What is the UK GDPR?


The UK General Data Protection Regulation (UK GDPR) is a law that governs how UK organisations and some non-UK organisations process personal data. We've got a full guide on this here.


Is Fixflo compliant with UK GDPR?

Fixflo works hard to ensure that we are UK GDPR compliant. We have been advised by, and have followed the advice of, an external Legal Counsel and believe that, under our legal advisors' interpretation of regulations, we are fully UK GDPR compliant.


What is a Data Protection Impact Assessment (DPIA)?

A DPIA is designed to assist organisations to identify, assess and mitigate or minimise privacy risks with data processing activities. Such an assessment should be carried out if organisations process data on a large scale or process data of vulnerable data subjects.


We are aware that our clients may need to do a DPIA for use of the Fixflo system and so we have prepared a template to help with this. To access this you will need to be an Admin of your Fixflo account.


Simply go to Setup > Settings > T&Cs to access your DPIA.


What is a data controller?


A data controller is the person who determines the purposes and means of processing personal data. This means that the data controller decides who to collect data from, and why and how that data will be used. In the context of Fixflo, our clients are the data controllers.


What is a data processor?


A data processor provides a service; they receive data from the data controller, process it and then generate output. This means that the data processor does not decide how or why the data is used. In the context of Fixflo, we are the data processor.

On what basis does Fixflo process personal data on behalf of its clients?


Under the UK GDPR, if a business wants to process personal data it can only do so if it can satisfy at least one of the conditions provided. These include:


  • Legitimate interests – processing is necessary for purposes of legitimate interests
  • Contractual – processing is necessary for the performance of a contract
  • Consent – the individual concerned has consented to the processing

Fixflo relies on the legitimate interests condition. This is on the basis that it is in a landlord’s legitimate interest to maintain its property or properties that are managed using Fixflo.


Do we need the occupier’s consent before we can send them text messages through the Fixflo system?


As the basis for processing personal data is legitimate interests and not consent, you do not need the occupier’s consent to send them text messages through the Fixflo system.


However, you do need to have informed them of the basis on which their personal data is being processed. This can be done via the tenant application form or the tenancy agreement.


Who can access my data?


We will not pass on data to any third party without your consent unless we are required to do so by law or by lawful authority (e.g. court order).



Will data ever be transferred outside of the EU?


Data is not transferred outside of the EU; however, we intend to use Subprocessors to delegate some of our processing activities. A full list of these Subprocessors can be found here [https://www.fixflo.com/privacy-policy]. We will ensure that written agreements, substantially on that Subprocessor's standard terms of business, are entered into in accordance with the Data Protection Requirements.


How long does Fixflo keep personal data for?


We intend to store personal data for the full Term of a Customer's agreement. This is to tie back to your (and your landlords') interest in retaining records during the limitation period for claims.


If you decide to end your contract with us then you will have 30 days to review personal data and up to 60 days to request copies. We will anonymise personal data as soon as reasonably possible after 60 days unless an extension is requested.

Do you have a Data Protection Officer?


Yes, and they can be contacted at dpo@fixflo.com.


What data controls and risk management processes does Fixflo have in place?


We have relatively sophisticated controls and processes in place. A copy of our IT and data protection policy can be provided on request.

Can I audit your security and technical measures on the protection of data?


Yes, although we cannot grant access to premises we do not control e.g. Microsoft’s data centre.


Do you have a security breach notification process in place?

Yes, we have a process in place which has been reviewed and approved by our external legal advisor as being GDPR compliant.

Please note that whilst every effort has been made to ensure the accuracy of the information provided, it does not constitute legal advice and cannot be relied upon as such.