Data Processing Addendum

For Customer Data containing personal data — such as tenant and applicant records — the Customer is the controller and The Letting Desk is the processor. Each party will comply with its obligations under UK data protection law in respect of its role.

The Letting Desk will process personal data only on the Customer’s documented instructions, including as set out in this DPA and the Terms of Service, and as necessary to provide and support the Service. The Letting Desk will inform the Customer if, in its opinion, an instruction infringes UK data protection law.

Subject matter and duration

The provision of HMO property management services for the duration of the Customer’s subscription, plus any agreed retention period.

Nature and purpose

Hosting, storage, organisation, retrieval, transmission and deletion of personal data to enable the Customer to manage properties, tenancies, rent, compliance, maintenance and communications.

Categories of data subjects

Tenants, prospective tenants and applicants, guarantors, property owners, suppliers, and the Customer’s own staff and users.

Types of personal data

Contact details, tenancy and property details, financial and rent payment information, correspondence, and compliance-related records.

The Letting Desk will ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations and have received suitable data protection training.

The Letting Desk will implement appropriate technical and organisational measures to protect personal data, taking into account the state of the art and the risks of processing. These include:

• encryption of data in transit and at rest where appropriate;
• role-based access controls and the principle of least privilege;
• logging, monitoring and regular review of security controls; and
• resilience, backup and recovery measures.

The Customer provides general authorisation for The Letting Desk to engage sub-processors to support the Service, such as cloud hosting, payment processing, and email delivery providers. The Letting Desk will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. We will give the Customer reasonable notice of any intended change to sub-processors so the Customer may object on reasonable data protection grounds.

Taking into account the nature of the processing, The Letting Desk will provide reasonable assistance to the Customer through appropriate technical and organisational measures to help the Customer respond to requests from data subjects exercising their rights under UK GDPR.

The Letting Desk will provide reasonable assistance to the Customer with data protection impact assessments and prior consultation with the ICO where required. The Letting Desk will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data, and will provide information reasonably necessary to enable the Customer to meet its own notification obligations.

Where processing involves transferring personal data outside the UK, The Letting Desk will ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement or the UK addendum to the EU Standard Contractual Clauses.

On termination or expiry of the Service, The Letting Desk will, at the Customer’s choice, delete or return the personal data it processes on the Customer’s behalf, and delete existing copies unless retention is required by law. The Customer may export its data during the retention window described in the Privacy Policy.

The Letting Desk will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits conducted by the Customer or an appointed auditor, subject to reasonable confidentiality and security safeguards.

Questions about this DPA or our data processing practices can be sent to support@thelettingdesk.com.