The Data Protection Act 2018 (DPA 2018) sets out the data protection framework in the UK and incorporates the Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) into the national law. Its purpose is to protect the “rights and freedoms” of natural persons (living individuals), and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
The Macgregor office is located at:
15 Belgrave Place, Edinburgh, EH4 3AW
Contact number: 0131 283 2833
Macgregor works for property developers and house builders to sell new and refurbished property to the general public and institutions.
Definitions used by the organisation (drawn from the GDPR)
Material scope (Article 2 GDPR) – the GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.
Territorial scope (Article 3 GDPR) – the GDPR applies to all controllers that are established in the EU (European Union) who process the personal data of data subjects, in the context of that establishment. It also applies to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU.
Article 4 GDPR – Definitions
Establishment – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre. If a controller is based outside the EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on behalf of the controller and deal with supervisory authorities.
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject – any living individual who is the subject of personal data held by an organisation.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.
Data subject consent – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Child – the GDPR defines a child as anyone under the age of 16 years old, although this may be lowered to 13 by Member State law. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- Types of Information Collected.
Personal data means any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual’s actions or behaviour, or information that may otherwise impact that individual in a personal, or business capacity.
Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. (The rest is ordinary personal data).
Categories of personal information collected and processed by Macgregor include, but are not limited, to:
- Residential status – including present and past addresses
- Date of Birth
- Marital status
- Residential status
- Dependent information
- National Insurance number
- Employment history – including current and former employer information
- Copies of identification
- Financial information – such as salary, bank details, mortgage statements, credit card details, load details
- Contact information
- Third party contact information
- Online identifier information
Macgregor may also collect and process special category and criminal offence data, including, but not limited to:
- Health and medical history
- Ethnicity and race
- Criminal offences / convictions
- Child data
- Methods of Collection
Personal information we process about you may be directly provided to us by yourself in the course of you:
- Using or applying for a Macgregor product or service
- Making a complaint or enquiry to ourselves
- Subscribing or unsubscribing to marketing material
- Participating in a promotion, offer or programme
- Entering or attempting to enter into a business or employment relationship with ourselves
- Call recordings or participation in shared online web conferencing facilities
Information may also be provided to us indirectly by, including but not limited, to:
- Next of kin / delegated authorities
- Business associates
- ‘Trusted Sources’:
- Government / Land / Police registers
- Credit / Default Agencies
- Financial Institutes (Banks, Building Societies, Loan Agencies, Credit Cardcompanies)
- Insurance Companies
- Other Law firms
- Health providers
- Third party service affiliates or suppliers who have sought your consent
This information may be provided via the use of:
- Forms and documentation
- Online submission portals
- Email, postal or telephone correspondence
We will always attempt to provide you with our Privacy Notice in regards to information received from other sources than yourself if it is not deemed to be disproportionate or prejudicial. We, our service providers and partners collect certain information by using automated means, such as cookies, when you interact with our advertisements, mobile applications, or visit our websites, pages or other digital assets. The information we collect in this manner may include:
- IP address
- Browser type
- Operating system
- Referring URLs and information on actions taken or interaction with our digital assets.
- Purposes of Processing
Generally, we will collect, use and hold your information for the purposes of:
- Assessing applications for and providing Macgregor products and services
- Conducting business and developing relationships with Macgregor and affiliates
- Processing payments and transactions including: Accounting, Authorisation, Clearing, Chargebacks, Auditing, Billing, Reconciliation, Collection, Credit Checks and related dispute resolution activities
- Protecting against and preventing fraud, unauthorised transactions, money laundering, tax evasion, claims and other liabilities
- Creating and managing any accounts or associated authentication criteria (such as ID logons and passwords) you may have with Macgregor
- Communicating and marketing Macgregor products, services, offers, programs and promotions
- Compiling business directories, including business contact information
- Operating, monitoring and improving our products, services, websites, mobile applications and other digital assets as well as developing new products and services
- Processing job applications
- Complying with industry standards and Macgregor policies
- Processing complaints, enquiries and data subject rights requests
- For training, communication and awareness
- Confirming appointments and meetings
- Publishing of customer feedback and reviews
- Lawful basis of processing
The legal basis we use to process your personal data may differ for each processing activity. Dependent upon the purpose for processing, as outlined above, and the business area processing your data Macgregor relies upon the following lawful basis of processing:
- Article 6 (1) (a) GDPR Consent: Where your permission and consent has been provided to allow processing to be undertaken. For example;
- Using video, messaging or other communication applications to provide a service, where you have requested, actively chosen to use or approved the use of the application as a form of contact between yourself and the business
- Article 6 (1) (b) GDPR Performance of a contract: where you have or will enter into a contract with Macgregor and we need to process your information as part of this contract
- Article 6 (1) (c) GDPR Compliance with a legal obligation: Where Macgregor are bound by further laws and regulations to process your information, affecting areas such as:
- Data Protection,
- Crime and anti-money laundering,
- Financial Services,
- Property and estate management,
- Welfare and health and safety
- Article 6 (1) (d) GDPR Public interest: Information concerning relocations is processed in accordance with public interest
- Article 6 (1) (e) GDPR Legitimate interests: These include:
- Fraud prevention and detection,
- Risk assessment,
- Due diligence,
- Network and Information Security,
- Suppression lists and managing communication opt-out requests,
- Training, communication and awareness,
- Direct marketing,
- Monitoring and web analytics,
- Cloud storage,
- Management Information,
- Compliance self-assessments,
- Utility switches
Should we be provided with information defined as ‘special category’ our lawful basis for processing is:
- Article 9 (2) (a) GDPR Explicit Consent: Your permission has been granted and documented directly to us
- Article 9 (2) (b) GDPR For the purposes of employment and social security: Such as complying with employment laws
- Article 9 (2) (e) GDPR Data has been made public by the data subject: Such as the Electoral Roll
- Article 9 (2) (f) GDPR Establishing, exercising or defending a legal claim: Such as litigation against a business or employee
- Schedule 1, Part 2, Paragraph 15 DPA 2018 Suspicion of money laundering: In line with Section 339ZB of the Proceeds of Crime Act 2002
- Schedule 1, Part 2, Paragraph 20 DPA 2018 Insurance: Advising on, underwriting, arranging or administering an insurance contract
- Schedule 1, Part 2, Paragraph 21 DPA 2018 Occupational Pensions: Next of kin information of employees signed up to the pension scheme.
We may also process Criminal conviction data under:
- Schedule 1, Part 3, Paragraph 33 DPA 2018 Legal claims: In connection with legal, or potential legal proceedings, obtaining legal advice or establishing, defending and /or exercising legal rights.
- InformationWe Share
We do not sell or otherwise disclose personal information we collect about you, except as described in this Privacy Notice or as indicated via the consent process at the time the data is collected. We may share the information we collect, where applicable, with:
- Landlords and landlord associates and sub processors
- Vetted affiliates and partners
- Financial Institutions
- Insurance Companies
- Formally contracted service providers for: Hosting Data centres, Infrastructure and Applications development and support,
- Cloud Services
- Helpdesk and Call Centres etc.
- Councils, local authorities, and health and care providers
- Water and other utility companies
- Law firms and EPC providers
- Credit agencies
- Land Registry Office
- Her Majesty’s Revenue and Customs (HMRC),
- Relevant regulatory bodies and authorities
Macgregor may also disclose personal information to other employees in the course of providing you with our services. Macgregor does not permit these parties to use such information for any other purpose than to perform the services they have been instructed to provide by us. We may also share information about you, if required legally, to prevent harm or financial / reputation loss, for investigation of suspected or actual fraudulent or illegal activities. We contractually require service providers and processors to safeguard the privacy and security of personal information they process on our behalf in line with data protection obligations and authorise them to use or disclose the information only as necessary to perform services on our behalf and under our instruction or to comply with legal obligations and requirements.
On websites, features can be accessed where we partner with other entities that are not affiliated with Macgregor. These include social networking and geo-location tools etc. and are operated by third parties who may use or share personal information in accordance with their own privacy policies. It is recommended that you review the third parties’ privacy notice if you use the relevant features. In the event of a sale or transfer of our business or assets (wholly or partly) Macgregor reserve the right to transfer your information to the acquirer. You can exercise your rights and gain clarification concerning the protection and processing of your information by the acquirer by contacting them directly.
Macgregor Property Ltd employs third party suppliers to provide services including utilising the services of a credit reference agency (https://www.transunion.co.uk/legal-information/bureau-privacy-notice).
Macgregor may use direct or anonymised information to engage in data analysis, data matching and profiling activities for a variety of purposes, including, but not limited to:
- Business conduct
- Investigation and identification of fraud, money laundering and other potential unauthorised activities,
- Financial Viability analysis / reports
- Business partner / client portfolio position, performance, risk positions
- Anti-money laundering
- Tax reporting
- Credit defaulting / exposure
- International Data Transfers
Some of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA. Under Data Protection Law, international transfers of personal data may take place if the third country ensures an adequate level of protection, and both controller and processor, provides appropriate safeguards though means such as standard data protection clauses or binding corporate rules. Furthermore, the legislation provide for derogation clauses allowing for the transfer to take place even where neither an adequate level of protection nor appropriate safeguards are in place. For any transfer of personal data outside the EEA, we aim to evidence a similar degree of data protection is applied by ensuring at least one of the following safeguards is implemented:
(a) We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (Adequacy Decision).
(b) Where we use certain service providers, we may use specific contracts approved by the European Commission or by the Supervisory Authority, which give personal data the same level of protection it has in Europe (Standard Data Protection Clauses for the transfer of personal data to third countries).
(c) Where we use providers based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the USA (Privacy Shield).
(d) Where we use providers within Macgregor, we may transfer data to them under the mechanism of binding corporate rules approved by the Supervisory Authority (BCRs).
Where we are unable to rely on one of the safeguards outlined above, we will rely on the derogation under Article 49 of the GDPR (when the transfer relates to the performance of a contract and for your benefit), and you hereby allow us to do so. Where your personal data is transferred outside the EEA in these instances, controls on data protection may not be as wide as the legal requirements within the EEA.
We keep your personal information in line with our Data Retention & Destruction Policy. In certain circumstances we have a statutory obligation to keep your personal information for a set period of time, for example, financial information (normally 7 years) for financial auditing purposes. Information is always retained in line with its purpose of processing and only for as long as necessary usually, information is kept for 7 years after last contact with you. However, this period may be extended dependent upon any legal or contractual obligations Macgregor may be required to comply with, as well as any overriding business legitimate interests.
- Your Rights and Choices
Under Data Protection law and regulation, you have a number of rights. The applicability of these rights are dependent upon our purpose and lawful basis of processing, therefore not all of these rights may be available to you. You can exercise your rights either verbally or in writing. However, should you make a request verbally we recommend that you follow this up in writing to provide a clear correspondence trail. We have an obligation to respond within one month of receiving your request. Should we deem the request to be complex the response time can be extended by up to two months. Should this be required, you will be informed of the extended response date, alongside an explanation, within the original one month time frame. Should we feel the need to verify your identity, identification will be requested within the one month time frame and only limited to what is necessary for confirmation. Once we are satisfied we will then process your request. Should we refuse to comply with a request we will inform you of this within the one month time frame and provide an explanation outlining our justification, our internal complaints procedure and your right to complain to a supervisory authority and to enforce your rights through a judicial remedy.
- Your Right of Access
You have the right to request and receive copies of the personal information we hold that directly relates to you. This right is applicable at all times; however, due to exemptions within the legislation you may not always receive all the information we process. If this is applicable an explanation will be provided to you within our response. If you are requesting information on behalf of someone else we require you to provide proof that you are entitled to act on behalf of the data subject and will require written confirmation of this authority. If we are not satisfied you have the right to act as a delegated authority we reserve the right to refuse the request.
- Your Right to Rectification
You have the right to request that inaccurate information is rectified and incomplete information completed. Please provide an overview of the information you wish to be rectified / completed. Upon receipt of your request an investigation will be undertaken and a response determining our decision will be provided to you. Please be aware that we may need to take certain steps to verify the accuracy of the new information before the change can be applied.
- Your Right to Erasure
You have the right to request your personal information is deleted by us; however, this only applies in certain circumstances. To exercise this right, please provide us with an overview of the information you would like deleted and your reasoning. Upon receipt this matter will be investigated and a response determining our decision provided to you. In certain circumstances we may be unable to physically delete your data, however, we may put in place steps to ensure the data is ‘put beyond use’, anonymised or pseudonymised and you will be notified of this.
- Your Right to Restrict Processing
You have the right to request we restrict the processing of your personal information, however, this only applies in certain circumstances. To exercise this right please provide us with an overview of the information you would like restricted and your reasoning for this request. Upon receipt this matter will be investigated and our decision provided to you. Processing of your personal data will not resume without you being notified that the restriction is to be lifted.
- Your Right to Object
You have the right to object to us processing your data whereby we are processing your information in the public interest or for our legitimate interests. To exercise this right, please provide us with an overview of the information you are objecting to and your reasoning for this. Upon receipt, this matter will be investigated and our decision provided to you. You also have an absolute right to object to us using your data for direct marketing. You can exercise this right by:
- e-mailing email@example.com
- Unsubscribing via the “unsubscribe link” within the marketing e-mails you receive from us, or
- Contacting Macgregor as indicated below in Section 3.
2.9.1 Cookies Policy
- Your Right to Data Portability
You have the right to request us to transfer the information you have provided to us to another organisation or to you directly. This right only applies if we are processing information based on your consent or in regards to a contract and the processing is automated. Requests to exercise this right will be reviewed and a decision provided to you.
- Your Right to Automated Decision Making and Profiling
If automated decision making and profiling have been used you have a right to obtain human intervention and challenge a decision made as a result of this process. Requests to exercise this right will be investigated and a decision provided to you.
- Withdrawal of Consent
If we obtain your information by consent you have the right to withdraw your consent at any time. However, the right to consent removal may be limited in some circumstances by local law requirements. Should this apply you will be informed appropriately.
- Contact Information
You can exercise your rights, raise a query or concern, report a breach or make a complaint by contacting the applicable business unit or:
Writing to: Michael Hodgson, Macgregor, 15 Belgrave Place, Edinburgh, EH4 3AW.
To assist us in responding to your request in a timely and satisfactory manner please provide as much detail as possible during your contact with us.
- How to Lodge a Complaint
If you remain unsatisfied with the way in which Macgregor have handled your data or dealt with your request / complaint you have a right to raise this with the relevant Supervisory Authority and to seek to enforce your rights through a judicial remedy.
The Property Ombudsman
43-44 Milford Street
Tel: 01722 335 458
- How we Protect Personal Information
The security of your personal information is of the utmost importance and Macgregor is committed to protecting the personal data we process. We maintain administrative, technical and physical safeguards designed to protect against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. We use SSL encryption on a number of our websites from which we transfer certain personal information. We take measures to destroy or permanently de-identify personal information if required by law or the personal information is no longer required for the purpose for which we collected it. In addition, access to personal data is restricted only to those who have a legitimate business need and data processed by third parties is only done so under strict instruction from Macgregor, as per the terms of their contract. Procedures are in place to ensure breaches, or suspected breaches, are dealt with in a timely and secure manner and applicable notification applied within the required timeframes.
- Updating this Privacy Notice
Macgregor reserve the right to amend and update this Privacy Notice when required therefore it is advisable you review this notice at regular intervals.
Macgregor Anti Money Laundering Statement
In addition to providing you with a property related service we are obliged to comply with certain regulations, such as, the “Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (referred to as “the Regulations).” In order to comply with these regulations, Macgregor and other subsidiaries are required to obtain certain information from you. The information provided will only be used by Macgregor. in relation to complying with the Regulations and will not be shared with any other party outside of the companies wholly owned by Macgregor. unless we are required to do so under law. We will require two separate Identification documents (one primary and one secondary) even if it appears on both lists. The information may be required at various stages of the process depending whether you are purchasing or selling.
Primary documents – proof of ID
- Valid Passport with MRZ
- Valid full UK photo driving licence
- Valid full UK Driving licence (Non photo, paper) issued before 1998
- Valid EU/EEA/Switzerland photo driving licence.
- Valid EU/EEA/Switzerland national Identity Card.
- Valid UK Armed Forces ID Card.
- Valid UK Biometric Residence Permit (copy of both sides.)
- Valid Blue disabled drivers pass. (With photo)
- Valid Freedom Pass
- Valid Local Authority Bus pass.
- Department for Works & Pensions letter confirming pension details including National Insurance Number dated within the last 12 months.
Secondary documents – proof of residence
- Valid full UK photo driving licence.
- Valid full UK Driving licence (Non photo, paper) issued before 1998
- Local authority council tax bill (dated within the last 12 months).
- UK Bank / Building societies statements/bills showing activity, dated within the last six months. Including account number and sort code. (Internet printed acceptable.)
- UK mortgage statement (dated within the last 12 months.) (Internet printed acceptable.)
- Utility bill dated within the last 6 months including – Electricity bill (with MPAN number), Landline, Gas, Satellite TV, Water. (Internet printed acceptable.) (Not mobile phone bills.)
- Her Majesty’s Revenue and Customs (HMRC) Inland Revenue (IR) Coding / assessment / statement (dated within the last 12 months) with National Insurance number.
- Department for Works & Pensions letter confirming pension details and NI Number. (Dated within the last 12 months) Macgregor reserve the right to employ third party electronic verification for the purpose of verifying identity. This search will not affect your credit rating.