- Privacy Statement
- Data Breach Action Guideline
- Processor Agreement
- Drone Policy
- Data Protection Acts 1988 and 2003
- European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. 336. Click HERE for Commissioner’s law list
- GDPR 2016/679
- The Data Protection Act 2018
- Property Services (Regulation) Act 2011
Data Protection Principles
GDPR 2016/679 Art 5 states;
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary
6. Processed in a manner that ensures appropriate security
The existence of each of data subject’s rights
Individuals (data subjects) are provided (GDPR 2016/679 Arts 12-22) with the following rights to (summary):
• Transparent information and clear communication regarding their data
• Information as to how the subject’s data was collected
• Information as to how the subject’s data was collected but not from the subject him or her self
• Access by the data subject
• Rectification of data
• Erasure of data (Right to be forgotten)
• Restriction of processing
• Notification of rectification, erasure or processing
• Data portability
• Object to processing
Object to automated processing/decision-making including profiling
Lawfulness of Processing:
GDPR 2016/679 Art 6 states
Processing shall be lawful only if and to the extent that at least one of the following applies:
1. Consent of the data subject
2. Necessary for the performance of a contract
3. Necessary for compliance with a legal obligation
4. Necessary to protect the vital interests of a data
5. Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
6. Necessary for the purposes of legitimate interests
Security (Art 32 GDPR)
A key principle of the GDPR 2016/679 is that personal data securely processed by means of ‘appropriate technical and organisational measures’.
SCHILLER & SCHILLER undertake to satisfy the following security measures as appropriate.
Article 5(1) (f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'
SCHILLER & SCHILLER give attentive consideration to the following;
- Security risk analysis applied to organisational policies
- Appropriate physical and technical measures
- Any additional measures needed including where engaging with processors.
- Balance the state of the art and costs of implementation when deciding appropriate measures both to SCHILLER & SCHILLER circumstances and the risk your processing poses
- Where appropriate, SCHILLER & SCHILLER use measures such as pseudonymisation and encryption.
- SCHILLER & SCHILLER constantly strive to ensure the ‘confidentiality, integrity and availability’ of personal data we process.
- SCHILLER & SCHILLER also strives to enable restoration of access and availability to personal data in a timely manner in the event of a physical or technical incident.
- SCHILLER & SCHILLER strive to ensure appropriate processes in place to test the effectiveness of measures, and to undertake any required improvements through engagement of competent IT services
Breach notification (Art 33 GDPR)
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. • SCHILLER & SCHILLER will do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, SCHILLER & SCHILLER will also inform those individuals without undue delay.
SCHILLER & SCHILLER strives to ensure maintenance of robust breach detection, investigation and internal reporting procedures. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
SCHILLER & SCHILLER will keep a record of any known personal data breaches, regardless of whether SCHILLER & SCHILLER are required to notify the DPC.
Where a purported or actual breach occurs contact SCHILLER
without delay. See the SCHILLER & SCHILLER data breach action plan document.
Access requests (Art 12 GDPR)
SCHILLER & SCHILLER shall take appropriate measures to provide any information and communication referred to in valid relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language
SCHILLER & SCHILLER will generally respond to requests from the data subject without undue delay and at the latest within one month and will give reasons where SCHILLER & SCHILLER does not intend to comply with any such requests, for example; where the identity of the requestor cannot be reasonably established or restrictions of rights and principles (Recital 73 GDPR) apply.
SCHILLER & SCHILLER will provide a copy of the information, where appropriate, free of charge. However, SCHILLER & SCHILLER will charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
An individual is entitled to obtain:
- Confirmation that their data is being processed;
- Access to their personal data; and
- other supplementary information – this largely corresponds to the information that in our privacy statement (see Article 15 GDPR also)
Access requests are the responsibility of SCHILLER
Data Retention/Destruction and Minimisation
SCHILLER & SCHILLER seeks to minimise the volume of personal data held. To facilitate this, unnecessary and/or superfluous data will be deleted/discarded in a secure manner. Where information must be held e.g. under a legal obligation such as S.61 and S.41 Property Services (Regulation) Act 2011 (as well as data protection obligations)) where the Act provides for records that must be retained for a period not less than 6 yrs. in certain circumstances. All files (electronic and hard-copy) are protected securely by SCHILLER & SCHILLER.