9. Your rights
The Honourable Society of the Middle Temple (‘the Inn’) respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data with regards to administering and managing tenancies. It is for tenants and residents, including prospective and former tenants and residents, and where applicable, guarantors or referees.
The document is provided in a layered format so that you can click through to the specific areas set out below.
This privacy notice should be read in conjunction with the document “Tenant Privacy Notice: Further Information” (available at https://www.middletemple.org.uk/about-us/data-protection/privacy-policies-and-notices), which provides more detailed information about the personal data that the Inn uses in relation to tenant activities. Schedules 1-4 that are referred to in this privacy notice can be found in the Further Information document.
This privacy notice should also be read in conjunction with the Inn’s other Data Protection policies and notices which can be viewed on the Inn’s website: https://www.middletemple.org.uk/about-us/data-protection. These other documents provide more general information about how the Inn uses and stores your data. If you would like more information please contact the Inn’s Data Protection Officer at firstname.lastname@example.org
1. Important information and who we are
The Inn is a Data Controller and is therefore responsible for your personal data (referred to as, “we”, “us” or “our” in this privacy notice).
We have appointed a Data Protection Officer (DPO), who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
DPO Contact DetailsSarah Cates Data Governance Manager The Honourable Society of the Middle Temple Middle Temple Treasury Ashley Building Middle Temple Lane London EC4Y 9BT Tel: 020 74274800 Email: Data.Protection@middletemple.org.uk
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.
Changes to the Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
This version was last updated on 27 May 2022 and historic versions can be obtained by contacting us.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
2. How we collect and use your information
Collection of your data
When you enter a tenancy with the Inn or make an application to do so, we will collect, obtain and hold a range of data about you that may be able to identify you directly or indirectly (personal data). We cannot administer our relationship with you without your personal data. If and when you cease to be a tenant, or if your application for a tenancy is rejected, we will continue to hold some data for a predefined period of time in order to fulfil our remaining tasks and obligations.
We may also collect data on referees that you provide in order to take out a tenancy, guarantors (if applicable) and individuals that you provide as emergency contacts.
We may collect, use, store and transfer different kinds of personal data about you, which includes: personal information (e.g. name, date of birth, contact details); financial information (e.g. payment details, rent payments); background information in order to determine whether you should be given a tenancy (e.g. employment, previous tenancies); information about your tenancy (e.g. maintenance requests, utilities payments); and membership information if you are also a member of the Inn (e.g. membership number).
Further details of the personal data we collect are set out in Schedule 1 in the Tenant Privacy Notice: Further Information document.
Much of this data is data that you provide to us directly when you enter into a tenancy with us and when you correspond with us in the course of your tenancy.
For example, this includes personal data that you provide when you:
- Complete online enquiry forms;
- Apply for a tenancy at the Inn;
- Log maintenance requests with the Inn;
- Create an account on our websites;
- Update your details through our online update forms and communication preferences;
- Subscribe to any of our membership services or publications including our newsletters;
- Request marketing to be sent to you;
- Complete a survey; or
- Provide feedback.
If we do not receive information directly from you, we either generate it ourselves, or we receive it from third parties, such as:
- Third-party background check providers and identity verification agencies;
- Individuals or organisations that you name as a referee;
- If you are a referee or next of kin we receive your details from the tenant.
If you are a member of the Inn we use information that you provided when you became a member in order to verify your details.
The purposes of processing your information
We process your personal data for particular purposes in connection with your tenancy, or prospective tenancy, and the management and administration of the Inn’s business.
We are required by law to always have a permitted reason or justification (called a “lawful basis”) for processing your personal data. There are six such permitted lawful bases for processing personal data. The table at Schedule 3 in the Tenant Privacy Notice: Further Information document sets out the different purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.
Most commonly we will use your personal information in the following circumstances:
- Where we need to perform a contract we have entered into with you, e.g. a tenancy agreement;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- Where we need to comply with a legal or regulatory obligation.
We may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests);
- Where it is needed in the public interest.
Please note that if you fail to provide certain information when requested, we may not be able to take the necessary steps prior to entering into a contract with you, or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of members or our staff).
3. Special category personal data
Sensitive personal data, called “Special Category” data in the legislation, receives extra protection under data protection law. The Inn can only process it if we have an additional lawful basis to rely on and meet higher standards for safeguarding it.
We will process these special categories of personal information:
- In limited circumstances, with your explicit written consent;
- Where we need to carry out our legal obligations;
- Where it is needed in the public interest, such as for equal opportunities monitoring or public health concerns.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
The table at Schedule 4 in the Tenant Privacy Notice: Further Information document sets out the different purposes for which we process your Special Category personal data and the relevant lawful basis on which we rely for that processing. For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.
We will use these special categories of personal information in the following ways:
- We will use information about your physical or mental health, or disability status, to ensure your and other individual’s health and safety and to make any reasonable adjustments needed; and
- We will use information voluntarily provided by you about your race or national or ethnic origin, or your disability status, to ensure meaningful equal opportunity monitoring and reporting.
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain special categories of personal information. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your entering into a contract with us that you agree to any request for consent from us and once given, you may withdraw your consent at any time.
4. Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports.
5. Who your information is shared with
We share your personal information with third parties only as necessary, including third-party service providers. As a principle, only minimal information will be shared as necessary and only where we have identified a lawful basis or exemption for doing so, and the data is proportionate to the need. These third parties will process your personal data on our behalf (as our Data Processor). We will disclose your personal data to these parties so that they can perform those functions, however we will enter into a written contract imposing appropriate security standards on them to ensure that they process your personal data in accordance with Data Protection legislation.
We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. “Third parties” includes third-party service providers (including contractors) who may be required to conduct maintenance on your property; the local authority for council tax purposes; your emergency contact or emergency services in an emergency; debt collectors or tracing agents; a tenancy deposit protection body if you have been asked to provide a deposit. If needed to comply with law and regulations, we will also need to share your personal information with governmental agencies.
We will share your contact details with the Temple Residents Association (TRA) which plays an active role in looking after the interests of our residents, in order for them to contact you with information relevant to residents. You can request for this information not to be shared with the TRA at any time.
We may also share your personal data with third parties, as authorised by you, for example with your future landlord if you ask us to provide a reference.
6. International transfers
If any of our processing activities require your personal data to be transferred outside of the United Kingdom, we will only make that transfer if:
- The country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
- We have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient;
- The transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
- You explicitly consent to the transfer.
7. How long do we keep your personal data for?
If you are a tenant, or apply for a tenancy, we will keep your personal data during the period of your tenancy or application and then, after your tenancy or application ends, for as long as is necessary in connection with both our and your legal rights and obligations. This may mean that we keep some types of personal data for longer than others. Full details of our data retention periods are contained in Schedule 2 in the Tenant Privacy Notice: Further Information document.
We will only retain the majority of your personal data for a limited period of time. This will depend on a number of factors, including:
- Any laws or regulations that we are required to follow;
- Whether we are in a legal or other type of dispute with each other or any third party;
- The type of information that we hold about you; and
- Whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
When it is no longer required in line with its retention period, personal information is securely and permanently destroyed.
Some information about our members is transferred to the Inn’s Archives for permanent preservation so that it can be professionally managed in order to facilitate future historical research enquiries. All relevant safeguards are met in relation to this archival processing.
8. How do we protect your data?
We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Please see the Inn’s Data Protection Policy on the Inn’s website https://www.middletemple.org.uk/about-us/data-protection for more detailed information about security of data.
9. Your rights
You have certain legal rights, which are briefly summarised below, in relation to any personal data about you which we hold.
What does it mean?
Limitations and conditions of your right
Right of access
Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).
If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations.
We must be able to verify your identity.
Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff.
Right to data portability
Subject to certain conditions, (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/) you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine-readable format.
If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.
This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal data that has been provided to us by you.
Rights in relation to inaccurate personal or incomplete data
You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, telephone number or immigration status.
This right only applies to your own personal data. When exercising this right, please be as specific as possible.
Right to object to or restrict our data processing
Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.
This right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.
Right to erasure
Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.
We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
Right to withdrawal of consent
Where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.
If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
If you wish to exercise any of your rights please contact our Data Protection Officer at email@example.com in the first instance. You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.