This is the website privacy policy for York Estates. It explains how and why we use personal data and what we do to ensure information is kept safe and secure.

This policy explains:

  1. Who we are, and how to contact us

  2. When we collect personal data

  3. What personal data we collect, and who it relates to

  4. Why we process personal data

  5. Information for job applicants

  6. Communications

  7. Cookies and our website

  8. Recipients of personal data

  9. How long we store personal data for

  10. How we keep personal data safe

  11. International transfers

  12. Your rights as a data subject

  13. Changes to this policy

1.        Who We Are and How to Contact Us

We are Yorkbridge Limited (trading as York Estates), a limited company with registered number 02062196, having our registered office at 5th Floor, 89 New Bond Street, London, W1S 1DA. We are registered as a data controller with the Information Commissioner’s Office (ICO) with registration number ZA152611.

If you have questions about this policy or your personal data, please contact our Data Protection Team by writing to our office address or by emailing julia@yorkestates.co.uk with the subject line “Data Protection”.

For the purposes of applicable data protection and privacy laws (Data Protection Laws) we are a controller of your personal data. This means we are responsible for deciding how and why we use personal data, and for keeping it safe.

2.        When We Collect Personal Data

We collect personal data (meaning information which relates to an identifiable individual) in a number of ways. These are described in more detail below.

Personal Data We Collect From You

Often the personal data we hold is provided to us by the individual it relates to, for example when someone:

  • Enquires about our services (for example, by telephone or email or in person) or fills in a form on our website;

  • Registers or becomes a client (including a landlord, seller, buyer or tenant);

  • Provides us with their contact details and asks to receive news or correspondence.

We also process personal data relating to our dealings with an individual, which can include:

  • Information generated in the course of providing estate agency services (including letting and management of properties);

  • Contact details included in correspondence (for example, email signature information);

  • Bank details relating to payments we receive.

Personal Data Received From Third Parties

We are sometimes provided with personal data by third parties. For example, if you apply for a tenancy, we will collect information from referees on behalf of the landlord before you enter into a lease (we will also share copies of your references to the landlord for the purposes of being approved for a proposed tenancy).  

3.        What Personal Data We Collect and Who It Relates To

Depending on our relationship with you, the personal data we process may include:

  • Personal details and contact information (such as name, address, telephone and email address);

  • Information about relationships to others (e.g. guarantors);

  • Bank details;

  • Correspondence and communication between you and us;

  • Feedback or complaints you provide about our services;

  • Personal and professional references;

  • Identity documents (such as passport, driving licence); and

  • Information about your home and property.

We may, on occasion, process other types of personal data, including additional categories of “sensitive personal data”. For example, if a client has made us aware of a medical condition they suffer from.

We also process personal data on individual contacts at businesses and other organisations (such as professional advisers). We use this information for the purpose of our legitimate interests in running our business and building relationships with suppliers and other organisations.

4.        Why We Process Personal Data

We will either use personal data on the basis of someone’s consent (provided it is freely given, specific, informed, unambiguous and positively given) or because we need to for one or more of the following reasons:

  • Perform a contractual obligation we owe that individual (e.g. if we agree to sell someone’s property for them);

  • In order to comply with legal and professional obligations (such as record keeping requirements, permitting regulatory audits, or disclosing information where required by Data Protection Laws or other applicable laws); and

  • To pursue our legitimate interests in operating and promoting the success of our business (such as using contact details for marketing purposes).

5.        Information for Job Applicants

We collect, store and use personal data about individuals who apply to join York Estates. This may include information:

  • Provided to us (such as in CVs, application forms, and through correspondence);

  • Provided during an interview;

  • Obtained from previous employers and referees;

  • Provided to us by recruitment agencies; and

  • Received as a result of our carrying out background checks.

We may carry out a check for criminal convictions in order to satisfy ourselves that there is nothing in an applicant’s history which makes him or her unsuitable for the role. We do this because working with us involves a high degree of trust.

We only carry out criminal records checks and ask for references at the last stage of the application process, when making an offer of employment.

How We Use Applicant Information

We use the personal data we collect to:

  • Assess an applicant’s skills, qualifications, and suitability for a role;

  • Carry out background and reference checks;

  • Communicate with an applicant about the recruitment process;

  • Keep records related to our hiring process; and

  • Comply with legal or regulatory requirements.

We do all of this either because it is necessary in order for us to enter into a contract of employment or because we have a legitimate interest in ensuring an applicant is suitable for a particular role. Without this personal data, we will not be able to process an application successfully.

If we need to process sensitive personal data about a job applicant, for example disability information in order to consider whether we need to provide appropriate adjustments during the recruitment process, we will ask for explicit consent to do this at the time at which we request the data.

Retention of Applicant Information

We normally retain personal data about unsuccessful applicant for between 3 and 6 months from the time we inform them of our hiring decision. We retain personal data for this period so we can demonstrate, in the event of a legal claim, that we have not discriminated against an applicant and that the recruitment process was fair and transparent. After this period, we will securely destroy the applicant’s personal data. If we wish to retain personal data on file, in case future opportunities arise, we will contact the applicant and ask for his or her consent to do so.

If an applicant is successful, some of the personal data provided in the application process will be stored as part of the staff member’s personnel file, and any unnecessary information will be securely destroyed.

6.        Communications

We use personal data to contact people from time to time. This might be because we are providing that person with services for example:

  • When selling or letting a property we would contact the seller or landlord to update them on viewings and enquiries;

  • We would contact a tenant about renewal or expiry of a tenancy, or for the purposes of arranging repairs or safety checks in order to comply with legislation; and

  • We would notify a prospective buyer or tenant registered with us if a suitable property came onto the market.

Marketing

We sometimes send out news and marketing communications. We will only contact individuals in a personal capacity with email or SMS text marketing if they have specifically asked to receive marketing emails or texts.

We may contact people by post (either personally or by way of a leaflet drop) or by telephone (provided they are not registered with the telephone preference service).

We sometimes send emails to other companies and organisations without their prior consent. We do this in order to promote our services and build relationships. If we have contacted you like this, it is because we think these communications may be of interest or relevance to you (usually on the basis of our previous dealings with you or a recommendation from a third party).

You can change how you hear from us or unsubscribe from marketing at any time by clicking the “unsubscribe” link on any of our emails, or by emailing julia@yorkestates.co.uk with the subject line “unsubscribe.”

7.        Cookies and Our Website

We do not normally collect personal data about visitors to our website unless they choose to provide such information (such by filling in a website form).

We may collect anonymous information about visitors to our website in order to optimise and improve the website. This might include IP addresses, browser or device details and the connection type (e.g. the Internet service provider used). However, none of this information will by itself directly identify any particular user.

Hyperlinks to Other Sites

Our website may contain hyperlinks to third-party websites. We are not responsible for the content or functionality of any of those external websites.  If an external website requests personal data from you the information you provide will not be covered by this policy. We suggest you read the privacy policy of any website before providing any personal data.

8.        Recipients of Personal Data

Personal data you provide to us will be kept private and confidential, and we will not disclose or share it with other data controllers for our own purposes other than in exceptional situations. For example:

  • If we are legally required to disclose personal data, such as where we are required to provide information to law enforcement, or pursuant to a request from a regulator or a court order;

  • If necessary with our professional advisers such as lawyers or accountants; or

  • If connection with a corporate transaction (for example a merger or investment).

We sometimes share personal data with third parties who provide services to us (for example, IT providers).  However, these service providers will only process personal data on our behalf, for specified purposes, and in accordance with our strict instructions.

We only use third party service providers who have provided sufficient guarantees that your personal data will be kept safe, and we always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to us.

We sometimes have to share personal data 3rd parties as part of the services we provide. For example:

  • If you buy or sell a property with us we may need to share information with your solicitors; or

  • If you are a tenant in a property we let or manage we will share your details (including references) with the landlord and may need to share your name and contact details with contractors such as plumbers and electricians.

9.        How Long We Store Personal Data For

We only store personal data for as long as is necessary for the purpose(s) it was collected for, or for related compatible purposes (such as record keeping, in order to comply with legal and regulatory and requirements or because information may be required if a claim later arises).

We usually only process personal data for the duration of the services we provide (such as the completion of a transaction, or the management of a tenancy) and then a further period of 7 years (for accounting requirements and to protect ourselves in case of a potential claim).

When deciding how long to retain personal data for, we will determine the appropriate retention period for personal data by considering the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Once personal data is no longer required it will be securely destroyed.

10.    How We Keep Personal Data Safe

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. These include both physical security measures (such as keeping paper files in secure premises and shredding them when no longer required) and electronic security technologies (such as device encryption, anti-virus protection and secure backups).

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to strict legal and contractual confidentiality obligations.

We have put in place procedures to deal with any suspected personal data breach and will notify you, the ICO and any other relevant regulatory body of a breach when legally required to do so.

11.    International Transfers

We normally only store personal data within the European Economic Area (EEA). However, some of the third-party services we use from time to time may be provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we will take steps to make sure that any personal data they process on our behalf is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:

  • Ensuring the recipient is in a country which the EU Commission has deemed provides adequate protection for personal data;

  • Implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the appropriate data protection supervisory authorities; or

  • (If the recipient is based in the USA) transferring personal data to recipients who are certified under the EU-US Privacy Shield scheme.

If none of the above apply, we will only transfer personal data pursuant to a derogation under Data Protection Law which allows us to do so.

12.    Your Rights as a Data Subject

Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:

  • The right to access your personal data. This enables you to receive a copy of the personal data we hold about you.

  • The right to request correction or completion of personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.

  • The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data (though this may not apply where we have a good, lawful reason to continue using the information in question). You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

  • The right to object to processing of your personal data. You can object to us processing personal data for legitimate interests purposes or for direct marketing.

  • The right to restrict how your personal data are used. You can limit how we use your information (primarily to storage or for use in legal claims).

  • The right to have a portable copy or transfer your personal data. We will provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to automated information we process on the basis of your consent or in order to perform a contract.

  • The right to withdraw consent. If we are relying on consent to process your personal data you have the right to withdraw that consent at any time.

Responding

We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.

We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.

Fees for Making a Request

You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

How to Make a Request

If you want to exercise any of the rights described above, please contact our Data Protection. Team by writing please contact our Data Protection Team by writing to our office address or by emailing julia@yorkestates.co.uk with the subject line “Data Protection”.

Your Right to Complain to a Supervisory Authority

You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.

13.    Updates to This Policy

We will update this policy from time to time, so please check back. The current version will always be posted on our website. This policy was last updated on 2 May 2018.