Data and GDPR Policy

07/06/2023

Open Property Data Assocation (OPDA) is committed to ensuring the protection and privacy of personal data in compliance with the data protection laws of the United Kingdom, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This Data and GDPR Policy outlines the principles and guidelines governing the collection, processing, storage, and sharing of personal data by the association.

This policy shall be reviewed annually to ensure its effectiveness and compliance with applicable data protection laws. Changes to this policy shall be communicated to all relevant personnel and stakeholders.

You can contact us by email on contact@openpropdata.org.uk or via the contact us link on the website.

Data Collection and Processing

We collect personal information solely for the purposes of running the business of OPDA:

Lawful basis: OPDA shall process personal data only where there is a lawful basis to do so, as defined in Article 6 of the GDPR, including consent, contract performance, compliance with legal obligations, protection of vital interests, public interest, or legitimate interests pursued by OPDA. Where consent is required, explicit and freely given consent shall be obtained from the data subject.

Purpose limitation: Personal data shall be collected and processed for specific, explicit, and legitimate purposes as defined by OPDA’s objectives and activities. Individuals shall be informed of the purpose(s) for data collection and any subsequent processing.

Data minimisation: OPDA shall collect and process personal data that is relevant, adequate, and limited to what is necessary for the stated purposes. Data shall be kept accurate and up to date, and efforts shall be made to rectify or erase inaccurate or outdated data.

Data Security and Storage

Security measures: We implement appropriate technical and organisation measures to protect personal data from unauthorised access, disclosure, alteration, and destruction. Access to personal data is restricted to authorised personnel and individuals with a legitimate need for such access.

Data retention: Personal data shall be retained only for a long as necessary to fulfil the purposes for which it was collected or as required by applicable laws or contractual obligations. We have established retention periods and regularly review data to ensure compliance with retention policy.

Data breach response: In the event of a data breach involving personal data, OPDA shall promptly assess the impact of the breach and take appropriate measures to mitigate any potential harm. Affected individuals and the Information Commissioner’s Office shall be notified as required under GDPR.

Data Sharing and 3rd Party Processing

Personal data shall not be shared or disclosed to third parties unless there is a lawful basis for doing so, or with the explicit consent of the data subject.

Contracts and agreements with third parties processing personal data on behalf of OPDA shall include appropriate data protection provisions.

Data Subject Rights

Right to access: Data subjects have the right to access their personal data held by OPDA and request information on its processing.

Right to rectification and erasure: Data subjects have the right to request the rectification of inaccurate or incomplete personal data or the erasure of their data in certain circumstances.

Right to object and restrict processing: Data subjects have the right to object to the processing of their personal data and request restrictions on its processing under specific conditions that continue to meet our collection and processing laws and obligations.

GDPR

OPDA has an appointed Data Protection Officer (DPO) who is responsible for overseeing data protection matters and GDPR compliance.

All personnel involved in the processing of personal data shall receive training on GDPR principles, data protection practices, and OPDA’s Data and GDPR policy.

We maintain records of our data processing activities as required under GDPR.