General Data Protection Regulation (2018) Policy
Avery & Co are residential surveyors and valuers covering the North West of England and North Wales carrying out surveys and valuations of residential properties for both private clients and on behalf of suppliers such as; mortgage lenders or referral sources. We are an RICS regulated firm and understand the importance of protecting our client’s data and all other data necessary to conduct our business. We take and store all data in accordance with General Data Protection Regulations (GDPR – 2018). It is our commitment to both our employees, clients, and all other people we communicate with that we will honour and comply with GDPR and continue to ensure data is safe and not misused.
Notice and Consent
Avery & Co collect, or are provided with the data needed to conduct the relevant service as instructed by the client. All data held is necessary and securely stored. We receive affirmative consent from the client by ensuring they sign our Terms of Engagement. The Terms of Engagement have a Privacy Notice, and a Privacy Declaration to be signed by the client. Our Terms of Engagement state:
By signing the GDPR declaration on the final page of this document, you agree with us storing the necessary data relating to you and you are happy to be contacted by Avery & Co in the future. If you do not wish to sign the declaration unfortunately, we have no alternative but to decline your instructions.
Where instructions are sent to Avery & Co and Terms of Engagement cannot be issued i.e. for mortgage valuations, it is assumed that the mortgage lender takes the necessary steps to comply with GDPR when collecting and providing any personal data. As a Controller of data, Avery & Co then follow GDPR to ensure all processes are compliant.
Access/vendor details for a residential property requiring a valuation or survey is data which permission can not be asked for. However, it is necessary for Avery & Co to undertake the service requested and that Avery & Co retain such data within cases files for purposes including; complaints, criminal or fraudulent activity surrounding the case.
Avery & Co have processes and procedures in place for elements of the business that are affected by GDPR such as:
- Instructions – are taken using an Instruction Form by administration staff, this data is securely keyed onto a computer system. The instruction sheet is then scanned and saved securely. All paper copies relating to the instruction are then deleted/shredded.
- Reports – both valuation and survey reports contain personal data. These reports are saved securely on a computer system. They are also securely signed so that they cannot be altered or amended. No paper copies of reports are kept. Avery & Co retain all reports for 15 years from the date of inspection.
- Files – contain all necessary data and information relating to each case, including clients contact details, site notes and photographs. As stated in the Terms of Engagement under the Privacy Notice, Avery & Co store such data for 15 years under the Limitation Act 1980 to enable a response to any potential claims or issues relating to a case in the future. Although this data is securely stored both digitally and within secure and organised filing cabinets/storage facility, the data is not used for anything other than in the instance of complaint or case issue i.e. it is not passed onto third parties or used for marketing purposes.
- Telephone conversations – are recorded for training and quality purposes. They are stored for 30 days by our telephone provider. At the beginning of each call, the caller is made aware of this.
Suppliers of services
Avery & Co have contracts with several suppliers of services. Where possible Avery & Co have received confirmation from these suppliers stating that they comply with GDPR. Otherwise, it is assumed that these suppliers are compliant.
Access, modification, and deletion
A client’s personal data that is held by Avery & Co can be accessed or modified/deleted as it is their right under GDPR to do this. However, Avery & Co can refuse this contractually due to the Limitation Act 1980.
If a client withdraws their consent to use, hold and store their personal data before the instruction is implemented (property inspection takes place) or before the Terms of Engagement are signed, Avery & Co will cancel the instruction and the client’s details will be appropriated deleted.
Limits on retention
Avery & Co will not store data indefinitely or longer than is required. Avery & Co have a retention period of 15 years from the date of inspection of a property in which data is held. This limitation period falls under the Limitation Act 1980. Data must be stored securely during this time. After 15 years from the data of inspection, the data is to be deleted appropriately.
A client cannot withdraw consent once the inspection of a property has taken place or, once they have signed Avery & Co’s Terms of Engagement.
Security and data breaches
Avery & Co implement vital and appropriate security measures such as encryption, regular password changes and other security checks such as checking the security of filing cabinets.
If there is a security breach, Avery & Co will send out breach notification within 72 hours to the client informing them. The reason for this breach will then be analysed and measures will be put into place to ensure it does not happen again.
All staff at Avery & Co receive annual training on Data Protection.