Data protection policy
1. Context and overview
1.1 Key details
- Policy became operational on: 25 May 2018
Ejerforeningen Aldersrogade 37-39 (now known as “the Homeowner’s Association”) needs to gather and use certain information about individuals.
These can include residents, partners, suppliers, board members, and other people the Homeowner’s Association has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the Homeowner’s Association’s data protection standards – and to comply with the law.
This document was created in part using a template from SEQ Legal (https://seqlegal.com) and IT Donut (https://www.itdonut.co.uk/).
1.4 Why this policy exists
This data protection policy ensures the Homeowner’s Association:
- Complies with the General Data Protection Regulations (GDPR) and follow good practice
- Protects the rights of residents, partners, suppliers, and board members
- Is open about how it stores and processes individual’s data
- Protects itself from the risks of a data breach
1.5 General Data Protection Regulation (GDPR)
The GDPR describes how organisations – including Ejerforeningen Aldersrogade 37-39 – must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The GDPR is underpinned by some important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for longer than necessary
- Processed in accordance with the rights of data subjects
- Be protected in appropriate ways
2. People, risks and responsibilities
2.1 Policy scope
This policy applies to:
- The Homeowner’s Association Ejerforeningen Aldersrogade 37-39
- All board members of the Homeowner’s Association
- All contractors, suppliers and other people working on behalf of the Homeowner’s Association
It applies to all data that the Homeowner’s Association holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- …plus any other information relating to individuals
2.2 Data protection risks
This policy helps to protect the Homeowner’s Association from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the Homeowner’s Association uses data relating to them.
- Reputational damage. For instance, the Homeowner’s Association could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with the Homeowner’s Association has some responsibility for ensuring data is collected, stored and handled appropriately. Those who handle personal data must ensure that it is handled and processed in line with this policy and data protection principles.
Board members are ultimately responsible for ensuring that the Homeowner’s Association meets its legal obligations.
3. How we use your personal data
Only personal data that is necessary will be collected and used.
3.1 The Homeowner’s Association may process personal data of individuals that are provided in the course of the use of services such as booking the party room and requesting for a parking permit (‘service data’). The service data may include full name, address, telephone number, email address, and car registration number. This data may be shared with our partners and suppliers such as IP Administrator (for billing purposes) and Q-Park (for supplying the parking service). The legal basis for this processing is the performance of a contract between the individual and the Homeowner’s Association and/or taking steps, at the individual’s request, to enter into such a contract.
3.2 The Homeowner’s Association may process information contained in or relating to any communication that individuals send to the board (‘correspondence data’). The correspondence data may include the communication content and metadata associated with the communications made using the website online forms. The correspondence data may be processed for the purpose of communicating with the individual and record-keeping. The legal basis for this processing is legitimate interests, namely the proper administration of the Homeowner’s Association’s website and communications with individuals.
3.3 The Homeowner’s Association may process information that individuals provide to it for the purpose of subscribing to its newsletters (‘notification data’). The notification data may be processed for the purpose of sending individuals the relevant newsletters. The legal basis for this processing is consent.
3.4 The Homeowner’s Association may process information that is recorded on the video surveillance cameras found around the estate for the purpose of ensuring the safety of individuals around the estate, to deter and assist in the prevention or detection of crime, to monitor security, and to identify actions which might result in penalties according to the Homeowner’s Association’s by-laws. Where necessary, such data will be retained for record-keeping and may be handed over to law enforcement agencies. The legal basis for this processing is legitimate interests.
3.5 In addition to the specific purposes for which the Homeowner’s Association may process an individual’s personal data set out in this Section 3, it may also process any of his/her personal data where such processing is necessary for compliance with a legal obligation to which the Homeowner’s Association is subject, or in order to protect the individual’s vital interests or the vital interests of another natural person.
3.6 Please do not supply any other person’s personal data to the Homeowner’s Association, unless prompted to do so.
4. Individual rights
The GDPR includes the following principal rights for individuals:
4.1 The right to be informed
Individuals have the right to confirmation as to whether or not the Homeowner’s Association processes their personal data and, where it does, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data.
4.2 The right of access (see section 5)
4.3 The right to rectification
Individuals have the right to have any inaccurate personal data about them rectified and, taking into account the purposes of the processing, to have any incomplete personal data about them completed.
4.4 The right to erasure
In some circumstances individuals have the right to the erasure of their personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; individuals may withdraw consent to consent-based processing; individuals may object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: (for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims).
4.5 The right to restrict processing
In some circumstances individuals have the right to restrict the processing of their personal data. Those circumstances are: the individual contests the accuracy of the personal data; processing is unlawful but the individual oppose erasure; the Homeowner’s Association no longer needs the personal data for the purposes of its processing, but the individual requires personal data for the establishment, exercise or defense of legal claims; and the individual has objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, the Homeowner’s Association may continue to store the individual’s personal data. However, the Homeowner’s Association will only otherwise process it: with the individual’s consent; for the establishment, exercise or defense of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
4.6 The right to object to processing
Individuals have the right to object to our processing of their personal data on grounds relating to their particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in the Homeowner’s Association; or the purposes of the legitimate interests pursued by the Homeowner’s Association or by a third party. If individuals make such an objection, the Homeowner’s Association will cease to process the personal information unless it can demonstrate compelling legitimate grounds for the processing which override the individual’s interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.
Individuals have the right to object to the Homeowner’s Association’s processing of their personal data for direct marketing purposes (including profiling for direct marketing purposes). If individuals make such an objection, the Homeowner’s Association will cease to process their personal data for this purpose.
Individuals have the right to object to the Homeowner’s Association’s processing of their personal data for scientific or historical research purposes or statistical purposes on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
4.7 The right to data portability
To the extent that the legal basis for the Homeowner’s Association’s processing of the individual’s personal data is:
(a) consent; or
(b) that the processing is necessary for the performance of a contract to which individuals are party or in order to take steps at their request prior to entering into a contract,
and such processing is carried out by automated means, individuals have the right to receive their personal data from the Homeowner’s Association in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
4.8 The right to withdraw consent
To the extent that the legal basis for our processing of the individual’s personal information is consent, he/she has the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
4.9 The right to complain to a supervisory authority
If individuals consider that the Homeowner’s Association’s processing of their personal information infringes data protection laws, they have a legal right to lodge a complaint with a supervisory authority responsible for data protection. They may do so in the EU member state of their habitual residence, or the place of the alleged infringement.
Individuals may exercise any of their rights in relation to their personal data by written notice to the Homeowner’s Association at email@example.com, in addition to other methods specified in this Section 4
5. Subject access requests
Providing the rights and freedoms of others are not affected, all individuals who are the subject of personal data held by the Homeowner’s Association are entitled to:
- Ask what information the Homeowner’s Association holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the Homeowner’s Association is meeting its data protection obligations.
If an individual contacts the Homeowner’s Association requesting this information, this is called a subject access request.
Subject access requests from individuals should be made to the board by email at firstname.lastname@example.org.
The board will aim to provide the relevant data within 30 days.
The board will always verify the identity of anyone making a subject access request before handing over any information.
The board reserves the right to refuse or charge for requests that are manifestly unfounded or excessive. If the board refuses a subject access request, it will tell the individual why, and the individual will have the right to complain to a judicial remedy. Any refusal or charges will be made known to the individual within 30 days.
6. General board member guidelines
- The only people able to access data covered by this policy should be those who need it for their work within the board.
- Data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Board members should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the Homeowner’s Association or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Board members should request help if they are unsure about any aspect of data protection.
7. Data storage
These rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Board members should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly.
- If data is stored on removable media (like a thumb drive), these should be kept locked away securely when not being used.
- Data should only be uploaded to approved cloud computing services.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
8. Data access
All members of the board have access to the personal data used, and this may be shared to some extent with third parties that include the Association’s appointed Administrator (IP Administration) and janitor service provider (IP Ejendomservice), as well as to partners such as Q-Park, where necessary.
9. Disclosing data for other reasons
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, the Homeowner’s Association will disclose requested data. However, the board will ensure the request is legitimate, seeking assistance from legal advisers where necessary.