Our Complete Guide to GDPR
What is the GDPR?
The General Data Protection Regulations are a new set of pan-European regulations which seek to impose greater unity across the EU around the handling of the personal data of individuals and come into force on 25 May 2018.
Will this replace the Data Protection Act 1998?
In 2017, the UK government published the first draft of the Data Protection Bill (due to become the Data Protection Act 2018). This will replace the current DPA, bringing EU GDPR standards into UK law. The DPA deals exclusively with data protection for the UK (as will the Data Protection Bill), whilst the GDPR is designed to raise standards and introduce a consistent approach to data protection across the EU.
Is Fixflo compliant with GDPR?
Fixflo has been working hard to prepare for the changes being introduced by the GDPR. We have been advised by and have followed the advice of external legal Counsel and believe that on our and our legal adviser’s interpretation of the regulations we will be fully GDPR compliant by 25 May 2018.
What changes are included in the Data Protection Addendum (DPA)?
The changes only relate to the GDPR. The DPA sets out the data protection measures that we have put in place to comply with GDPR. In particular, the DPA sets out the scope, nature, purpose and duration of the data processing carried out by Fixflo. It also describes the types of personal data and categories of data subject.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is designed to assist organisations to identify, assess and mitigate or minimise privacy risks with data processing activities. Such an assessment should be carried out if organisations process data on a large scale or process data of vulnerable data subjects.
We are aware that our clients may need to do a DPIA for use of the Fixflo system and so we have prepared a template to help with this. To access this you will need to be an Admin of your Fixflo account.
Simply go to Setup > Settings > T&Cs to access your DPIA.
What is the Statement of Data Usage?
This statement explains how the personal data of data subjects is used through the Fixflo system. We have produced this to help our clients with their own GDPR internal compliance.
You can access your Statement of Data Usage by going to Setup > Settings >T&Cs within Fixflo. Please note you will need to be an Admin of your account to access this.
What is a data controller?
A data controller is the person who determines the purposes and means of processing personal data. This means that the data controller decides who to collect data from, and why and how that data will be used. In the context of Fixflo, our clients are the data controllers.
What is a data processor?
A data processor provides a service; they receive data from the data controller, process it and then generate output. This means that the data processor does not decide how or why the data is used. In the context of Fixflo, we are the data processor.
On what basis does Fixflo process personal data on behalf of its clients?
Under the GDPR, if a business wants to process personal data it can only do so if it can satisfy at least one of the conditions provided. These include:
- Legitimate interests – processing is necessary for purposes of legitimate interests
- Contractual – processing is necessary for the performance of a contract
- Consent – the individual concerned has consented to the processing.
Fixflo relies on the legitimate interests condition. This is on the basis that it is in a landlord’s legitimate interest to maintain its property or properties that are managed using Fixflo.
Do we need the occupier’s consent before we can send them text messages through the Fixflo system?
As the basis for processing personal data is legitimate interests and not consent, you do not need the occupier’s consent to send them text messages through the Fixflo system.
However, you do need to have informed them of the basis on which their personal data is being processed. This can be done via the tenant application form or the tenancy agreement.
Who can access my data?
We will not pass on data to any third party without your consent unless we are required to do so by law or by lawful authority (e.g. court order).
Is data stored within the EU?
All of our data is stored within the EU. A list of our sub-processors is available in our privacy notice on our website.
Will data ever be transferred outside of the EU?
For clients that are based in the EU, we will never transfer data outside of the EU.
How long does Fixflo keep personal data for?
We intend to store personal data for a period of 6 years from completion of the relevant transaction (being completion of a repair request in the case of Fixflo and completion of a repair in the case of Fixflo Plus). This is to tie back to your (and your landlords’) interest in retaining full records during the limitation period for claims.
If you decide to end your contract with us then you will have 30 days to review personal data and up to 60 days to request copies. We will anonymise personal data as soon as reasonably possible after 60 days.
Do you have a Data Protection Officer?
Yes, Katie Buxton is our Data Protection Officer and can be contacted on firstname.lastname@example.org
What data controls and risk management processes does Fixflo have in place?
We have relatively sophisticated controls and processes in place. A copy of our IT and data protection policy can be provided on request.
Can I audit your security and technical measures on the protection of data?
Yes, although we cannot grant access to premises we do not control e.g. Microsoft’s data centre.
Do you have a security breach notification process in place?
Yes, we have a process in place which has been reviewed and approved by our external legal advisor as being GDPR compliant.
Please note that whilst every effort has been made to ensure the accuracy of the information provided, it does not constitute legal advice and cannot be relied upon as such.