Prop247 Data Protection Policy

Last updated 1st January 2026

1. Introduction

At Prop247, we are committed to protecting the privacy and security of personal data. This Data Protection Policy outlines how we collect, use, store, share, and protect personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

As a letting and property management business, we process a significant amount of personal data belonging to landlords, tenants, guarantors, contractors, and our own staff. We recognise our responsibilities as a 'Data Controller' and, in some cases, a 'Data Processor', and are committed to upholding the rights of individuals regarding their personal data.

2. Scope

This policy applies to all personal data processed by Prop247, regardless of how it is collected, stored, or used. It covers all employees, contractors, agents, and any third parties who process data on our behalf.

3. Data Protection Principles (UK GDPR)

We adhere to the seven core principles of UK GDPR:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
    • Compliance: This is the foundational principle, requiring clear communication via Privacy Notices.
  • Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes.
    • Compliance: Ensures data is not used for unrelated activities.
  • Data Minimisation: We collect only adequate, relevant, and limited data necessary for the purposes for which it is processed. We do not collect excessive information.
    • Compliance: Reduces risk by limiting the amount of personal data held.
  • Accuracy: We take every reasonable step to ensure personal data is accurate and, where necessary, kept up to date. Inaccurate data will be rectified or erased without delay.
    • Best Practice: Crucial for efficient operations and preventing errors (e.g., incorrect contact details for emergency repairs).
  • Storage Limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
    • Compliance: A core UK GDPR requirement that necessitates a Data Retention Schedule.
  • Integrity and Confidentiality (Security): We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
    • Compliance: Requires robust security measures and incident response.
  • Accountability: We are responsible for, and must be able to demonstrate compliance with, the above principles. This includes maintaining records of processing activities.
    • Compliance: Requires documenting policies, procedures, and actions.

4. ICO Registration

Prop247 is registered with the Information Commissioner's Office (ICO), which is the UK's independent authority set up to uphold information rights in the public interest. Our ICO registration number is ZB755528.

    • Compliance: Mandatory for businesses processing personal data in the UK.

5. Roles and Responsibilities

  • Senior Management: Responsible for ensuring the company complies with data protection legislation and for approving this policy.
  • Data Protection Officer (DPO) / Designated Data Protection Lead: [Name/Role, e.g., "The Director" or "Operations Manager"].
    • Responsibilities: Overseeing data protection strategy and implementation, advising on GDPR compliance, handling Subject Access Requests, managing data breaches, and liaising with the ICO.
    • Compliance: While a full DPO is only mandatory for certain organisations (public authorities or those processing large-scale special category data), designating a lead for a property business is a strong best practice and often implied by ICO guidance for smaller organisations.
  • All Staff: All employees and contractors are responsible for understanding and adhering to this policy and for reporting any suspected data breaches.

6. Types of Personal Data we Collect

We collect various types of personal data to provide our services. This may include (but is not limited to):

  • Landlords: Name, address, contact details (phone, email), bank details, property details, mortgage information, insurance details, tax status, identity documents (passport, driving licence), utility provider details.
  • Tenants/Applicants: Name, address, contact details, date of birth, previous addresses, employment history, income details, bank details, credit history, references (employer, previous landlord), identity documents (passport, visa/Right to Rent), next of kin/emergency contact details, special needs/accessibility requirements (where relevant and with explicit consent), pets.
  • Guarantors: Name, address, contact details, employment/income details, bank details, credit history, identity documents.
  • Contractors: Name, company details, contact details, bank details, insurance details, qualifications, VAT number.
  • Employees: As per standard HR policies, including sensitive data like health information, next of kin, bank details, tax information, etc.

7. How We Collect Personal Data

We collect personal data through various methods, including:

  • Directly from individuals (e.g., application forms, phone calls, emails, in-person meetings, website enquiries).
  • From third-party referencing agencies (with consent).
  • From previous landlords or employers (with consent).
  • Through publicly available sources (e.g., property portals, Companies House, electoral roll – only where lawful basis exists).
  • From utility companies or local authorities (as necessary for tenancy management).

8. Lawful Basis for Processing Personal Data

We process personal data only when we have a legitimate lawful basis for doing so under UK GDPR. Our primary lawful bases include:

  • Contract: Processing is necessary for the performance of a contract with the data subject (e.g., a tenancy agreement, a management agreement with a landlord) or to take steps at their request before entering into a contract (e.g., processing an application).
  • Legal Obligation: Processing is necessary to comply with a legal obligation (e.g., Right to Rent checks, Anti-Money Laundering (AML) checks, sharing data with HMRC, local authorities, or tenancy deposit schemes).
  • Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, provided these interests do not override the data subject's fundamental rights and freedoms (e.g., using a referencing agency, pursuing unpaid rent, marketing activities where specific consent isn't required). We conduct Legitimate Interest Assessments (LIAs) where appropriate.
  • Consent: Where none of the above apply, we will obtain explicit, informed, and unambiguous consent from the data subject for specific processing activities (e.g., for non-essential marketing, or processing special category data like health information for accommodation adjustments). Individuals have the right to withdraw consent at any time.
    • Compliance: Detailing lawful bases is a core UK GDPR requirement and crucial for justifying data processing.

9. How We Use Personal Data

We use personal data for the following purposes:

  • Property Lettings: Assessing suitability of applicants, conducting referencing, drawing up tenancy agreements, managing deposits.
  • Property Management: Collecting rent, arranging repairs and maintenance, conducting inspections, liaising with utility providers, managing tenancy renewals/terminations.
  • Compliance: Fulfilling legal obligations such as Right to Rent checks, AML checks, providing data to tenancy deposit schemes, and responding to lawful requests from authorities.
  • Communication: Corresponding with landlords, tenants, guarantors, and contractors regarding properties, tenancies, and services.
  • Financial Administration: Processing payments, managing accounts, producing statements.
  • Dispute Resolution: Handling complaints and disputes (e.g., via The Property Ombudsman or Property Redress Scheme).
  • Marketing (where appropriate): Sending relevant property alerts or service updates (with consent where required).
  • Internal Operations: Staff management, training, business planning, and record keeping.

10. Sharing Personal Data

We may share personal data with trusted third parties where necessary for the provision of our services, or where legally required. All third parties are subject to strict data protection agreements and are only permitted to process data for specified purposes.

  • Landlords: To inform them of tenancy details, repairs, etc.
  • Tenants/Applicants: (For let-only or managed properties) to landlords, guarantors, referencing agencies.
  • Referencing Agencies: To conduct necessary checks on applicants and guarantors.
  • Tenancy Deposit Schemes: To register and manage tenancy deposits.
  • Utility Providers and Local Authorities: To notify them of changes in occupancy and ensure correct billing.
  • Maintenance Contractors: To arrange and carry out repairs and maintenance.
  • Professional Advisers: Solicitors, accountants, insurance providers.
  • Redress Schemes: The Property Ombudsman (TPO) or Property Redress Scheme (PRS) for dispute resolution.
  • Government Bodies/Law Enforcement: HMRC, local councils, police, immigration authorities, courts (where legally obliged).
  • Third-Party IT Service Providers: For secure data storage, email hosting, software support (e.g., CRM systems).
    • Compliance: All sharing must have a lawful basis and be transparent via the Privacy Notice. Data Processor agreements must be in place.

11. International Data Transfers

We generally do not transfer personal data outside the UK or the European Economic Area (EEA). If such a transfer becomes necessary, we will ensure that appropriate safeguards are in place to protect personal data, such as standard contractual clauses, or reliance on adequacy decisions. Any such transfers will be detailed in our Privacy Notice.

12. Data Security

We implement robust technical and organisational measures to protect personal data from unauthorised access, unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Access Controls: Restricting access to personal data on a 'need-to-know' basis.
  • Password Policies: Enforcing strong, unique passwords and multi-factor authentication where available.
  • Encryption: Using encryption for sensitive data both in transit (e.g., via secure email) and at rest (e.g., on encrypted hard drives or cloud storage).
  • Network Security: Firewalls, anti-virus software, and regular security updates.
  • Physical Security: Secure storage of hard copy documents (locked filing cabinets) and restricted access to office premises.
  • Staff Training: Regular training for all staff on data protection best practices and security awareness.
  • Secure Disposal: Secure shredding of paper documents and secure deletion/overwriting of electronic data.
  • Backup and Recovery: Regular backups of data to prevent loss, with tested recovery procedures.
    • Best Practice: Detailing specific security measures enhances accountability and demonstrates commitment.

13. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. Our Data Retention Schedule (a separate internal document) outlines specific retention periods for different categories of data.

Examples of typical retention periods in property management include:

  • Tenancy Agreements & Related Documents (including references, Right to Rent checks): Generally, 7 years after the end of the tenancy, due to potential legal claims and HMRC requirements. Right to Rent documents must be kept for at least 2 years after the tenancy ends.
  • Financial Records: 6 years plus the current year for HMRC purposes.
  • AML Documentation: 5 years after the end of the business relationship.
  • Enquiry Data (for unsuccessful applicants): Usually 6-12 months, unless specific consent has been given for longer retention for future opportunities.
  • HR Records: Specific periods apply as per employment law.
    • Compliance: The "storage limitation" principle of UK GDPR mandates clear retention periods and regular review.

14. Your Data Protection Rights (Data Subject Rights)

Under UK GDPR, individuals have specific rights regarding their personal data. We are committed to upholding these rights:

  • Right to be Informed: You have the right to be informed about how we collect and use your personal data. This policy and our Privacy Notice serve this purpose.
  • Right of Access (Subject Access Request - SAR): You have the right to request a copy of the personal data we hold about you.
    • Procedure: Requests should be made in writing via email or post to [Your Designated DPO/Data Protection Lead Email/Address]. We will verify your identity to ensure data security. We will respond to your request without undue delay and within one calendar month from the date of receipt. In complex cases, this period can be extended by a further two months, but we will inform you of the delay and the reasons within the initial month. We will generally provide the information free of charge, but may charge a reasonable fee if the request is manifestly unfounded, excessive, or repetitive.
    • Compliance: This is a fundamental right. The ICO provides detailed guidance on SARs, including response times and permissible fees.
  • Right to Rectification: You have the right to request that inaccurate personal data we hold about you is corrected without undue delay.
  • Right to Erasure (Right to be Forgotten): You have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This right is not absolute and does not apply if we have a legal obligation or a compelling legitimate interest to retain the data.
  • Right to Restriction of Processing: You have the right to 'block' or suppress the processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services.
  • Right to Object: You have the right to object to the processing of your personal data where we are relying on legitimate interests or direct marketing.
  • Rights in relation to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
    • Compliance: All these rights are explicitly defined by UK GDPR. Businesses must have procedures to handle requests.

15. Data Breach Procedure

In the event of a personal data breach (e.g., unauthorised access, loss, destruction, or alteration of personal data), we will:

  • Containment: Take immediate steps to contain the breach and prevent further damage.
  • Assessment: Assess the risks to individuals' rights and freedoms.
  • Notification to ICO: If the breach is likely to result in a high risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach.
  • Notification to Data Subjects: If the breach is likely to result in a high risk to individuals, we will inform the affected individuals directly without undue delay.
  • Investigation and Rectification: Conduct a thorough investigation into the cause of the breach and implement measures to prevent recurrence.
  • Record Keeping: Maintain a comprehensive record of all data breaches, regardless of whether they are reported to the ICO or individuals.
    • Compliance: The ICO has strict guidelines on data breach management and reporting.

16. Training and Awareness

All staff members receive regular training on data protection principles, this policy, and their responsibilities in handling personal data. New staff members receive training as part of their induction. This ensures a high level of awareness and compliance across the organisation.

  • Best Practice: Essential for fostering a data-protection-aware culture and a key aspect of accountability.

17. Review and Updates

This Data Protection Policy will be reviewed regularly, at least annually, and updated as necessary to reflect changes in legislation, best practice, or our business operations.

  • Best Practice: Ensures ongoing compliance in a dynamic regulatory environment.

18. Contact Information

If you have any questions about this Data Protection Policy or how we handle your personal data, please contact our Data Protection Lead:

  • Irvine Conner, Prop 247
  • Email: [email protected] (use Subject: Data Protection)

19. Right to Complain to the ICO

If you are dissatisfied with how we have handled your personal data or your data protection rights, you have the right to make a complaint to the Information Commissioner's Office (ICO).

  • Information Commissioner's Office (ICO)
  • Website: www.ico.org.uk
  • Helpline: 0303 123 1113