1. About this policy
This is the “appropriate policy document” for Edge Goodrich setting out how we will protect Special Categories of Personal Data and Criminal Convictions Data.
This policy supports Edge Goodrich’s Data Protection Policy and adopts its definitions.
This document meets the requirement of the Data Protection Act 2018 that an appropriate policy document be in place when Processing Special Categories of Personal Data and Criminal Convictions Data in certain circumstances.
2. Definitions
Data Controller: An organisation which processes personal data and controls the way it is used.
Criminal Convictions Data: personal data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.
Data Retention Policy: explains how the organisation classifies and manages the retention and disposal of its information. Time periods for retention are set out in the retention schedule.
Data Subject: An individual who can be identified from their personal data.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.
DPA 2018: the Data Protection Act 2018.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the GDPR. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO or refers to the organisation’s data privacy team with responsibility for data protection compliance.
GDPR: the General Data Protection Regulation ((EU) 2016/679).
Personal Data: Information from which an individual can be directly or indirectly identified. Personal Data includes Special Categories of Personal Data.
Privacy Notice: A notice to individuals informing them of their rights and the way their personal data is used.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Special Categories of Personal Data: Categories of particularly sensitive personal information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
3. Why we process Special Categories of Personal Data and Criminal Convictions Data
We process Special Categories of Personal Data and Criminal Convictions Data for the following purposes:
assessing an employee’s fitness to work;
complying with health and safety obligations;
complying with the Equality Act 2010;
checking applicants’ and employees’ right to work/right to rent in the UK;
verifying that candidates are suitable for employment or continued employment;
complying with other legislation e.g. Anti-Money Laundering regulations; and
addressing public health interests and concerns to ensure the safety of our staff, customers and others with whom they may share a household.
Personal data protection principles
The GDPR requires personal data to be processed in accordance with the six principles set out in Article 5(1). Article 5(2) requires controllers to be able to demonstrate compliance with Article 5(1).
We comply with the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
collected only for specified, explicit and legitimate purposes (Purpose Limitation);
adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);
accurate and where necessary kept up to date (Accuracy);
not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation); and
Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
4. Compliance with data protection principles
1. Lawfulness, fairness and transparency
Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
We will only Process Personal Data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding Personal Data to specified lawful purposes. We can Process Special Categories of Personal Data and Criminal Convictions Data only if we have a legal ground for Processing and one of the specific Processing conditions relating to Special Categories of Personal Data or Criminal Convictions Data applies. We will identify and document the legal ground and specific Processing condition relied on for each Processing activity.
When collecting Special Categories of Personal Data and Criminal Convictions Data from Data Subjects, we do so either directly from Data Subjects or indirectly (for example from a third party or publicly available source). We provide Data Subjects with a Privacy Notice setting out all the information required by the GDPR.
For each category of data, the Lawful Processing basis and the Processing condition for Special Categories of Personal Data are as follows.
Data concerning health
Lawful Processing basis: Compliance with a legal obligation (Article 6(1)(c)) or necessary for the performance of a contract with the Data Subject (Article 6(1)(b)).
Processing condition: Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us as the controller or the Data Subject in connection with employment, social security or social protection (Paragraph 1(1)(a), Schedule 1, DPA 2018), or meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018.
Racial or ethnic origin data
Lawful Processing basis: Compliance with a legal obligation (Article 6(1)(c)).
Processing condition: Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us as the controller or the Data Subject in connection with employment, social security or social protection (Paragraph 1(1)(a), Schedule 1, DPA 2018).
Criminal Convictions Data
Lawful Processing basis: Compliance with a legal obligation (Article 6(1)(c)) or in legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject.
Processing condition: Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us as the Controller or the Data Subject in connection with employment, social security or social protection (Paragraph 1(1)(a), Schedule 1, DPA 2018). Meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018 (such as preventing or detecting unlawful acts) (Paragraph 10(1), Schedule 1, DPA 2018).
Equal opportunity data
Lawful Processing basis: In our legitimate interests (Article 6(1)(f)) which are not outweighed by the fundamental rights and freedoms of the Data Subject.
Processing condition: Necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained (Paragraph 8(1)(b), Schedule 1, DPA 2018), or meets one of the substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018.
2. Purpose limitation
Personal Data must be collected only for specified, explicit and legitimate purposes. They must not be further Processed in any manner incompatible with those purposes.
We will only collect Personal Data for specified purposes and will inform Data Subjects what those purposes are in a published Privacy Notice. We will not use Personal Data for new, different or incompatible purposes from those disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary. If we use Personal Data for a new compatible purpose, we will inform the Data Subject first.
3. Data minimisation
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
We will only collect or disclose the minimum Personal Data required for the purpose for which the data is collected or disclosed. We will ensure that we do not collect excessive data and that the Personal Data collected is adequate and relevant for the intended purposes. For example, we will regularly review any special measures that we put in place from time to time in order to address public health concerns and will ease or limit such measures once they are no longer necessary to address the concern.
4. Accuracy
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
We will ensure that the Personal Data we hold and use is accurate, complete, kept up to date and relevant to the purpose for which it is collected by us. We check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
5. Storage limitation
We only keep Personal Data in an identifiable form for as long as is necessary for the purposes for which it was collected, or where we have a legal obligation to do so. Once we no longer need Personal Data it shall be deleted or rendered permanently anonymous and, for example, specific health data which is collected in order to address particular public health concerns from time to time will be isolated within our systems so that it can be easily identified and erased when no longer needed.
We maintain a Data Retention Policy and related procedures to ensure Personal Data is deleted after a reasonable time has elapsed for the purposes for which it was being held, unless we are legally required to retain that data for longer.
We will ensure Data Subjects are informed of the period for which data is stored and how that period is determined in any applicable Privacy Notice.
6. Security, integrity, confidentiality
Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We will implement and maintain reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of or damage to Personal Data, including by strictly limiting access rights to certain datasets.
7. Accountability principle
We are responsible for, and able to demonstrate compliance with, these principles. Our DPO is responsible for ensuring that we are compliant with these principles. Any questions about this policy should be submitted to the DPO.
We will:
Ensure that records are kept of all Personal Data Processing activities, and that these are provided to the Information Commissioner on request.
Carry out a DPIA for any high-risk Personal Data Processing to understand how Processing may affect Data Subjects and consult the Information Commissioner if appropriate.
Ensure that the DPO can provide independent advice and monitoring of Personal Data handling, and that the DPO has access to report to the highest management level.
Have internal processes to ensure that Personal Data is only collected, used or handled in a way that is compliant with data protection law.
5. Our policies on retention and erasure of personal data
We take the security of Special Categories of Personal Data and Criminal Convictions Data very seriously. We have administrative, physical and technical safeguards in place to protect Personal Data against unlawful or unauthorised Processing, or accidental loss or damage. We will ensure, where Special Categories of Personal Data or Criminal Convictions Data are Processed, that:
The Processing is recorded, and the record sets out, where possible, a suitable time period for the safe and permanent erasure of the different categories of data in accordance with our Data Retention Policy.
Where we no longer require Special Categories of Personal Data or Criminal Convictions Data for the purpose for which it was collected, we will delete it or render it permanently anonymous as soon as possible.
Where records are destroyed we will ensure that they are safely and permanently disposed of.
Edge Goodrich is committed to operating its business in a transparent and open manner consistent with our legal and regulatory obligations. We are aware that the real estate industry is a target for organised criminals seeking to launder the proceeds of criminal activity. We always seek to prevent this activity by cooperating fully with the authorities and reporting suspicious activity to the National Crime Agency.
As part of this commitment, we strictly comply with all Anti-Money Laundering rules, with specific emphasis on the Proceeds of Crime Act 2002, the Money Laundering Regulations 2017, the Bribery Act 2010 and the Terrorism Act 2000.
Edge Goodrich's policy commitment is applicable to all of our customers, including vendors, buyers, landlords and tenants. As a result, we obtain and hold for a period of at least seven years evidence pertaining to our customers’ identity and, where appropriate, we obtain proof of ownership of property and source/destination of funds. We will be unable to proceed with any work on behalf of our customers if we are unable to obtain this information. Customers’ identity will be subject to an electronic identity check, which may also include a credit check.
We are registered and supervised by HM Revenue & Customs for compliance with the Money Laundering Regulations 2017. If you would like to speak to us about Anti-Money Laundering, please email email@example.com
You acknowledge that you are solely responsible for the use to which you put this website and all the results and information you obtain from it and that all warranties, conditions, undertakings, representations and terms whether expressed or implied, statutory or otherwise are hereby excluded to the fullest extent permitted by law.
Save in respect of liability for death or personal injury arising out of negligence or for fraudulent misrepresentation, we and all contributors to this website hereby disclaim to the fullest extent permitted by law all liability for any loss or damage including any consequential or indirect loss or damage incurred by you, whether arising in tort, contract or otherwise, and arising out of or in relation to or in connection with your access to or use of or inability to use this website.
Whilst we take every care to ensure that the standard of this website remains high and to maintain the continuity of it, we do not accept any ongoing obligation or responsibility to operate this website (or any particular part of it).
If any part of our terms and conditions is deemed to be unenforceable (including any provision in which we exclude our liability to you) the enforceability of any other part of these conditions will not be affected.
These terms and conditions and your use of this website are governed exclusively by English law.
This does not affect your statutory rights as a consumer.
Edge Goodrich Limited is registered in England and Wales (07632381). Our registered office is at Howsons, PO Box 165, Winton House, Stoke on Trent, ST4 2RW.