In its everyday business operations Second Home Ltd makes use of a variety of data about identifiable individuals, including data about:
In collecting and using this data, the organisation is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
The purpose of this policy is to set out the relevant legislation and to describe the steps Second Home Ltd is taking to ensure that it complies with it.
This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Second Home Ltd systems.
The following policies and procedures are relevant to this document:
2 Privacy and Personal Data Protection Policy
The General Data Protection Regulation 2016 (GDPR) is one of the most significant pieces of legislation affecting the way that Second Home Ltd carries out its information processing activities. Significant fines are applicable if a breach is deemed to have occurred under the GDPR, which is designed to protect the personal data of citizens of the European Union. It is Second Home Ltd’s policy to ensure that our compliance with the GDPR and other relevant legislation is clear and demonstrable at all times.
There are a total of 26 definitions listed within the GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to this policy are as follows:
‘Personal data’ is defined as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
There are a number of fundamental principles upon which the GDPR is based.
These are as follows:
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Second Home Ltd will ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.
The data subject also has rights under the GDPR. These consist of:
Each of these rights are supported by appropriate procedures within Second Home Ltd that allow the required action to be taken within the timescales stated in the GDPR.
These timescales are shown in Table 1.
Data Subject Request
|The right to be informed||When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)|
|The right of access||One month|
|The right to rectification||One month|
|The right to erasure||Without undue delay|
|The right to restrict processing||Without undue delay|
|The right to data portability||One month|
|The right to object||On receipt of objection|
|Rights in relation to automated decision making and profiling||Not specified|
Table 1 – Timescales for data subject requests
There are six alternative ways in which the lawfulness of a specific case of processing of personal data may be established under the GDPR. It is Second Home Ltd policy to identify the appropriate basis for processing and to document it, in accordance with the Regulation. The options are described in brief in the following sections.
Unless it is necessary for a reason allowable in the GDPR, Second Home Ltd will always obtain explicit consent from a data subject to collect and process their data. The Services are not directed to children under the age of 16 and we do not knowingly collect personal information from anyone under the age of 16. Where different age limitations apply, we comply with them. Transparent information about our usage of their personal data will be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge.
If the personal data are not obtained directly from the data subject then this information will be provided to the data subject within a reasonable period after the data are obtained and definitely within one month.
Where the personal data collected and processed are required to fulfil a contract with the data subject, explicit consent is not required. This will often be the case where the contract cannot be completed without the personal data in question e.g. a membership invoice cannot be sent without an email address to deliver to.
If the personal data is required to be collected and processed in order to comply with the law, then explicit consent is not required. This may be the case for some data related to employment and taxation for example, and for many areas addressed by the public sector.
In a case where the personal data are required to protect the vital interests of the data subject or of another natural person, then this may be used as the lawful basis of the processing. Second Home Ltd will retain reasonable, documented evidence that this is the case, whenever this reason is used as the lawful basis of the processing of personal data. As an example, this may be used in aspects of social care, particularly in the public sector.
Where Second Home Ltd needs to perform a task that it believes is in the public interest or as part of an official duty then the data subject’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.
If the processing of specific personal data is in the legitimate interests of Second Home Ltd and is judged not to affect the rights and freedoms of the data subject in a significant way, then this may be defined as the lawful reason for the processing.
As an example, when personal data is collected for attending an event at Second Home, we will add attendees to our newsletter about upcoming events. How to unsubscribe, change preferences and access/update data will be clearly defined and accessible on every email communication.
Again, the reasoning behind this view will be documented.
Second Home Ltd has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.
The data protection impact assessment will include:
Use of techniques such as data minimisation and pseudonymisation will be considered where applicable and appropriate.
Second Home Ltd will ensure that all relationships it enters into that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by the GDPR. For more information, see the GDPR Controller-Processor Agreement Policy.
Transfers of personal data outside the European Union will be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time.
Intra-group international data transfers will be subject to legally binding agreements referred to as Binding Corporate Rules (BCR) which provide enforceable rights for data subjects.
A defined role of Data Protection Officer (DPO) is required under the GDPR if an organisation is a public authority, if it performs large scale monitoring or if it processes particularly sensitive types of data on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.
It is Second Home Ltd’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours . This will be managed in accordance with our Information Security Incident Response Pro cedure which sets out the overall process of handling information security incidents.
Under the GDPR the relevant DPA has the authority to impose a range of fines of up to four percent of annual worldwide turnover or twenty million Euros, whichever is the higher, for infringements of the regulations.
The following actions are undertaken to ensure that Second Home Ltd complies at all times with the accountability principle of the GDPR:
These actions are reviewed on a regular basis as part of the management process concerned with data protection.
Second Home’s buildings have CCTV installed to protect the safety of Second Home’s employees, members, and guests and their property, as well as to improve our products and services and to analyse how users navigate and use our spaces. Recordings may be accessed by Second Home in the UK, EU and US and elsewhere and may be shared with competent authorities in accordance with applicable laws (see section 2.5.3 – 2.5.5) . The recordings are retained for a limited period of time, but may be kept longer for the investigation of an incident or when competent authorities request us to retain them longer.
Privacy laws and guidelines are part of a constantly changing environment. We will notify you of material changes by e-mail or by posting a message on the relevant Services.
3 Cookies, Web Beacons, and Other Internet Technologies
A cookie is a small file that may be stored on your computer or other device. A cookie enables the entity that put the cookie on your device to recognise it across different websites, services, devices, and browsing sessions.
Our websites use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses so-called “cookies”, text files which are stored on the computer of the user and which help the website analyse how visitors use the site. The information generated by the cookies about the use of our websites will generally be transmitted to, and stored on, a Google server in the United States. On our websites, the IP-anonymization feature has been activated so that the IP address of Google users within the European Economic Area is truncated beforehand. Only in exceptional cases will the full IP address be transferred to Google in the United States and truncated there. Google will use this information on behalf of the website operator for the purpose of evaluating the use of the website by the users, compiling reports on the website activity and providing other services relating to the website activity and internet usage to the website operator. The IP address which your browser transmits in the framework of Google Analytics will not be associated with any other Google data. You may prevent the storage of the cookies by using a particular browser setting. Please note however that in this case you may not be able to fully use all the functions of our websites. Users may prevent the collection of the data generated by the cookie and related to their use of our websites (including their IP address) and its processing by Google by downloading and installing a Browser-Plugin.
Web beacons and similar technologies are small bits of code, which are embedded in web pages, advertisements, and e-mail, that communicate with third parties. We use web beacons, for example, to count the number of users who have visited a particular web page, to deliver or communicate with cookies, and to understand usage patterns. We also may include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.
There are other local storage and internet technologies, such as Local Shared Objects (also referred to as “Flash cookies”) and HTML5 local storage, that operate similarly to the cookies discussed above in that they are stored on your device and can be used to store certain information about your activities and preferences across different services and sessions. Please note that these technologies are distinct from cookies, and you may not be able to control them using standard browser tools and settings.
Our websites use these technologies for the following purposes:
Improving our services, including helping us measure and research the effectiveness of our content, features, advertisements, and other communications. For example, we measure which pages and features website visitors are accessing and how much time they are spending on our webpages. We may include web beacons in e-mails, for example, to understand whether messages have been opened, acted on, or forwarded.
Storing your sign-in credentials and preferences so that you do not have to enter those credentials and preferences every time you log on to a Service.
Helping us provide you with relevant content and advertising by collecting information about your use of our Services and other websites.
4 Questions or Comments
If you have any questions or comments regarding our Policy, please contact us at:
Effective Date: May 25th, 2018
5 Newsletter Sign-Up
This privacy notice tells you about the information we collect from you when you sign up to receive our newsletters via our websites (secondhome.io and libreria.io), or sign up for a Cultural Event via Eventbrite. In collecting this information, we are acting as a data controller and, by law, we are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.
We are not required to have a data protection officer, so any enquiries about our use of your personal data should be addressed to the contact details above.
When you subscribe to our newsletter or you sign up to one of our Cultural Events on Eventbrite, we ask you for your name and your email address.
We will use your information to send you our newsletters, which contain information about our products and events.
We ask for your consent to do this, and we will only send you our newsletter for as long as you continue to consent.
Your information is stored in our database and is not shared with any third parties. We will not use the information to make any automated decisions that might affect you.
Your information is kept for as long as you continue to consent to receive our newsletter.
By law, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate.
You can also ask for it to be erased and you can ask for us to give you a copy of the information.
You can also ask us to stop using your information – the simplest way to do this is to withdraw your consent, which you can do at any time, either by clicking the unsubscribe link at the end of any newsletter, amending your preferences, or by emailing, writing or telephoning us using the contact details above.
If you have a complaint about our use of your information, you can contact the Information Commissioner’s Office via their website at www.ico.org/concerns or write to them at:
As part of any recruitment process, Second Home collects and processes personal data relating to job applicants. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
Second Home collects a range of information about you. This includes: your name, address and contact details, including email address and telephone number; details of your qualifications, skills, experience and employment history; information about your current level of remuneration, including benefit entitlements; whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process; and information about your entitlement to work in the UK.
Second Home may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment. We may also collect personal data about you from third parties, such as references supplied by former employers. We will seek information from third parties only once a job offer to you has been made and will inform you that we are doing so. Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).
We need to process data to take steps at your request prior to entering into a contract with you. We may also need to process your data to enter into a contract with you. In some cases, we need to process data to ensure that we are complying with its legal obligations. For example, it is mandatory to check a successful applicant’s eligibility to work in the UK before employment starts.
Second Home has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
Second Home may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics. We may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. We process such information to carry out its obligations and exercise specific rights in relation to employment. If your application is unsuccessful, Second Home may keep your personal data on file in case there are future employment opportunities for which you may be suited. We will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time.
Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy. We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks.
We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
If your application for employment is unsuccessful, the organisation will hold your data on file for 6 (six) months after the end of the relevant recruitment process. If you agree to allow us to keep your personal data on file, we will hold your data on file for a further 6 (six) months for consideration for future employment opportunities. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed. You will be asked when you submit your CV whether you give us consent to hold your details for the full 12 months in order to be considered for other positions or not.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic based) and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.
As a data subject, you have a number of rights. You can:
If you would like to exercise any of these rights, please contact our HR team at firstname.lastname@example.org.
If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.
You are under no statutory or contractual obligation to provide data to Second Home during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.