LET BUY MARK LTD (hereinafter referred to as the “Company”) shall endeavour to comply with the applicable laws related to the General Data Protection Regulation (GDPR 2016/679) in countries where the Company operates.
This Policy sets forth the basic principles by which the Company collects, retains, transfers, discloses and disposes of the Personal Data of consumers, customers, suppliers, business partners, employees, users, visitors to the website and other individuals (hereinafter referred to as the “Data Subjects”), and indicates the responsibilities of its business departments and employees while processing personal data.
This Policy applies to the Company and any future subsidiary companies whether directly or indirectly controlled within the European Economic Area (EEA) or processing Personal Data of Data Subjects within the EEA.
The Company has no intention of transferring data outside of the EU and EEA. However, the Company ensures that in the event that any Personal Data of Data Subjects is transferred outside of the EU and EEA countries or to an international organisation, the legal regime in the third country or international organisation is deemed to provide an “adequate” level of Personal Data protection as stipulated by the European Commission or that Controller and Processor provide appropriate safeguards or the personal data is transferred under binding corporate rules or that the transfer satisfies one of the conditions under Article 49.
The Company warrants that all Personal Data of the users of its services and visitors of the website www.letbuymark.com are processed under the applicable regulations governing the protection of Personal Data (GDPR 2016/679).
Personal Data is processed only when there is a legal basis for such an act: legal obligation, contractual relationship, user consent, protection of key user interests or legitimate interest of the Company.
2 Why this Policy exists
This data protection policy ensures Let Buy Mark Ltd:
- Complies with data protection law and follows good practice.
- Protects the rights of employees, self-employed estate agents, customers and business partners and affiliates.
- Is open about how it stores and processes individuals’ data.
- Protects itself from the risk of a data breach.
The following terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing Activity/ies”, “Pseudonymisation”, “Cross-Border processing of Personal Data”, “Supervisory Authority” used in this document shall have the same meaning as in the European Union’s General Data Protection Regulation:
4 Basic Principles Regarding Personal Data Processing
The Company shall adhere to Article 5(2) of the GDPR which stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Personal Data must:
- Be processed fairly and lawfully;
- Be obtained only for specific, lawful purposes;
- Be adequate, relevant and not excessive;
- Be accurate and kept up to date;
- Not be held for any longer than necessary;
- Be protected in appropriate ways;
- Be Accountable;
- Disclose information;
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection;
- Be processed in accordance with the rights of Data Subjects.
i. Lawfulness, Fairness and Transparency
The Company shall ensure that the Personal Data in relation to Data Subjects is processed lawfully, fairly and in a transparent manner.
ii. Purpose Limitation
The Company shall collect Personal Data for specified, explicit and legitimate purposes and will not further process Personal Data in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be deemed incompatible with the initial purposes.
iii. Data Minimisation
The Company shall keep Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. The Company shall apply anonymization or pseudonymisation to Personal Data where possible to reduce the risks to the Data Subjects.
iv. Accuracy of Personal Data
The Company strives to keep Personal Data accurate and, where necessary, up to date. The Company shall take reasonable steps to ensure that Personal Data is accurate, having regard to the purposes for which it is processed, and any inaccurate Personal Data shall be erased or rectified without undue delay.
v. Personal Data Retention
The Company warrants that the Personal Data will not be kept for longer than is necessary and only kept for the purposes for which it is processed. Retention periods may vary from a few months in relation to enquiries to over ten years under applicable law or court orders. The Company stores Personal Data on a password-protected electronic server and uploads Personal Data to a cloud service provider where access to download is restricted to the CEO and access for employees and/or estate agents is limited to editing. The Company holds hard copy data files in relation to agreements and ensures adequate locked storage systems in the executive office.
Taking into account the state of technology and other available security measures, the implementation cost, and the likelihood and severity of Personal Data risks, the Company endeavours to use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure.
The Company shall be responsible for and be able to demonstrate compliance with the principles outlined above.
viii. Disclosure of Information
In the event that the Company uses a third-party supplier, affiliate or business partner to process Personal Data on its behalf, the Company shall ensure that this processor will provide security measures to safeguard Personal Data that is appropriate to the associated risks.
The Company shall endeavour to ensure that the supplier, affiliate or business partner provides the same level of data protection. The Company shall ensure that the supplier or business partner shall process Personal Data only to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes.
When the Company processes Personal Data jointly with an independent third party, the Company will explicitly specify the respective responsibilities of the Company and the third party in the relevant contract or any other legally binding document, such as the Data Processing Agreement.
ix. Cross-border Transfer of Personal Data
The Company shall ensure that before transferring Personal Data out of the European Union (EU) and European Economic Area (EEA), adequate safeguards will be used including but not limited to the signing of a Data Transfer Agreement/Addendum, as required by the European Union. Authorisation may be obtained from the relevant Data Protection Authority where required. Furthermore, the entity receiving the Personal Data shall comply with the principles of Personal Data processing set forth in the Cross Border Data Transfer Procedure.
5 Rights of Access by Data Subjects
The Company acting as Data Controller shall provide Data Subjects with a reasonable access mechanism to enable the same to access their Personal Data. The Data Subject shall be allowed to update, rectify, erase, or transmit their Personal Data, if appropriate or as required by law.
i. Notices to Data Subjects
At the time of collection or before collecting Personal Data for any kind of Processing Activities including but not limited to selling products, services, or marketing activities, the Company shall inform the Data Subjects of the following:
- the types of Personal Data collected;
- the purposes of the processing and the processing methods;
- the Data Subjects’ rights with respect to their Personal Data;
- the retention period including any potential international data transfers;
- if data will be shared with third parties; and
- the Company’s security measures to protect Personal Data.
This information shall be provided through a Privacy Notice. All Data Subjects, regardless of the type and legal basis of processing, may file a complaint against Personal Data processing to this email address – email@example.com
Where Personal Data is being transferred to a third country, the Privacy Notice should reflect this and clearly state where, and to which entity, Personal Data is being transferred.
ii. Data Subject’s Consent
The Company shall ensure that whenever Personal Data is processed, such processing is carried out based on the Data Subject's consent, or other lawful grounds. The Company shall retain a record of such consent.
The Company shall provide Data Subjects with different options to provide their consent and must inform and ensure that their consent (apart from whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
iii. Fair Processing Guidelines
Personal Data will only be processed when explicitly authorised by the Company.
It is in the Company’s remit to decide whether to perform the Data Protection Impact Assessment (DPIA) for each data processing activity following the Data Protection Impact Assessment Guidelines.
iv. Right to be forgotten
Upon request, Data Subjects have the right to have their Personal Data erased by the Company. The Company acting as a Controller will take all necessary actions (including technical measures) to inform any third-party Data Processors where applicable to comply with the request.
v. Data Portability
Data Subjects have the right to receive, upon request, a copy of the Personal Data they provided to the Company in a structured, commonly used and machine-readable format and to transmit such Data to another Controller, for free. The Company shall endeavour to ensure that such requests are processed within one month, provided that the request is not excessive and does not affect the rights of other individuals’ Personal Data.
vi. Disposal of Personal Data
When the Company receives requests to dispose of Personal Data records by Data Subjects, the Company shall ensure that these requests are handled within a reasonable time frame. The Company shall keep a record, including a log, of these requests.
The Company ensures that any archived Personal Data is disposed of by adequate disposal mechanisms on expiry of the retention period. Any hard copies of Personal Data that the Company might have obtained from Data Subjects shall be physically destroyed when no longer relevant. The Company shall also strive to obtain adequate disposal mechanisms to ensure no Personal Data is leaked outside of the organisation.
The Company shall maintain the accuracy, confidentiality and relevance of Personal Data based on the processing purpose. The Company shall ensure that adequate security mechanisms designed to protect Personal Data will be used to prevent Personal Data from being stolen, misused or abused, and to prevent Personal Data breaches.
The Company shall be responsible for the requirements in this section and that any present and future collection, retention, transfer, disclosure and disposal methods are compliant with relevant law, good practices and industry standards.
6 The Company’s Responsibilities
The Company shall ensure appropriate Personal Data processing by all its employees and all those who have access to and process data on behalf of the Company.
Everyone who works for or with the Company has responsibility for ensuring that Personal Data is collected, stored and handled appropriately. Each team that handles Personal Data must ensure that it is handled and processed in line with this Policy and data protection principles.
However, these people have key areas of responsibility:
- The board of directors is ultimately responsible for ensuring that the Company meets its legal obligations.
- The Data Protection Officer or person in charge is responsible for:
  - Keeping the board updated about data protection responsibilities, risks and issues;
  - Reviewing all data protection training and advice for the people covered by this Policy;
  - Arranging data protection training and advice for the people covered by this Policy;
  - Handling data protection questions from staff and anyone else covered by this Policy;
  - Dealing with requests from individuals to see the data the Company holds about them (also called 'subject access requests' [SAR]);
  - Checking and approving any contracts or agreements with third parties that may handle the company's sensitive data.
7 Personal Data collected
Use of Web Page: www.letbuymark.com
The Company collects information from the visitors and users of the website in order to better understand the needs of users and to improve their products and services.
The following data is collected for the above stated purposes:
- Time and date of the page visit
- Visited pages
- Type and version of the Internet browser
- Visitor's IP address.
9 Data Subject’s Registration
While registering a user the Company shall collect the following information:
The Company may collect personal data from Data Subjects in a variety of ways, including, but not limited to, when Data Subjects visit the Company website, register on the site, make an enquiry, subscribe to the newsletter, respond to a survey, fill out a form, and in connection with other activities, services, features or resources the Company makes available on its website. Data Subjects may be asked for, as appropriate, name, email address, mailing address, phone number. Data Subjects may, however, visit the website anonymously. The Company may collect personal identification information from Data Subjects only if they voluntarily submit such information to the Company. Data Subjects can always refuse to supply personal identification information, except that it may prevent them from engaging in certain website related activities.
10 Data Subject’s Support
The Company shall provide its users with user support through an email. The data collected in this manner shall be processed exclusively for the purpose of providing user support.
The Company, in compliance with the given consent, may periodically notify Data Subjects of the new benefits of the Company. The Data Subject may always decide to decline to receive the above notifications and may cancel the service by sending an e-mail to: firstname.lastname@example.org
12 Personal Data Users
No Personal Data is passed on to any entrusted partners and/or third parties. However, in the event Personal Data is passed on to trusted partners and/or third parties (Data Processors/Sub-Processors) for the purpose of providing user support, information system maintenance or similar needs, the Company shall keep the Data Subjects informed and ensure that these trusted partners and/or third parties abide by the mandatory data protection measures.
During such data transmission the Company shall take all appropriate organizational, technical and legal protection measures.
13 Response to Personal Data Breach Incidents
When the Company learns of a suspected or actual Personal Data breach, the Company shall perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of Data Subjects, the Company will notify the relevant Supervisory Authorities without undue delay and, when possible, within 72 hours from when it learns of such breach.
14 Audit and Accountability
The administration department or other relevant department is responsible for auditing how well business departments implement this Policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
15 Governing Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the country in which the Company operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
16 Personal Data Protection Contact
Requests, complaints or inquiries relating to processing and protection of Personal Data can be sent to the e-mail address: email@example.com or by calling +356 777 999 22.
In accordance with the applicable legal regulations governing the protection of Personal Data, each request/inquiry will be resolved without undue delay and at the latest within 30 days of receipt.
When you contact us and submit such requests, we will make reasonable efforts to confirm your identity and to prevent unauthorized Personal Data processing.
17 Changes to this Policy
As the Company evolves, there may be the need to update this Policy to keep pace with changes to the website, software, services, business and Applicable Laws. The Company will, however, always maintain its commitment to respect the Data Subject's privacy. The Company ensures that it will notify the Data Subjects of any material changes to this Policy by email (the most recent email provided by the Data Subject) or post any other revisions to this Policy along with their effective date, in an easy-to-find area of the website.
This document was updated on 25th May 2018 and is effective from that date.
Contact: Mr. Mark Molnar
Company Address: 12/1, Forrest Street, St Julian’s STJ 2033, Malta