OAKRIDGE PRIVACY NOTICE JUNE 2018
Oakridge Group Limited is a privately owned property company based in
Dalkeith. The company is registered in Scotland with Company Number
SC381569 and has its registered office at 7A Dundas Street, EH3 6QG.
General Statement of Duties
Data Protection Law (the Data Protection Act 1998, the General Data
Protection Regulation (EU) 2016/679 and the Data Protection Act 2018, as
amended or superseded) places duties on organisations and individuals to
process personal information fairly and lawfully.
Oakridge Group Limited (‘the Company’) processes personal data of clients,
prospective clients, as well as employees and others involved with the
Company, as part of its operation and shall take all reasonable steps to do
so in accordance with this Notice. Processing may include obtaining,
recording, holding, disclosing, destroying or otherwise using data. In this
Notice any reference to clients includes current, past or prospective
Responsibility for Data Protection
The Company will endeavour to ensure that all personal data is processed by
its employees in accordance with this Notice and in compliance with Data
Protection Law. Any queries about this Notice and data protection should be
directed to the Finance Manager; Myra Amer, Oakridge Group Ltd, 17
Hardengreen Business Centre, Dalhousie Road, Eskbank, EH22 3NX,
The Company shall comply with the Data Protection Principles (‘the
Principles’) contained in Data Protection Law to ensure all data is:
- Processed lawfully, fairly and in a transparent manner (Lawfulness,
Fairness and Transparency).
- Collected only for specified, explicit and legitimate purposes (Purpose
- Adequate, relevant and limited to what is necessary in relation to the
purposes for which it is Processed (Data Minimisation).
- Accurate and where necessary kept up to date (Accuracy).
- Not kept in a form which permits identification of Data Subjects for
longer than is necessary for the purposes for which the data is
Processed (Storage Limitation).
- Processed in a manner that ensures its security using appropriate
technical and organisational measures to protect against unauthorised
or unlawful Processing and against accidental loss, destruction or
damage (Security, Integrity and Confidentiality).
The Company is responsible for and must be able to demonstrate compliance
with the Principles listed above (Accountability)
Types of Personal Data
Personal data is information from which a living individual can be
identified either directly or indirectly when taken together with other
information held by the Company. Personal data covers both facts and
opinions about an individual.
The Company may process a wide range of personal data of clients,
prospective clients, employees and others as part of its operation. This
personal data may include (but is not limited to); names and addresses,
bank details, employment records, references, and peoples images.
Processing Personal Data
The Company will need to carry out this processing in order to fulfil its
legal rights, duties or obligations – including those pursuant to contract
with its employees.
Other uses of personal data will be made in accordance with the Company’s
legitimate interests, or the legitimate interests of third parties,
provided that these are not outweighed by the impact on the individuals
concerned, and provided it does not involve special or sensitive types of
personal data. The Company expects that the following uses of personal data
may fall within that category of its “legitimate interests”:
- to inform clients or prospective clients of forthcoming developments
that might be of interest to them;
- for marketing purposes of properties that Oakridge Group Limited is
- to give and receive information and references about past, current and
prospective employees to/from other employers;
- to enable employees to take part in national or other assessments or
professional development training;
- to monitor use of the Company’s IT and communications systems;
- to fulfil its duty to HMRC and other national regulatory bodies and
give and receive information about past and current employees;
- to comply with requests from legal authorities on the completion of
sales; which includes but is not limited to Midlothian Council, Lothian
Valuation and Joint Board and the electricity, gas and water suppliers;
- to comply with all regulatory bodies;
- to enable the sale and purchase of properties in which the company has
or wishes to acquire an interest;
- to instruct lawyers to act on behalf of the Company in sale or purchase
of properties in which the company has an interest.
- to protect and safeguard the Company assets and meet any insurance
Sensitive Personal Data
The Company may, from time to time, be required to process sensitive
personal data regarding a client, prospective client, or employee and
others involved with the Company. Sensitive personal data includes medical
information, bank details and data relating to religion, race, or criminal
records and proceedings. Where sensitive personal data is processed by the
Company, the explicit consent of the appropriate individual will generally
be required in writing unless another condition for processing under Data
Protection Law is met, for example where disclosure is necessary for the
purposes of exercising or performing any right or legal obligation in
relation to employment; is necessary for the purpose of establishing,
exercising or defending legal rights; or is necessary for the exercise of
any function conferred on the Company by law.
The Company may, from time to time, need to share personal data relating to
clients, prospective clients, employees and others involved with the
Company with third parties. In considering whether to share personal data
the Company must first establish who is requesting the personal data and
for what purpose. In determining whether data should be shared with any
third party, the Company will consider the provisions of Data Protection
law and where relevant refer to Data Sharing checklists produced by the
Information Commissioner’s Office. The Company will consider the following:
- necessary and proportionate – how much information is needed and
whether the amount of information to be shared is proportionate to that
need and the level of risk attached to sharing the information,
- relevant – only information that is relevant will be shared with those
who need it,
- adequate – information must be of sufficient quality that it can be
understood and relied upon,
- accurate – information must distinguish between fact and opinion and
must be accurate and up to date,
- timely – the need for urgency must be considered and balanced with the
risk of delay in obtaining consent,
- secure – the means of sharing information must be secure and confined
to those for whom the information is intended
- recorded – decisions to share information or not to do so must be
recorded, with reasons given and a record taken of whom the information
has been shared with.
The Company may receive requests from third parties to disclose personal
data it holds about clients, prospective clients, employees or others. The
Company confirms that it will not generally disclose information unless the
individual has given their consent or one of the specific exemptions under
the Legal Framework applies. The Company will disclose such personal data
as is necessary to third parties for the following purposes:
- To give a confidential reference relating to a current or past employee
to any prospective employer.
- To instruct lawyers in the sale or purchase of properties in which the
Company has or wishes to acquire an interest.
- To HMRC and other regulatory bodies pursuant to a legal duty to
Rights of Access
Subject access request under Data Protection Law
Under Data Protection Law, individuals have a right of access to their
personal data processed by the Company (a subject access request or SAR).
Any individual wishing to access their personal data should put their
request in writing to the Finance Manager. The Company will endeavour to
respond to any such written requests as soon as is reasonably practicable.
Where appropriate the Company may require confirmation of identity (e.g.
passport copy), a signed mandate authorising a representative to exercise
the right on another’s behalf; or further information to locate the
requested personal data.
You should be aware that certain personal data is exempt from the right of
access under the Legal Framework. This may include information which
identifies other individuals or information which is subject to legal
The Company will also treat as confidential any reference given by the
Company for the purpose of the training or employment, or prospective
training or employment of any employee. The Company acknowledges that an
individual may have the right to access a reference relating to them
received by the Company. However, such a reference will only be disclosed
if such disclosure will not identify the source of the reference or where,
notwithstanding this, the referee has given their consent or if disclosure
is reasonable in all the circumstances.
As well as the right to access, individuals have the following rights under
Data Protection Law in relation to the processing of their personal data:
- The right to request that inaccurate data held about them is rectified
- The right to request the erasure of personal data
- The right to restriction of processing
- The right to object to processing, and
- The right to data portability.
Where the Company is relying on consent as a means to process personal
data, an individual may withdraw this consent at any time. Please be aware
however that the Company may have another lawful reason to process the
personal data in question without an individual’s consent. That reason will
usually have been asserted under this Notice, or may otherwise exist under
some form of contract or agreement with the individual (e.g. an employment
contract, or because a purchase of goods, services or membership of an
organisation has been requested).
For more information and guidance about any of these rights individuals
should go to the website of the Information Commissioner’s Office at https://ico.org.uk/.
The rights under Data Protection Law are the individual’s to whom the data
relates. Where consent is required, the Company will rely on the consent of
the individual to whom the data relates.
Use of Personal Information by the Company for promotional/marketing
The Company will, from time to time, make use of personal data relating to
clients or prospective clients in the following ways;
- For marketing or promotional purposes;
- To maintain relationships with clients or prospective clients or
maintaining contact with clients or prospective clients for marketing
or promotional purposes;
In these circumstances the Company will obtain specific consent to the
processing of relevant personal data.
The Company will endeavour to ensure that all personal data held in
relation to an individual is accurate. Individuals should notify the
Company of any changes to information held about them.
The Company will take reasonable steps to ensure that employees will only
have access to personal data relating to clients, prospective clients,
employees and others where it is necessary for them to do so. The Company
have put in place appropriate technical and organisational measures to
ensure the security of personal data about individuals. The Company has
information security measures in place to prevent unauthorised access to or
loss of personal data. Employees will be made aware of these measures and
their duties under Data Protection Law, including through regular training.
The Company will only retain personal data as long as necessary or for
historical or statistical archive purposes as permitted by the Legal
Framework. The Company’s data retention periods are informed by the
Company’s relevant legal obligations. All personal data will be disposed of
If an individual believes that the Company has not complied with this
Notice or acted otherwise than in accordance with Data Protection Law, they
should notify the Finance Manager giving details of their complaint and
what they expect from the Company to resolve the issue. A referral can also
be made, or a complaint can be lodged, with the Information Commissioner’s
Office (ICO), although the ICO recommends that steps are taken to resolve a
matter where possible directly, before involving the ICO.
This Notice will be reviewed annually by the Company.