Requirements and obligations on the Dandara Group of Companies (“the Dandara Group” or “the Group”) surrounding the processing and protection of personal data emerge from legislation, regulations, and other guidance (collectively referred to as “the legislation”) in the various countries in which the Group carries out its operations. In Europe, this framework reflects the provisions of European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data, and from 25th May 2018 will reflect European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and Directive 2002/58/EC on Privacy and Electronic Communications.
The purpose of data protection legislation is to provide individuals with protection with regard to the processing of personal data about them. Legislation in each country where Dandara carries out operations sets out requirements regarding the collection, processing, keeping, use and disclosure of certain information relating to individuals that must be followed by each relevant Group entity which handles personal data.
Due to the group structure and geographical spread of activities, a number of group companies have been identified as “data controllers” and entries made in the Data Protection Registers in the appropriate locations. The Group’s registrations are reviewed and updated from time to time.
At Dandara, we process certain personal data about living individuals including past, present and prospective customers, employees and suppliers for the purposes of satisfying operational needs and legal obligations. The Group recognises the importance of the correct and lawful treatment of personal data as this maintains confidence in the organisation and provides for successful operations. The Group is therefore committed to using all reasonable endeavours to ensure compliance with the requirements of the legislation that applies to it. Consequently, it will strive to create an awareness among staff on the purposes for which the Group processes personal data, and the obligations that both the Group and its employees are under when processing personal data.
All staff are expected to apply this Policy and to seek advice when required. Further information on data protection for employees is included in the staff handbook. All areas of the business are affected by this policy, particularly the HR and sales and marketing functions, and other customer facing departments such as lettings and customer care.
For the purposes of understanding this Policy, these terms have the following meanings:
When processing personal data, the Directors require that the following fundamental principles are followed by employees of the Group at all times:
In order to put into practice the essence of the above-mentioned principles, the Group should strive to observe fully the conditions regarding the fair collection and use of personal data, will meet its obligations to specify the purposes for which personal data is used, and will collect and process appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements. The Group will at all times seek to ensure the quality of personal data used, and apply strict checks to determine the length of time personal data is held for. Moreover, staff are expected to ensure that the rights of individuals about whom the personal data is held can be fully exercised under the relevant legislation, and ensure that personal data is not transferred abroad or within the Group without suitable safeguards.
The Group will strive to invest in adequate security technologies and maintain strict information security policies designed to prevent unauthorised access to personal data by anyone, including the Group’s own staff. The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that any personal data which they hold is kept securely, and that personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party. Staff having permitted access to personal data are specifically required to comply with the Group’s Information Security Policies.
The Group should operate on the basis that all data subjects about whom data is held are made aware of the Group’s need to process such data for operational purposes. Where the data being processed constitutes ‘special categories of data’, express consent to process the data must be obtained. Processing may even be necessary to comply with legislation (such as health and safety, Landlords and Tenants Acts or anti-discrimination rules), in which case the Group should not seek to legitimise this processing through consent, since this could give the data subject a false impression of a genuine free choice to withdraw the consent. From time to time, the Group may also be required to disclose personal data to governmental bodies or agencies (e.g. police), but will only do so under proper authority and circumstances.
Where Group entities enter into an agreement with a data processor, such as in instances of outsourcing of certain back-office activities, it shall ensure that there is a written agreement between the Group entity (as data controller) and the data processor that ensures that sufficient technical and organisational security measures are applied to that personal data, and that the data is not processed except under the instructions of the Group entity in the circumstances specifically set out in the agreement.
The Group will not disclose information to any third party unless management believes that it is lawful to do so. The Group should only transfer personal data to a country outside the EEA if the country to which the information is being transferred has an adequate level of protection to ensure the privacy and fundamental rights and freedoms of the data subjects whose data would be transferred, or if one of a number of measures stipulated by law is met, such as where the transfer is required or authorised under law, where the data subject has given his/her consent, the transfer is necessary for the performance of a contract or the conclusion of a contract, or where the party to whom the Group is sending the data enters into an agreement with the Group based on approved contractual provisions.
It is important that one of these conditions is also met where data is being transferred to entities within the Group that are situated outside the EEA.
Individuals have a right to access any personal information processed by or on behalf of the Group in relation to them, whether it is kept on computer or on a paper-based medium held in manual filing systems. Data subjects are also entitled to have any personal data in their respect rectified, blocked or erased if such action does not conflict with legal obligations on the relevant entity. The Group owes a duty of care to the data subject and will strive to facilitate and comply with these requests in a timely and comprehensive manner, and in a cost-effective way.
No access requests should be considered unless they are received in writing. Any formal requests from data subjects regarding information held on them must be referred to the Data Protection Officer in the first instance. All access requests received from customers must be complied with within one month of receipt of such request, unless the request is particularly complex or there are numerous requests, in which case the Group may extend the period by up to an additional 2 months. The Group cannot charge for access requests unless the request is manifestly unfounded or excessive. Where a data subject requests a Group entity to cease using the data for a particular purpose, that entity must comply with that request as soon as possible (unless there is some other reason why the Group entity needs to retain the data, such as an express legal obligation) and notify the data subject in writing accordingly. In instances where the data subject has the reasonable belief that the data will be erased by the entire Group rather than the particular entity, then in accordance with best practice the Data Protection Officer will take the necessary steps to comply with that request.
The Directors understand that there may be circumstances where the right of access to information does not apply. Staff should look to discuss with the Data Protection Officer and in-house legal team to clarify these instances.
The Group may send direct marketing material related to its products and upcoming projects, or from carefully selected third parties that may provide products or services to us or our customers. The Directors acknowledge that customers have a right to request not to receive direct marketing material by informing the Group or one of the Group entities in an appropriate manner.
It is legitimate to send existing customers marketing information (whether through electronic medium or postal system) about related products provided by the Group, provided that the individual has expressly opted in and the right to opt-out is included with each marketing message and provided that the same individual has not previously requested not to receive further marketing information from the entity concerned. With regard to unsolicited direct marketing using electronic media, individuals who are not customers of the entity concerned should not be sent any such material unless the individual “opts-in” to receive such marketing or the individual had forwarded these contact details for electronic mail in relation to a product or service offered by the same entity.
The Group should implement a responsible marketing policy, and should seek to respect an individual’s wishes in terms of protection of privacy at all times.
The Group will need to keep some forms of information for longer than others. All staff are responsible for ensuring that information is not kept for longer than necessary. Each department is responsible for agreeing the retention criteria and period of retention applicable to information held, having regard to statutory requirements and other relevant factors. Advice and guidance can be provided by the Data Protection Officer, or the in-house legal team.
Being engaged in a variety of services, the Group will in the course of its business hold various types of personal data about individuals. It is therefore of the utmost importance that staff adhere to the contents and principles of this Policy. Where required, staff will be trained on data protection principles, and instances of non-compliance may bring about disciplinary action commensurate with the severity of the offence.
The Data Protection Officer is contactable on the following:
Email: dpo@dandara.com
Phone: 01624 693404
EU Law on Data Protection:
Republic of Ireland
and amending statutory instruments and any subsequent or amending legislation
United Kingdom (and Scotland)
and amending statutory instruments and any subsequent or amending legislation
Bailiwick of Jersey
and supporting regulations and any subsequent or amending legislation
Isle of Man
and supporting regulations and any subsequent or amending legislation
Bailiwick of Guernsey
and amending statutory instruments and any subsequent or amending legislation
Last updated 19th November 2018