GDPR compliance is ultimately the responsibility of the data controller who has collected data belonging to individuals, even if they have entrusted processing of some or all of this data to a data processor.
In this case, an agency is the data controller who has collected personal data from its customers, e.g. tenants and landlords. However, the agency will in turn employ the services of software providers such as ourselves at RentPro to help you in the running of your business, and this will involve entrusting this personal data to our care. Since the tenant and landlord data subjects are ultimately your responsibility, you must satisfy yourself that we are trustworthy, i.e. GDPR-compliant.
Any requests from data subjects such as tenants, buyers, vendors, landlords, or suppliers must be submitted to and processed by the agency as the data controller for these individuals. Any such requests made directly to RentPro will be redirected to the appropriate data controller for consideration.
However, we can provide some guidance on how you can handle the most common requests. You should make it clear to your data subjects that any such requests should be formally submitted to your business either in writing or by email, and set the expectation on the response time.
Establishing the legal basis for processing personal data
For all personal data which you collect, store and process regarding individuals, you should be clear about the legal basis for collecting this data, and quite often it does not come down to gaining explicit consent as people often believe.
Storing contact details such as names, addresses, emails and phone numbers is often completely necessary in order for you to be able to deliver your service to your customers and you don't rely on consent for this; rather, it is processed on the grounds of contractual obligation. Beyond your contract, you may need to retain financial information and again you don't require explicit consent for retaining invoices and transaction history, since this is processed on the grounds of legitimate interest.
However, be very careful that you consider ALL data which you are collecting and only hold the minimum amount necessary for the purpose, and only for as long as you need it. You may not have justification for holding bank account details once you have stopped making payouts to a former landlord, so you should delete those elements, but you may have grounds for maintaining his phone number.
Also, be very sure that you don't use data for purposes other than those which you have specified to the individual. You cannot share emails with third parties for marketing purposes if you have not made it clear at the signup stage that you are doing this, since you must have consent for this type of activity, and in that case you clearly would not.
Amending incorrect information
This is achieved within our products by simply updating the relevant contact information on the record in question, e.g. a tenant or landlord contact details form.
Requests for data to be erased / forgotten
Not all requests to be forgotten need to be processed fully; it depends on whether you have a legitimate legal basis for retaining some or all personal data which supersedes the data subject's erasure request.
The most obvious example is a landlord asking to have his personal details removed from your system since he is no longer a customer. However, if you have issued invoices to and collected payments from this individual then you have a valid legal basis to retain some personal data so you can correlate invoices to this person for accounting purposes.
A compromise may be to remove that data which is now redundant, e.g. email addresses, phone numbers, registration details, bank accounts, date of birth, and perhaps even postal addresses, but retain either the landlord name or some form of reference identifier which allows your business to match invoices and payments to the individual if required.
Access to data stored on an individual
This information should be made available to the requesting data subject in an electronic format within a reasonable period, typically 30 days, free of charge.
You may retrieve the pertinent information directly from the tabs on the relevant record, e.g. the tenant tabs and accounting reports, and copy and paste this into a spreadsheet. Alternatively, provided you have the access privileges, you can export this data in CSV format from RentPro via Admin > Export, or from ShowHouse via Settings > Agency > Export Data, and then filter and extract the data belonging to the data subject in question, again preparing this in a spreadsheet format for maximum portability.
Useful links
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf