Privacy Notice

Schedule 42 - Privacy Notice 2022

General

We respect individuals’ rights to privacy and to the protection of personal information. This Privacy Notice sets up why we collect your personal information, what information is collected and how it is processed and provides you with your rights in relation to that data.

‘Personal information’ (also referred to as ‘personal data’) means information about a living individual who can be identified from that information (either by itself or when it is combined with other information).

Through-out this privacy notice we use the term “processing” to cover all activities involving your personal information, including collecting, handling, storing, sharing, accessing, using, transferring, securing and disposing of information.

Graham + Sibbald is committed to ensuring that your privacy is protected. Any personal data provided to us by you or by a 3rd party shall only be used by us in accordance with this notice. Your data will be processed securely and in compliance with data protection law.

We may update this notice from time to time by updating the terms of our website (www.g-s.co.uk). We would encourage you to visit our website from time to time for any amendments. This policy is effective from 18 June 2018.

Topics:

  • Who we are
  • Data Controller
  • To whom does this privacy notice apply?
  • What personal information might we process?
  • How we obtain information?
  • What we do with your Personal Data?
  • Who do we share your Personal Data with?
  • Security
  • Marketing
  • Our Website
  • How long we keep your Personal Data?
  • Your rights
  • Exercising your rights
  • How to contact us

Who we are

Graham + Sibbald (collectively ‘Graham + Sibbald’ or ‘we’), are Graham + Sibbald Partnership with Graham + Sibbald LLP, Graham + Sibbald Technical Services LLP, Graham + Sibbald Property Management LLP, registered in Scotland under registration number(s) SO307130, SO307131, SO307132, whose registered office is at Seabraes House, 18 Greenmarket, Dundee, DD1 4QB. Graham + Sibbald UK LLP, registered in England under registration number OC442188, whose registered office is at 49 King Street, Manchester, M2 7AY.

Data Controller

The Firm’s Data Protection Officer is: Alison Rae, Group Operations Director

Contact details:

Email – datacontroller@g-s.co.uk

Address – 40 Torphichen Street, Edinburgh, EH3 8JB

Telephone – 0131 225 1559

To whom does this privacy notice apply?

  • All individuals who visit our website or who contact us by post, telephone, e-mail, social media or other means (including other electronic means); or
  • All individuals who are or have been our clients; or
  • All individuals who are our client contacts where you or your organisation are or have been our customer;
  • All individuals who are related to our clients (client-related individuals) such as tenants or leaseholders where our client is the landlord; or
  • All individuals who are our business contacts where you or your organisation supply goods or services to us, provide professional services, have expressed an interest in us or have any other business relationship with us (including where your organisation is a public authority, an industry body or regulatory authority or similar).

What information might we process?

We collect and process various categories of personal information at the start of and for the duration of your relationship with us. We will limit the collection and processing of information to information necessary to achieve one or more legitimate purposes as identified in this notice. Personal Information may include:

Relevant to ALL

  • Basic personal information, including name and address and contact details such as telephone number + email address (for example you have registered an interest in a property/ have requested particularly or to be provided with a quote to undertake a valuation on your property);

Customer + Suppliers

  • Financial information, including bank account details, account + transactional information and borrowing details;
  • Card payment details;

Customer(s)

  • Access details to ‘named’ property(ies);
  • Customer Due Diligence (CDD) ID documentation (for example on purchaser/ buyers/ leaseholders of Commercial Properties. Documents include Passport, Driving Licence, Utility Bill/ Mortgage/ Bank statement, etc.);
  • Lease information;
  • Planning consents;
  • General valuation data;
  • Full business accounts;
  • Services provided;

Website Users

  • Online profile

Please note that failure to provide us with certain information may affect our ability to deliver services to you or your organisation or to otherwise perform a contract with you or your organisation.

How we obtain information?

Your information is made up of all the personal information we collect and hold about you. It includes:

  • Information you give us
  • Information that we learn about you through our relationship
  • Information that we receive from 3rd parties (for example from mortgage lenders)
  • Information that we gather from the technology that you use to access our services (for example website usage such as demographic or statistical information such as IP geographic location and web client details)
  • Information that we gather from publicly available sources, such as companies house

What we do with your Personal Data?

We will only use and share your information where it is necessary for us to lawfully carry out our business activities. The personal data we hold about you is processed by us to enable us to:

– understand your needs or the needs of your organisation

– provide you with the services you or your organisation have engaged us to provide

– better those services

– managing relationships with business contacts

– collect payment for those services provided and,

– if you agree, email you about other services we think may be of interest to you.

We have described the purposes for which your information may be used in detail in Schedule 1 – Purposes of processing.

Who do we share your Personal Data with?

We will not share your information with anyone outside the Firm except:

– Where we have your permission;

– Where you are a client-related individual (for example where we are acting on behalf of a client and you are the tenant/ leaseholder), with our client where required for the purposes of providing services to our client;

– Where you are a client or client contact, as required for the purposes of providing a service to our client (for example to a planning committee for planning application submissions);

– Where we are required by law to share your personal information with law enforcement agencies, judicial bodies, government entities or regulatory bodies;

– With 3rd parties providing services to us such as agents and sub-contractors acting on our behalf, such as the companies we use to put up marketing boards, utility brokers, site contractors;

– With debt collection agencies, and legal and other professional advisors;

– Where permitted by law, it is necessary for our legitimate interests of those of a 3rd party, and it is not inconsistent with the purposes listed above. See Schedule 1

Graham + Sibbald will not share your information for marketing purposes outside the Firm.

Where we use any contractor to process your personal data, we ensure that they have entered into a binding legal contract with us ensuring that they will only process your data on our written instruction and in accordance with appropriate security provisions.

If you ask us to, we will share your personal information with any 3rd party on the basis you provide us with permission to do so. Please note, we’re not responsible for any such 3rd party’s use of your personal information, which will be governed by their agreement with you and any privacy statement they provide to you.

The personal information held by us will in the main be stored and processed within the United Kingdom. In the event that we transfer information to countries out with the UK, we will only do so where:

– The Information Commissioner’s Office (ICO) has decided that the country or the organisation we are sharing your information with will protect your information adequately;

– We have entered into a contract with the organisation with which we are sharing your information (on terms approved by the ICO) to ensure your information is adequately protected; or

– You have given us explicit consent to transfer information to a country out with the UK.

Security

We are committed to ensuring that your information is secure with us and the 3rd parties who act on our behalf. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we process. Periodic checks are undertaken to ensure that our security measures remain appropriate and up to date.

Marketing

If you are a customer, we will only provide you with direct marketing communications where you have consented to receive such communications or you have contacted us directly to request specific information about our products or services. You can subscribe to receive our regular marketing communications, and you can adjust your marketing preferences at any time by contacting our Marketing department, details below.

If you represent another business, we may provide you with direct marketing communications where we feel that this may be relevant to your business (provided that you have not opted out of such communications). When we use your personal data for such purposes, we do so on the basis that it is in our legitimate interest to pursue direct marketing, provided that is constitutes fair processing of your personal data to do so.

You can also opt-out or unsubscribe from all or some of these marketing communications at any time by contacting us, details below, or by clicking “unsubscribe” at the bottom of any marketing email.

Where you opt our of receiving these marketing communications, this opt-out will not apply to personal data provided to us for any other purpose.

We will still use your contact details to contact you in relation to the service that we are providing you.

Email – enquiries@g-s.co.uk

Address – Graham + Sibbald, Marketing Department, 40 Torphichen Street, Edinburgh, EH3 8JB

Telephone – 0131 225 1559

Our Website

Cookies

Cookies are text files placed on your computer to collect standard internet log + visitor behaviour information. This information is used to track visitor use of our website and to compile statistical reports on website activity allowing us to improve and tailor it to customers’ needs.

For further information visit www.aboutcookies.org.uk OR www.allaboutcookies.org

You can choose to accept or decline cookies and the above websites will tell you how to remove the cookies from your browser. However, in a few cases some of our website features may not function as a result.

Card payments made via our Website

We do not store debit or credit card details nor do we share customer details with an third parties.

Other websites

Our website may contain links to other websites of interest. This privacy policy only applies to our website so when you link to other websites you should exercise caution and read the privacy statement to the website in question.

How long we keep your Personal Data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity or the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In the absence of specific legal, regulatory or contractual requirements, our standard retention period for personal data is seven years after conclusion of any relationship between you and us.

After this time, it will be securely destroyed if it is no longer required for the purpose it was obtained.

Retention periods may be changed from time to time based on business or legal and regulatory requirements.

We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that the Firm will be able to produce records as evidence if they’re needed.

Your rights

We want to make sure you are aware of your rights in relation to the personal information we process about you. We have described those rights and the circumstances in which they apply below.

Right of Access – You have the right to access your personal information that we hold

Commonly known as a “subject access request”, you have the right to request access to the personal information we hold about you and to check that we are lawfully processing it. Please contact our Data Protection Officer if you wish to request such access.

Right of Erasure – You have the right to request that we delete your personal information

You may request that we delete your personal information if you believe that:

  • we no longer need to process your information for the purposes for which it was provided;
  • we have requested your permission to process your personal information and you wish to withdraw your consent; or
  • we are not using your information in a lawful manner

Note, however, that we may not always be able to comply with your request or erasure for specific legal reasons which will be notified to you, if applicable, following your request. The right of erasure does not apply to personal data which is processed because it is necessary for the performance of a contract with individual(s).

Please note that if you request us to delete your information, we may have to suspend the service(s) we provide to you.

Right of Rectification – You have the right to request us to amend any inaccurate data

You have the right to rectification and for any inaccurate data to be amended. Requests should be made verbally or in writing to our Data Protection Officer.

Right of Restriction – You have the right to request us to restrict the processing of your personal information

You may request us to restrict processing your personal information if you believe that:

  • you want us to establish the accuracy of your personal data;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to hold the date even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Please note if you request us to restrict processing your information, we may have to suspend the service(s) we provide to you.

Right of Data Portability – You have a right to data portability

Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering into a contract with us, you have a right to receive the personal information you provided us in a portable format. If you would like to request the personal information you provided to us in a portable format, please contact our Data Protection Officer.

Right of Objection – You have a right to object to the processing of your personal information

Where we rely on our legitimate interests (or those of a 3rd party) as the basis for processing your personal information, you have a right to object to us processing your personal information (and to request us to restrict processing) based on your particular situation unless we can demonstrate compelling and legitimate or legal grounds for the processing, which may override your own interests or where we need to process your information to investigate and protect us or others from legal claims.

Depending on the circumstances, we may need to cease processing your personal information altogether, or where requested, delete your information. Please note that if you object to us processing your information, we may have to suspend the service(s) we provide to you.

Marketing – You have the right to object to direct marketing

You have the right to object at any time to processing of your personal information for direct marketing purposes. For more information please refer to section on ‘Marketing’ above.

Withdraw consent – You have a right to withdraw your consent

Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.

Exercising your rights

If you wish to exercise any of these rights outlined above, please contact our Data Protection Officer.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

How to contact us

We are committed to ensuring that your personal data is processed lawfully, fairly and securely. If you have any questions about our fair processing notice, the information we hold about you or concerns about our notice or the way in which we process your data please contact us:

  • By email datacontroller@g-s.co.uk
  • Or write to Data Protection Officer, Graham + Sibbald, 40 Torphichen Street, Edinburgh, EH3 8JB

You also have the right to complain to the Information Commissioner’s Office about how we are processing your personal information. If you remain unsatisfied you can contact the Information Commissioner’s Office at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113

www.ico.org.uk/concerns/

Schedule 1 – Purposes of Processing

We will only use and share your information where it is necessary for us to carry out our lawful business activities. We want to ensure that you fully understand how your information may be used and have therefore described the purposes for which your information may be used in detail below:

Contractual Necessity

Where you are a client, we may process your information where it is necessary to enter into a contract with you for the provision of our services to perform our obligations under that contract. Where you are a business contact supplying (or wishing to supply) goods or services to us (e.g. as a sole trader), we may process your personal information where it is necessary to enter into a contract with you for the supply of such goods or services to us or to perform our obligations under that contract.  Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to provide a service to you. This may include processing to:

  • Provide and administer those service(s) through-out your relationship with the Firm including executing your instructions, resolving any queries;
  • Manage and maintain our relationship with you and for ongoing customer service

Legal Obligation

In order to provide a number of our services we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested personal information, it may not be possible for us to continue to provide the service(s) to you. This may include processing to:

  • Confirm your identity to comply with laws relating to money laundering, fraud, terrorist financing and Transfer of Funds (Information on Payer) Regulations Act 2017, bribery and corruption and international sanctions. This may require us to share data with law enforcement and regulatory bodies;
  • Access affordability and suitability on behalf of client(s) (for example, for the purpose of making an offer on and signing a lease);
  • Share data with police, law enforcement or other government agencies where we have a legal obligation, including reporting suspicious activity and complying with production of court orders;
  • Investigate and resolve complaints;
  • Conduct investigations into breaches of conduct and the Firm’s policies by our employees;
  • Provide assurance that the Firm has effective processes in place to identify risks to the business.

Legitimate Interests

We may process your personal information where it is in our legitimate interests to do so as an organisation and without prejudicing your interests or fundamental rights and freedoms.

We may process your personal information in the day to day running of our business, to manage our business and financial affairs. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. This may include processing your information to:

  • Monitor, maintain and improve internal business processes, information and data, market knowledge, technology and services;
  • Identify + rule out Conflicts of Interest;
  • Deliver our services to your organisation (where you are a client contact);
  • Receive goods or services from a third-party supplier (where you are a business contact on behalf of another organisation);
  • Internal record keeping and staff training;
  • Ensure business continuity and disaster recovery and responding to business incidents and emergencies;
  • Protect our legal rights and interests.

It is in our interest as a business to ensure that we provide our clients with the most appropriate service and that we continually develop both our services and as a Firm. This may require processing your information to enable us to:

  • Identify new business opportunities, to develop enquiries and further develop our relationship with you;
  • Monitor the performance of our services;
  • Perform analysis on customer complaints for the purposes of preventing errors and improving customer service.

It is also in our interest as a business to manage our risk and to determine what services we can offer and the terms of those services. This may include processing your information to:

  • Carry out Customer due diligence (CDD) checks for and on behalf of clients;
  • To manage fees due to us;
  • To collect and recover money that is owed to us.