for them to do so. The Company have put in place appropriate technical and organisational measures to ensure the security of personal data about individuals. The Company has information security measures in place to prevent unauthorised access to or loss of personal data. Employees will be made aware of these measures and their duties under Data Protection Law, including through regular training.
The Company will only retain personal data as long as necessary or for historical or statistical archive purposes as permitted by the Legal Framework. The Company’s data retention periods are informed by the Company’s relevant legal obligations. All personal data will be disposed of securely.
If an individual believes that the Company has not complied with this Notice or acted otherwise than in accordance with Data Protection Law, they should notify the Finance Director giving details of their complaint and what they expect from the Company to resolve the issue. A referral can also be made, or a complaint can be lodged, with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve a matter where possible directly, before involving the ICO.
This Notice will be reviewed annually by the Company.