Rent Reporting Association - GDPR Statement

Introduction and Commitment

​

The Rent Reporting Association (RRA) acknowledges the importance of protecting personal data and respecting the privacy of our users, partners, and stakeholders. We are fully committed to aligning our data protection practices with the General Data Protection Regulation (GDPR), a European Union (EU) regulation that took effect on May 25, 2018, and other relevant UK data protection legislation.

Scope of the Statement

​

This GDPR Statement outlines how the RRA collects, processes, stores, and protects user data. It also details the rights of our users and our responsibilities as a data controller and processor.

Data Collection and Purpose

​

We collect personal data that is relevant to the operation of our services. This data includes, but is not limited to, names, addresses, contact information, rental histories, and payment details. Data is collected directly from users or from authorised third parties. It is used to:

​

• Provide, maintain, and improve our services.

• Communicate with users regarding our services, updates, and promotional offers.

• Address and resolve technical issues and concerns.

• Ensure the security of our operations.

• Comply with our legal obligations.

​

User Rights

Under GDPR, individuals have specific rights concerning their personal data. These rights include:

1. Right to Information - Users have the right to know how their data is being processed, the duration for which it will be stored, and the purpose of the storage.

2. Right to Access - Users can request access to their personal data held by the RRA.

3. Right to Rectification - Users can request the correction of inaccurate personal data.

4. Right to Erasure ("Right to be Forgotten") - Under specific conditions, users can request the deletion of their personal data.

5. Right to Restriction - Users can request the restriction of the processing of their personal data.

6. Right to Data Portability - Users can ask for the transmission of their personal data to another organisation.

7. Right to Object - Users can object to the processing of their personal data for specific purposes.

8. Rights related to Automated Decision Making and Profiling - Users have the right not to be subject to decisions solely based on automated processing.

Data Protection Measures

The RRA implements strict data protection measures. These include:

• Technical Measures: Encryption of personal data, use of secure communication channels, regular security updates, and systematic back-ups.

• Organisational Measures: Training of personnel, implementation of strict access controls, and regular review of our policies and procedures.

Data Sharing and Transfers

We do not sell, lease, or trade personal data. Personal data may be shared with trusted third-party service providers for business operations, but only under strict confidentiality and data protection agreements. If data transfers outside the EU are necessary, we ensure that they meet GDPR compliance requirements.

Data Retention

The RRA retains personal data for as long as necessary to fulfil its operational purposes or to comply with legal obligations. Once this purpose is achieved, the data is securely deleted or anonymised.

Changes to the Statement

​

This GDPR Statement may be updated periodically to reflect any changes in our practices or services and to remain compliant with any updates to GDPR and UK-specific data protection regulations. We will notify users of any significant changes.

​

Data Breaches

​

In the unlikely event of a data breach, the RRA commits to:

1. Notification: Inform the affected individuals and the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

2. Investigation: Promptly investigate the breach, identifying its cause and taking steps to prevent a recurrence.

3. Mitigation: Take immediate action to minimise the impact on affected individuals.

Consent

For data processing activities that require consent, the RRA ensures:

1. Clear Consent Requests: We seek consent in clear and simple terms, avoiding jargon.

2. Freedom to Refuse: Users are not pressured into giving consent, and services are not withheld due to refusal.

3. Withdrawal: Users can withdraw their consent at any time, and the process for withdrawal is straightforward.

Third-Party Processors

The RRA may utilise third-party processors to handle certain data processing activities. In such cases, we ensure that:

​

1. A formal, written contract is in place.

2. The third party is compliant with GDPR and follows robust security measures.

3. Regular audits and reviews are conducted to ensure compliance.

Training and Awareness

1. Employee Training: All RRA employees undergo regular training to ensure understanding and compliance with GDPR principles and practices.

2. Awareness Campaigns: We periodically run internal campaigns to reinforce the importance of data protection.

Complaints

Users who believe that their data protection rights have been infringed upon by the RRA can:

1. Contact our designated Data Protection Officer to address their concerns.

2. Lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection issues.

Contact Information

For any queries related to GDPR and our data protection practices, users can contact:

Data Protection Officer

Rent Reporting Association

Tel: 01865 291 621

E-mail: Home@RentReporting.co.uk

​

Conclusion

​

The RRA is steadfast in its commitment to GDPR compliance, ensuring that the personal data of our users, partners, and stakeholders is handled with utmost care and integrity. We invite feedback and queries from our user base, as continuous improvement in data protection is a shared responsibility.

This completes our GDPR Statement. We urge all our users and partners to familiarise themselves with this statement, ensuring a collaborative approach to data protection and privacy.