Scottish Association of Landlords privacy policy
Contents
- Introduction
- Legislation
- Data
- Processing of Personal Data
- Data Sharing
- Data Storage and Security
- Breaches
- Data Subject Rights
- Privacy Impact Assessments
- Cookies
- Archiving, Retention and Destruction of Data
1. Introduction
Scottish Association of Landlords (hereinafter “SAL”) is committed to ensuring the secure and safe management of data held by SAL in relation to customers, staff and other individuals. SAL’s staff members have a responsibility to ensure compliance with the terms of this policy, and to manage individuals’ data in accordance with the procedures outlined in this policy and documentation referred to herein.
SAL needs to gather and use certain information about individuals. These can include customers (tenants, factored owners etc.), employees and other individuals that SAL has a relationship with. SAL manages a significant amount of data, from a variety of sources. This data contains Personal Data and Sensitive Personal Data (known as Special Categories of Personal Data under the GDPR).
This Policy sets out SAL’s duties in processing that data, and the purpose of this Policy is to set out the procedures for the management of such data.
2. Legislation
It is a legal requirement that SAL processes data correctly; SAL must collect, handle and store personal information in accordance with the relevant legislation.
The relevant legislation in relation to the processing of data is:
(a) the UK General Data Protection Regulation (“the GDPR”);
(b) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426);
(c) the Data Protection Act 2018 (2018 Act);
(d) the Data (Use and Access) Act 2025 (2025 Act); and
(e) any other applicable law relating to the protection of personal data and the privacy of individuals.
3. Data
3.1 SAL holds a variety of data relating to individuals, including customers and employees (also referred to as data subjects) which is known as Personal Data. The Personal Data held and processed by SAL is detailed within SAL’s Fair Processing Notice which is distributed to you at the outset of collecting and processing your data.
3.1.1 “Personal Data” is that from which a living individual can be identified either by that data alone, or in conjunction with other data held by SAL.
3.1.2 SAL also holds Personal data that is sensitive in nature (i.e. relates to or reveals a data subject’s racial or ethnic origin, religious beliefs, political opinions, relates to health or sexual orientation). This is “Special Category Personal Data” or “Sensitive Personal Data”. The Secretary of State may designate further categories of “Special Category Personal Data” and if this occurs then we shall treat any designated data accordingly.
4. Processing of Personal Data
4.1 SAL is permitted to process Personal Data on behalf of data subjects provided it is doing so on one of the following grounds:
- Processing with the consent of the data subject (see clause 4.4 hereof);
- Processing is necessary for the performance of a contract between SAL and the data subject or for entering into a contract with the data subject;
- Processing is necessary for SAL’s compliance with a legal obligation;
- Processing is necessary to protect the vital interests of the data subject or another person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of SAL’s official authority; or
- Processing is necessary for the purposes of legitimate interests.
4.2 Fair Processing Notice
4.2.1 SAL has produced a Fair Processing Notice (FPN) which it is required to provide to all customers whose Personal data is held by SAL. That FPN must be provided to the customer from the outset of processing their Personal Data and they should be advised of the terms of the FPN when it is provided to them.
4.2.2 The Fair Processing Notice sets out the Personal Data processed by SAL and the basis for that Processing. This document is provided to all of SAL’s customers at the outset of processing their data.
4.3 Employees
4.3.1 Employee Personal data and, where applicable, Special Category Personal Data or Sensitive Personal Data, is held and processed by SAL. Details of the data held and processing of that data is contained within the Employee Fair Processing Notice which is provided to Employees at the same time as their Contract of Employment.
4.3.2 A copy of any employee’s Personal Data held by SAL is available upon written request by that employee from SAL’s Chief Executive.
4.4 Consent
Consent as a ground of processing will require to be used from time to time by SAL when processing Personal Data. It should be used by SAL where no other alternative ground for processing is available. In the event that SAL requires to obtain consent to process a data subject’s Personal Data, it shall obtain that consent in writing (unless extenuating circumstances apply). The consent provided by the data subject must be freely given and the data subject will be required to sign a relevant consent form if willing to consent (again, subject to extenuating circumstances such as the data subject being unable to write). Any consent to be obtained by SAL must be for a specific and defined purpose (i.e. general consent cannot be sought).
4.5 Processing of Special Category Personal Data or Criminal Offence Data
In the event that SAL processes Special Category Personal Data or Criminal Offence Data, SAL must do so in accordance with one of the grounds of processing in data protection law which include:
- The data subject has given explicit consent to the processing of this data for a specified purpose;
- Processing is necessary for carrying out obligations or exercising rights related to employment or social security;
- Processing is necessary to protect the vital interest of the data subject or, if the data subject is incapable of giving consent, the vital interests of another person;
- Processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
- Processing relates to personal data manifestly made public by the individual;
- Processing is necessary for public interest in the area of health;
- Processing is necessary for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- Processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim and on the condition that it relates to members or former members who have regular contact with the entity; and
- Processing is necessary for reasons of substantial public interest under law.
5. Data Sharing
5.1 SAL shares its data with various third parties for numerous reasons in order that its day to day activities are carried out in accordance with SAL’s relevant policies and procedures. In order that SAL can monitor compliance by these third parties with Data Protection laws, SAL may require the third party organisations to enter in to an Agreement with SAL governing the processing of data, security measures to be implemented and responsibility for breaches.
5.2 Data Sharing
5.2.1 Personal data is from time to time shared amongst SAL and third parties who require to process personal data that SAL processes as well. Both SAL and the third party will be processing that data in their individual capacities as controllers.
5.2.2 Where SAL shares in the processing of personal data with a third party organisation (e.g. for processing of the employees’ pension), it shall require the third party organisation to enter in to a Data Sharing Agreement with SAL.
5.3 Processors
A processor is a third party entity that processes personal data on behalf of SAL, and is frequently engaged if certain of SAL’s work is outsourced (e.g. payroll, maintenance and repair works).
5.3.1 A processor must comply with Data Protection laws. SAL’s processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify SAL if a data breach is suffered.
5.3.2 If a processor wishes to sub-contract their processing, prior written consent of SAL must be obtained. Upon a sub-contracting of processing, the processor will be liable in full for the data protection breaches of their sub-contractors.
5.3.3 Where SAL contracts with a third party to process personal data held by SAL, it shall require the third party to enter in to a Data Processor Agreement with SAL.
6. Data Storage and Security
All Personal Data held by SAL must be stored securely, whether electronically or in paper format.
6.1 Paper Storage
If Personal Data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no Personal Data is left where unauthorised personnel can access it. When the Personal Data is no longer required it must be disposed of by the employee so as to ensure its destruction. If the Personal Data requires to be retained on a physical file then the employee should ensure that it is affixed to the file which is then stored in accordance with SAL’s storage provisions.
6.2 Electronic Storage
Personal Data stored electronically must also be protected from unauthorised use and access. Personal Data should be password protected when being sent internally or externally to SAL’s processors or those with whom SAL has entered in to a Data Sharing Agreement. If Personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used. Personal Data should not be saved directly to mobile devices and should be stored on designated drives and servers.
7. Breaches
7.1 A data breach can occur at any point when handling Personal Data and SAL has reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach require to be reported externally in accordance with Clause 7.3 hereof.
7.2 Internal Reporting
SAL takes the security of data very seriously and in the unlikely event of a breach will take the following steps:
- As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the Chief Executive/DPO must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s);
- SAL must seek to contain the breach by whatever means available;
- The Chief Executive must consider whether the breach is one which requires to be reported to the Information Commission (IC) and data subjects affected and do so in accordance with this clause 7;
- Notify third parties in accordance with the terms of any applicable Data Sharing Agreements or equivalent contract terms.
7.3 Reporting to the IC and Data Subjects
SAL will require to report any breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach to the IC within 72 hours of the breach occurring or becoming aware of the breach. SAL will also consider whether it is appropriate to notify those data subjects affected by the breach.
Where a breach poses a high risk to the rights and freedoms of the data subjects impacted by the breach, SAL must, in addition to notifying the IC, promptly notify the data subjects in question.
8. Data Subject Rights
8.1 Certain rights are provided to data subjects under the GDPR. Data Subjects are entitled to view the personal data held about them by SAL, whether in written or electronic form.
8.2 Data subjects have a right to request a restriction of processing their data, a right to be forgotten, a right to object to SAL’s processing of their data and a right to complain to SAL about how it is processing their data. These rights are notified to SAL’s members and other customers in SAL’s Fair Processing Notice.
8.3 Subject Access Requests
Data Subjects are permitted to view their data held by SAL upon making a request to do so (a Subject Access Request). Upon receipt of a request by a data subject, SAL must respond to the Subject Access Request within one calendar month of the date of receipt of the request (except in limited circumstances).
SAL:
8.3.1 must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law.
8.3.2 where the personal data comprises data relating to other data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the Subject Access Request, or may determine it is reasonable to disclose said data without consent; or
8.3.3 where SAL does not hold the personal data sought by the data subject, must confirm that it does not hold any personal data sought to the data subject as soon as practicably possible, and in any event, not later than one calendar month from the date on which the request was made.
8.4 The Right to be Forgotten
8.4.1 A data subject can exercise their right to be forgotten by submitting a request in writing to SAL seeking that SAL erase the data subject’s Personal Data in its entirety.
8.4.2 Each request received by SAL will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The Chief Executive will have responsibility for accepting or refusing the data subject’s request in accordance with clause 8.4 and will respond in writing to the request.
8.5 The Right to Restrict or Object to Processing
8.5.1 A data subject may request that SAL restrict its processing of the data subject’s Personal Data, or object to the processing of that data.
8.5.1.1 In the event that any direct marketing is undertaken from time to time by SAL, a data subject has an absolute right to object to processing of this nature by SAL, and if SAL receives a written request to cease processing for this purpose, then it must do so immediately.
8.5.2 Each request received by SAL will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The Chief Executive will have responsibility for accepting or refusing the data subject’s request in accordance with clause 8.5 and will respond in writing to the request.
8.6 The right to complain
8.6.1 A data subject may make a complaint to SAL if they consider that SAL’s processing of their personal data is in breach of data protection law.
8.6.2 SAL must facilitate the making of such complaints by taking steps such as providing a data subjects’ complaints form which can be completed electronically and by other means, such as submitting a hard copy of the data subjects’ complaint form. SAL’s data subjects’ complaint form and information on how this can be submitted, can be downloaded here.
8.6.3 SAL must acknowledge the receipt of a data subject’s complaint within 30 days of the complaint being received.
8.6.4 When SAL receives a complaint under this section, it must also, without undue delay:
8.6.4.1 Take appropriate steps to respond to the complaint, including making enquiries into the subject matter of the complaint (to the extent appropriate);
8.6.4.2 Inform the data subject of the progress on the complaint; and
8.6.4.3 Inform the data subject of the outcome of the complaint.
9. Data Protection Impact Assessments (DPIAs)
9.1 These are a means of assisting SAL in identifying and reducing the risks that our operations have on personal privacy of data subjects.
9.2 SAL shall:
9.2.1 Carry out a DPIA before undertaking a project or processing activity which poses a “high risk” to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing Personal Data; and
9.2.2 In carrying out a DPIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that it will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.
9.3 SAL will require to consult the IC in the event that a DPIA identifies a high level of risk which cannot be reduced. The Chief Executive will be responsible for such reporting, and where a high level of risk is identified by those carrying out the DPIA they require to notify the DPO within five (5) working days.
10. Cookies
SAL uses a range of cookies to improve your experience of our site. We need to seek your consent to set these cookies.
What is a Cookie?
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
- We use cookies to make our website easier for you to use
- We use cookies to help stop our online-forms from being used to send spam-email
- We use cookies to monitor usage so we can spot trends and make improvements
- We DO NOT use cookies to identify individuals (and never will)
- We DO NOT store personal information in cookies
We believe that our use of cookies is very necessary for the smooth functioning of the website. We do not believe that they pose any threat to your personal privacy or online security and we recommend that you indicate that you will “allow” cookies.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you may modify your browser setting to decline cookies if you prefer. This may, however, prevent you from taking full advantage of the website.
We use traffic log cookies to identify which pages are being used. In particular, portions of this website use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to help the website analyse how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. This helps us analyse data about web page traffic and improve our website in order to tailor it to client needs. We only use this information for statistical analysis purposes and then the data is removed from the system. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the appropriate privacy policy applicable to the relevant website being used.
Your personal information
We will not sell, distribute or lease your personal information to third parties unless we are required by law to do so.
If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies. You can access them through some types of browser.
11. Archiving, Retention and Destruction of Data
SAL cannot store and retain Personal Data indefinitely. It must ensure that Personal data is only retained for the period necessary. SAL shall ensure that all Personal data is archived and destroyed in accordance with the terms of their retention guidelines.
HOW TO CONTACT US
Telephone: 0131 564 0100
Email: info@scottishlandlords.com
Post:
Data Protection Officer
Scottish Association of Landlords
Hopetoun Gate
8b McDonald Road
Edinburgh
EH7 4LZ
Registered Company in Scotland number: SC216764