Under the UK GDPR, the legal requirement to provide a Privacy Notice falls on a “Controller” of personal data. As a property management company, in the vast majority of instances, Fidum is not the Controller of personal data of tenants at sites that it manages on behalf of its clients. Instead, the Controller of tenants’ personal data will be the landlord or freeholder. Where Fidum manages property on behalf of its clients, Fidum will be the “Processor” of personal data relating to tenants. This means that it handles it on the landlord’s instructions and only for their purposes, i.e. to manage their property.

However, rarely, in limited circumstances Fidum may need to collect and use personal information of tenants for its own independent purposes. On these rare occasions it will be a Controller of that personal data for those specific purposes only. This Privacy Notice and the information below sets out the limited purposes where Fidum envisages that it may process personal data of its client’s tenant’s as a Controller.

 

14. Personal Data we Collect relating to our Client’s Tenants

Rarely, Fidum may process personal data relating to its tenants’ clients, for its own individual purposes. For example, in order to meet its own legal obligations or exercise or defend legal rights and legal claims. When this happens Fidum anticipates it may collect the following categories of personal data relating to its clients’ tenants:

• Identity Data includes first name, last name, any previous names, title, nationality, country of residence, username or similar identifier, marital status, title, date of birth, and gender.
• Contact Data includes postal address, email address and telephone numbers. For example, if you send us an email or contact us via an online “Contact Us” form.
• Correspondence between us such as website enquiries/ “Contact Us” enquiries, emails, letters, recorded telephone calls and correspondence relating to queries, incidents or complaints.

Special Categories of Personal Data

Fidum does not expect to routinely collect or process any special categories of personal data relating to its clients’ tenants. However, rarely,  we may collect and process the following special categories of personal data, where data protection law permits:

• Information about your racial or ethnic origin, religious or philosophical beliefs, and political opinions;
• Information relating to physical or mental health or condition;
  • For example, we may collect and process information about your health or medical conditions if you tell us about a disability you have in order for us to make reasonable adjustments or where we need to process this information in order to defend or exercise a legal claim.
• Special Category Personal Data relates to information about racial or ethnic origin, trade union membership, health and medical conditions, genetics, biometric information (but only where this is used for identification purposes), political opinions, sex life, sexual orientation and religious beliefs.

Criminal Offence Data

Fidum does not routinely collect or process criminal offence data of its clients’ tenants. However, where necessary, we may also collect and process information about criminal records and offences (Criminal Offence Data) but only if the law allows us to do this. For example, where we make a report to the police regarding potential criminal activity involving a tenant as part of our legal obligations owed to our employees.

Where we do process special category personal data or criminal offence data, we ensure that we have an appropriate legal basis to do so under UK data protection law and only retain the information for the minimum amount of time necessary before securely deleting it.

15. Where We Source Your Personal Data

Most of the personal data we process relating to our clients’ tenants will be provided to us directly to us from the tenants themselves. However, in a few cases, we may collect it from a third party. Your personal data is collected in the following ways including through:

• Your interactions with us: You may give us your personal data directly when you correspond with our employees, provide us with feedback, lodge a complaint or otherwise generally interact with us.
• Third parties or publicly available sources: Depending on the circumstances, we may collect or receive personal data about you from various third parties such as your legal representatives, relatives, associates and our clients/your landlord, regulatory bodies such as a local authority. In some cases, we may collect information about you from public sources such as the internet.

 

16. If Your Fail to Provide Your Personal Data

Where we are under a statutory or contractual requirement to collect your personal data and you fail to provide that data when requested, we may not be able to comply with our statutory obligations, carry out your instructions or perform the contract we have or are trying to enter into with you. In this case, we may have to cancel our engagement or contract you have with us, but we will notify you if this is the case at the time.

17. Our Purposes and Legal Bases for Processing your Personal Data: Tenants’ Personal Data

Fidum will only process your personal data providing data protection law permits or requires it.

When processing your personal data, data protection law requires us to have a legal reason (legal basis) for collecting and using it. The table below describes our purposes for processing personal data of our clients’ tenants, and the corresponding legal bases we rely on to do so. Where we rely on the legal basis of “legitimate interests”, we have also identified what those “legitimate interests” are.

Purpose/Use of Personal Data	Category/ Type of data	Legal basis under UK GDPR
Legal and Regulatory Compliance: In order to comply with our legal and regulatory compliance obligations including in connection with employment.	(a) Identity (b) Contact (c) Correspondence (d) Potentially, special category personal data	(a)    Necessary for our legitimate interests (Article 6(1)(f) UK GDPR). It is in our legitimate interests for our business to ensure that it complies with all relevant regulatory and legal obligations including in connection with employment. (b)    Legal Obligation: (Article 6(1)(c) UK GDPR). We are under a legal obligation to process personal data in certain circumstances, for example, we may have to share personal data with third party regulatory organisations if are under a legal obligation to do so, for example under Health and Safety law.
Legal Claims: To establish, exercise or defend legal rights and claims including in the context of complaints and claims brought against Fidum or any of its employees or contractors, or wherever the courts are acting in a judicial capacity.	(a) Identity (b) Contact (c) Technical (d)    Potentially special category personal data	(a)    Necessary for our legitimate interests (Article 6(1)(f) UK GDPR). We process personal data where it is in our legitimate interests to establish, exercise or defend legal rights or claims in order to protect our business, its reputation and our employees. (b)    To the extent that the above activities involve processing your special category personal data, we anticipate that we will rely on the condition relating to “necessary for the establishment, defence or exercise of a legal claim” etc. (Article 9(2)(f) UK GDPR).

18. Your Legal Right To Object to Processing of Your Personal Data

Where your personal data is processed by us for the legal reason (lawful basis) of “legitimate interests”, you have the legal right to object. You can find a list of the purposes where your information is processed under the legal basis of “legitimate interests” above in the table,

“Our Purposes and Legal Bases for Processing your Personal Data: Tenant’s Personal Data”

In some cases, the right to object is absolute; this means that Fidum must comply with your objection and stop using your personal information. For example, you have the absolute right to object to your personal data being processed for the purpose of direct marketing.

In other cases, the right to object is not absolute.  This means that you have the legal right to object and Fidum must stop using your personal data unless it can demonstrate that its legitimate interest is more compelling than the impact of the processing has on you. Fidum will generally have one calendar month in which to respond to your objection.

If you want to object to your personal data being processed by Fidum for the legal reason of “legitimate interests”, please contact our Data Protection Manager using any of the contact details set out in “Contact” [https://www.fidumpm.com/contact/].

19. Who we may Share your Personal Data With

To deliver our services and comply with our legal obligations may share your personal data with the parties set out below for the purposes set out in the table Our Purposes and Legal Bases for Processing your Personal Data: If you require more detail,  please contact our Data Protection Manager.

• External Third Party Controllers: Fidum may need to share your personal data with third party organisations to be further processed by them as independent Controllers for their own independent purposes. For example, public authority regulators who need to access your personal information in order to exercise their statutory functions. For example, HMRC, local authorities, NHS, the Information Commissioner’s Office, the Police etc.

• External Third party professional advisors: such as our legal advisors, consultants, auditors, insurers and any organisation or individual appointed by us to carry out an independent investigation.

In most cases, even though they may be providing Fidum with a service, the external third party advisor will be an independent Controller of your personal data.

• External Third party Service Providers (Processors): Processors are external service providers that have access to your personal data. Fidum remains the Controller of your personal data and in charge of it.

Where this happens, your personal data is shared securely, in compliance with data protection law and where a GDPR-compliant data processing contractual arrangement has been entered into. Processors are legally bound to only process your personal data on our instructions and to take appropriate measures to keep it secure. They may not use your personal data for their own purposes.

By way of example, depending on the context, your personal data may be shared with the following Processors:

• Website Hosting Service Providers such as GoDaddy.
• IT Service Providers such as Comis Technology Ltd (IT Support), 162-168 Regent Street, London, W1B 5TD.
• Property software management systems including Yardi Systems Limited, C9 Glyme Court Oxford Office Village, Langford Lane, Kidlington, Oxford, England, OX5 1LQ.
• Facilities management software systems providers including Trackplan Ltd, 46/47 Catherine Street, Limerick, V94 T2V3, Ireland.

• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets: Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.