I recently experienced this with my letting agent.
In the process of reviewing my tenancy extension document I noticed a specific GDPR clause.
The clause stated:
“GENERAL DATA PROTECTION REGULATION (GDPR)
Information supplied by the landlord and the Tenant will be held in accordance with General Data Protection Regulation (EU 2016/679) (GDPR) and any UK national implementing laws and / or any UK legislation, secondary legislation, or regulations as may be implemented, amended or updated from time to time (“Data Protection Laws”). This Information may be used or shared with utility providers, utility notifiers, local authorities, and credit reference providers for account administration, including debt tracing and collection, credit, insurance and rental decisions, legal advisers, contractors, any other interested third party, HMRC or any person investigating a crime. The Landlord’s Agent may in certain circumstances record special categories of data, as defined in the GDPR. Any party is entitled to ask for a copy of any information held. Information may be amended upon request if it is found to be incorrect.”
This is an example of clauses that have been introduced since the advent of GDPR. Before working at MyLife Digital I would have happily signed an agreement containing this exact statement, mostly because I did not understand it.
However, with my newfound knowledge, I realised I had to ask questions to ensure I had clarity around the use of my data.
My two questions were:
- What was the purpose of “Other Interested Third Parties” given they had basically listed interested parties already?
- Why was a letting agency required to collect special categories of data?
(As a reminder, special categories of data include ethnic origin, health, sexual orientation and a few others outside of the general name and address which can be found on the ICO site here).
My journey to those answers was very enlightening but a somewhat stressful experience. After several dozen email exchanges which included the responses “It’s an ARLA approved standard agreement”. “You signed the same thing last year” and “It’s a GDPR requirement” we finally reached an impasse where I was asking the agent to remove two points before I signed, but the agency were refusing to make amendments to their clause with no clear reason why they had to remain.
At this point I felt my only choices were to sign away all information about myself, to be shared with people I had no visibility of, or to vacate my rental property. At that moment in time I was seriously considering moving out of the property. I decided I had to find out what information it was that they were collecting, so I made a formal data request.
Suddenly, it was like I had said some magic words, I received a new response which had clearly been provided by the compliance department. The reply contained exactly the information I was looking for, they were collecting my data for legal purposes only, the special categories of data related to potential disability in the event it needed to be considered and catered for in the property I was renting.
It had taken countless emails and much stress, but we finally got to the actual permission consent they were asking for and it was perfectly reasonable use of my data.
Customers should not have to go through so many hoops to get an answer to the questions, what data about me are you collecting? And for what purpose?
We should not have to rely on a specialist group to share that information with customers. All organisations should lead with data transparency, to reinforce trust.
Consentric is designed to structure requests for consent, driven by the concepts of what is the data and purpose, enabling companies to communicate in terms anyone can understand.
For more information about Consentric please visit https://mylifedigital.co.uk/consent-preference-management/