GDPR Policy

Homeflo is committed to providing a quality service for its members and working in an open and accountable way that builds the trust and respect of all.

Last updated on 5th December, 2020

About this Policy

What is Personal Data

This policy relates to ‘personal data’. Personal data means any information relating to an identified or identifiable natural person ("Data Subject") who may be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online information (e.g. an IP address) or to one or more factors relating to that person.

Sensitive Personal Data is any data which by its nature is particularly sensitive including personal data relating to or including racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data Processing Principles

Under Article 5(2) of the GDPR, we are required to be able to demonstrate compliance with the data protection principles.

The data protection principles are:

How we ensure that data is processed fairly

Privacy Notices

Authority for Processing Data

Sensitive Personal Data



Data Subject Rights

Data Subjects are entitled to the following rights and we agree to honour those rights and comply with requests made by data subjects under those rights:

We are required to provide data subjects with a reasonable access mechanism to enable them to access their personal data and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law.

When requests to access, correct, amend or destroy personal data records are received, the data protection manager must ensure that these requests are handled within a reasonable time frame. The data protection manager must also record the requests and keep a log of these.

Transfer of Data to Third Parties

If we are using any third-party supplier or business partner to process personal data on our behalf, the data protection manager is responsible for ensuring that the processor has agreed to adopt security measures to safeguard personal data that are appropriate to the associated risks.

We will also require in the contract with that supplier that:

If we are processing personal data jointly with an independent third party, we must explicitly agree with that third party our and their respective responsibilities in the relevant contract.

Transfer of Data outside of the EEA

Before transferring personal data out of the European Economic Area (EEA), we must ensure that adequate safeguards are in place, which may include the signing of a relevant agreement or ensuring that an adequacy notice is in place.

Before transferring personal data outside of the EEA you must check with the data protection manager whether or not the relevant transfer meets relevant requirements.

Data Retention

Data Retention Schedule

Please note that these are default retention periods and there may be circumstances in which the records are kept for a shorter or longer period.

Data Security

The need to ensure that personal data is kept securely means that precautions must be taken against loss or damage of data. Accordingly, both access and disclosure must be restricted.

We will take steps to ensure that there are adequate technical measures to secure personal data held by us and the [IT manager] will be responsible for maintaining and reviewing our technical measures. We will also take steps as an organisation to ensure that staff are aware of our and their obligations in relation to personal data generally and to take security precautions.

Employees are responsible for ensuring that they take steps to secure personal data which is under their control.

Please refer to our cyber-security policy which sets out in more detail the relevant precautions you are required to take.

All staff are responsible for ensuring that:

Data Breaches and Notification

A data breach includes but is not limited to the following:

If any member of staff learns of a suspected or actual personal data breach, it must be reported to the data protection manager immediately. The report should include full details of the incident, when the breach occurred (dates and times), the nature of the information concerned, and how many individuals are involved.

The data protection manager will perform an internal investigation and take appropriate remedial measures in a timely manner.

Where there is any risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.