This policy was last updated in February 2023.
Gatehouse Investment Management is the data controller of your personal information in relation to the processing activities described below.
Our processing of your personal information
We will only collect information in line with relevant law and regulations. We will collect information about you when you interact with us, e.g. visit our website, work and contract with us, or call us.
Where you provide personal information to us about other individuals we will also be data controller of their personal information. You should refer them to this notice before supplying us with their data on their behalf.
The information we collect may include:
Contact - Your name, address, email address, landline and mobile numbers (which we’ll update with any changes you make)
Financial – information that may be needed about your or your organisation’s finances for regulatory or transactional due diligence, compliance checks, payments into your rent account, credit history and bank account details
Communications - Information that you give us by filling forms, or by communicating with us, whether face to face, by phone, email, or otherwise
Documentary Data - This could include documents like your photo ID, passport information, National Insurance number, National ID card, driver’s licence
Marketing and sales information - Details of services you receive and your preferences
Risk rating information - Information from Credit Reference agencies for Credit risk rating, underwriting information
Investigation data - Information that we need to support our regulatory obligations, e.g. due diligence checks, sanctions and anti-money laundering checks, external intelligence report, information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities.
How will we collect your personal information?
Information that you provide to us, e.g.
Information we collect or generate about you, e.g.
Information we collect from other sources, e.g.:
What will we use your personal information for?
When the information that we process is classed as “special categories of personal information", we must have an additional “legal ground". We will rely on the following legal grounds when we process your "special categories of personal information":
Processing activity, To provide our services to you. : Our reason Administer our services to you Legal Ground We will do this in order to perform our contract with you
Processing activity, To provide our property management services to you, your business or employer our reason, We will use your information to enable the provision and function of our services in line with regulation, laws and customer rights and interests, e.g. complaints management and exit management. Legal Ground The lawful reasons for processing these are legitimate interest.
Processing activity To prevent and detect crime including, e.g. fraud, terrorist financing and money laundering. Our reason, This will include monitoring, mitigation and risk management, carrying out customer due diligence, name screening, and customer risk identification. We may share your information with relevant agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. For further information on our use of fraud agencies please see below. Legal Ground We do this to comply with our legal and regulatory obligations. This may include special categories of personal data to comply with our regulatory requirements to investigate potential unlawful acts or dishonesty, malpractice or other seriously improper conduct.
Processing activity Risk management, Our reason We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk, operational risk.
For further information on our use of credit reference agencies see below. Legal Ground We will do this because we have a legitimate interest in ensuring that we carry out a proper risk assessment prior to providing some services.
Processing activity, Protecting our legal rights. Our reason, We may need to use your information to protect our legal rights, e.g. in the case of defending or the protection of legal rights and interests (e.g. enforcing
or protecting our security or defending rights of intellectual property); court action; managing complaints or disputes. This may be in connection with action taken against you or other persons,. Legal Ground We would do this on the basis that it’s in our legitimate interest or for the purposes of defending legal claims.
Profiling and Automated Decision Making
We will not undertake any automated decision making using your personal data.
Who we might share your information with
We may share your information for these purposes with others including:
How long do we keep personal information for?
We will keep your personal information for as long as reasonably necessary to comply with our legal and regulatory requirements or use it for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise.
We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on your relationship with us and the type of personal information. Indicative retention period is 6 years after the end of any contract.
What is our approach to sending your personal information overseas?
All personal data you provide to us is stored and handled in the UK.
If at any time we transfer your personal information to, or store it in, countries located outside of the UK/EEA (for example, if our hosting services provider changes) we will ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law. This is because some countries outside of the UK/EEA do not have adequate data protection laws equivalent to those in the UK/EEA.
You have a number of rights in relation to the information that we hold about you which we set out below. These rights might not apply in every circumstances. You can exercise your rights by contacting us at any time using the details set out in section 9. We will not usually charge you in relation to a request.
Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn't comply with our own legal or regulatory requirements. In these instances we will let you know why we cannot comply with your request.
In some circumstances, complying with your request may result in your product being cancelled. For example, if you request erasure of your personal information, we would not have the information required to administer your product. We will inform you of this at the time you make a request.
• The right to access your personal information: You are entitled to details about the personal information we hold about you and certain details of how we use it.
We will usually provide the details to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
• The right to rectification: We always take care to ensure that the information we hold about you is accurate and where necessary up to date. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.
• The right to restriction of processing: In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.
• The right to withdraw your consent: Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information.
Please note that for some purposes, we need your consent in order to provide your services. If you withdraw your consent, we may need to cancel your services. We will advise you of this at the point you seek to withdraw your consent.
• The right to erasure: This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdrawn consent.
Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a regulatory obligation to keep it.
• The right to data portability: In certain circumstances, you can request that we transfer personal information that you have provided to us to a third party. This is where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.
• The right to make a complaint with the Regulator: You have a right to complain to the Information Commissioner's Office (ICO) if you believe that we have breached data protection laws when using your personal information.
You can visit the ICO's website at https://ico.org.uk/ for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.
You can exercise your rights by contacting us using the details set out in the ‘Contacting us’ section below.
Our use of Fraud Prevention Agencies
We may carry out checks with fraud prevention agencies for the purposes of preventing fraud and money laundering, and to verify your identity before we provide some services to you. These checks require us to process personal information about you.
The personal information you provide or which we’ve collected from you, or received from third parties, will be used to carry out these checks in order to prevent fraud and money laundering, and to verify your identity.
We’ll process personal information such as your name, address, date of birth, contact details, financial information, and employment details, device identifiers including IP address and vehicle details and employment details.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity. This enables us to protect our business and to comply with laws that apply to us. This processing is also a contractual requirement of any of our products or services you use.
Fraud prevention agencies can hold your personal data for different periods of time. If they’re concerned about a possible fraud or money laundering risk, your data can be held by them for up to six years.
Consequences of Processing
If we, or a fraud prevention agency, have reason to believe there’s a fraud or money laundering risk, we may refuse to provide the services requested. We may also stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services or employment to you. The information we hold about you could make it easier or harder for you to get credit in the future.
To find out more about fraud prevention agencies and how they manage your information, please visit https://www.cifas.org.uk/privacy-notice.
How do we protect your information?
We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our website and any transmission is at your own risk. Once we have received your personal information, we put in place reasonable and appropriate controls to ensure that it remains secure against accidental or unlawful destruction, loss, alteration, or unauthorised access.
Our website may contain links to other websites run by other organisations. This policy does not apply to those other websites‚ so we encourage you to read their privacy statements. We cannot be responsible for the privacy policies and practices of other websites even if you access them using links that we provide. In addition, if you linked to our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.
What we need from you
You’re responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible. If you provide information for another person (e.g. a joint account holder, a beneficiary under an insurance policy or a dependant), you’ll need to direct them to this notice.
If you would like further information about any of the matters in this notice or if have any other questions about how we collect, store or use your personal information, you may contact our Data Protection Officer at our holding company by e-mailing us at email@example.com.
Updates to this notice
From time to time we may need to make changes to this notice, for example, as the result of changes to law, technologies, or other developments.