1LET Privacy Notice

(reviewed April 2026)

 

At 1Let, we are committed to protecting your personal information. This notice outlines how we collect, use, and protect your data in compliance with the UK GDPR and the Data Protection Act 2018.

1. Who We Are

1Let

Address: 20a Manor Place, Edinburgh, EH3 7DS

Phone: 0131 476 5500

Email: mail@1let.com

2. Information We Collect via Website & Digital Services

We have categorised our data collection based on how you interact with our website to ensure you understand exactly what happens to your information.

A. General Newsletter Subscribers

  • Data provided: Name, email address, and subscriber type (e.g., Landlord/Tenant/General).
  • Purpose: To send news, market updates, and relevant property information.
  • Legal basis: Consent (Explicit opt-in).
  • Data Processor: Mailchimp (The Rocket Science Group LLC).
  • International transfers: Data is processed in the U.S. under Standard Contractual Clauses (SCCs).
  • Retention: Until you unsubscribe. Unsubscribed data is archived or deleted per Mailchimp’s policy.

B. Self-Managed Resources & Downloadable Documents

  • Data provided: Name, email address, and professional status.
  • Purpose: To deliver requested resources (1Let Self-Managed services/information) and provide follow-up information related to self-management.
  • Legal basis: Legitimate Interest (providing the requested resource) or Consent if you opt-in for further marketing.
  • Data Processor: Formstack (Collection) and Mailchimp (Delivery).
  • International transfers: Processed in the U.S. via SCCs.
  • Retention: 2 years from the last interaction unless you are also an active client.

C. HMO Mailing List

  • Data provided: Name, email address, and specific interest in HMO properties/regulations.
  • Purpose: To provide specialised updates regarding House in Multiple Occupation (HMO) legislation and opportunities.
  • Legal basis: Consent.
  • Data Processor: Mailchimp.
  • International transfers: Processed in the U.S. via SCCs.
  • Retention: Until you unsubscribe.

D. Rental Valuation Tool

  • Data provided: Name, email address, phone number, property address/postcode and any other details that you provide to generate an estimated rental valuation.
  • Purpose: To provide you with a free, instant rental valuation for your property and follow up with relevant services (e.g. letting advice).
  • Legal basis: Legitimate Interest (to support our core business of lettings and property services before any contract is formed).
  • Data Processor: Citylets - Privacy Policy
  • Retention: Valuation data is kept for 12 months, or until you request deletion, to allow follow-up and service improvement.

1. Booking Viewings - via 1Let website/phone call/email

Data provided: Name, contact details (email/telephone), household income, preferred move-in date, preferences, viewing availability, and any other information provided at the time of booking the viewing
Purpose: To schedule and arrange property viewings, match tenants with suitable properties, communicate availability and confirm appointments, and follow up on potential tenancies.
Legal basis: Legitimate Interest (to facilitate property rentals as core business activity) and Consent (for specific preferences and follow-up communications).
Data processor: Yes – contract/DPA in place per UK GDPR Article 28 - Reapit
Retention: 2 months after viewing (for follow-up and service improvement), or until a tenancy agreement is formed (then up to 7 years per HMRC record-keeping rules), whichever is longer. Data is securely deleted upon request.
International transfers: None. All data stays within the UK/EEA.
Link: Privacy policy | Reapit

2. Application Form for Tenants - Formstack
Data provided: Name, contact details (email/telephone), age, national insurance number, marital status, address, residential status, previous addresses, employment status, financial status, income details, financial references, proof of ID, credit checks, names/ages of children, bank details
Purpose: Tenant application form collection for tenancy referencing and approval
Legal basis: Contractual necessity (mandatory for tenancy application process)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of application process + 7 years (or 5 years if unsuccessful to defend against any accusations of discrimination)
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://www.formstack.com/privacy

3. Amiqus ID
Data provided: Name, DOB, present home address, email address
Purpose: Basic credit checks and identity verification on prospective tenants
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of application process + 5 years to defend against any accusations of discrimination.
International transfers: N/A - UK-based
Link: https://amiqus.co/policies/privacy

4. SME Professional
Data provided: Name, contact details (email/telephone), age, address, residential status, bank details
Purpose: Property management software for all tenancy communications
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

5. Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, tenancy correspondence, attachments
Purpose: Email, calendars, document storage for tenancy operations
Legal basis: Contractual necessity, legal obligation, legitimate interest
Data processor: Microsoft Corporation
Retention: Duration of relationship + 7 years
International transfers: Yes - processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

6. Pinstripe
Data provided: Name, contact details (email/telephone), address
Purpose: Check-in inventories and risk assessments
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.pinstripe.services/privacy-policy

7. Signable
Data provided: Name, email, telephone, tenant/guarantor addresses
Purpose: Electronic tenancy agreement signatures
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.signable.co.uk/privacy-policy/

8. Deposit Provider (Safe Deposit Scotland)
Data provided: Name, contact details, rental address, rent/deposit amount, tenancy dates
Purpose: Tenant deposit protection transfer
Legal basis: Legal obligation
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: http://www.safedepositsscotland.com/privacy-policy

9. Utility Providers and Edinburgh City Council
Data provided: Name, contact details, tenant address, tenancy dates, forwarding address
Purpose: Council tax and utilities transfer administration
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements
Retention: Duration of tenancy handover process + 10 years – To provide documentation in case of any issues
International transfers: N/A - UK-based
Link: N/A - public authorities

10. Just Move In (Ethical Introductions Ltd)
Data provided: Name, contact details, move-to/from addresses, tenancy details, council tax status
Purpose: Home setup services (utilities/council tax transfers)
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy transition + 1 year
International transfers: N/A - UK-based
Link: https://justmovein.com/privacy-policy

11. Mailchimp
Data provided: Name, email address, newsletter preferences
Purpose: Newsletters and property alerts (opt-in only)
Legal basis: Consent
Data processor: The Rocket Science Group LLC
Retention: While subscribed + 30 days post-unsubscribe
International transfers: Yes - US-based with Standard Contractual Clauses
Link: https://mailchimp.com/legal/privacy/

12. Debt Collectors
Data provided: Name, contact details, tenancy reference, outstanding balance, payment history
Purpose: Rent/debt recovery services
Legal basis: Contractual necessity, legitimate interest
Data processor: Confirmed via contract
Retention: Duration of recovery + 6 years
International transfers: N/A - UK-based
Link: Varies by provider

13. First-tier Tribunal (Housing and Property Chamber)
Data provided: Name, contact details, tenancy reference, payments, agreements, notices
Purpose: Tribunal dispute evidence submission
Legal basis: Legal obligation
Data processor: Public authority
Retention: Duration of proceedings + 7 years
International transfers: N/A - UK-based

14. Legal Advisors and Courts
Data provided: Name, contact details, tenancy reference, agreements, payment history
Purpose: Legal advice and court proceedings
Legal basis: Legal obligation, legitimate interest
Data processor: UK legal firms/courts
Retention: Duration of proceedings + 7 years
International transfers: N/A - UK-based

15. Law Enforcement, Regulatory Bodies, Government Authorities
Data provided: Name, contact details, tenancy reference, agreements, payment history
Purpose: Legal compliance and official requests
Legal basis: Legal obligation
Data processor: Public authorities
Retention: As required by law
International transfers: N/A - UK-based

16. Landlords (Tenants and Prospective Tenants)
Data provided: Name, contact details, tenancy reference, agreements, payment history
Purpose: Landlord tenancy approval/management
Legal basis: Contractual necessity
Data processor: Data controller (landlord)
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based

17. Tapi
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Repairs and maintenance coordination
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of works + 7 years
International transfers: N/A - UK-based
Link: https://terms.tapihq.com/privacy-policy

18. Approved Tradesmen
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Pre-approved repairs and maintenance
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements
Retention: Duration of works + 7 years
International transfers: N/A - UK-based

19. Tenant Contents Insurance Form - Insurance Provider (Howden Group)
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Tenant contents insurance quotations (tenant requested)
Legal basis: Consent
Data processor: Confirmed via contract
Retention: Duration of quotation process
International transfers: N/A - UK-based
Link: https://www.howdengroup.com/uk-en/privacy-data-protection-policy

20. Payprop
Data provided: Name, contact details, address, rent details, arrears/overpayments
Purpose: Rental payment management platform
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.payprop.com/uk/privacy

21. Propcall – Emergency Out-of-Hours Call Centre
Data provided: Name, contact details (email/telephone), address, emergency nature
Purpose: Out-of-hours property management call answering
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of emergency + 7 years
International transfers: N/A - UK-based
Link: https://propcall.com/privacy-policy/

22. Inventory Hive
Data provided: Name, contact details (email/telephone), address
Purpose: Property visits, inspections, inventories
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.inventoryhive.co.uk/privacy-policy

23. NatWest
Data provided: Name, sort code, account number
Purpose: Payroll, tenant/landlord payments, contractor invoices
Legal basis: Contractual necessity
Data processor: Confirmed via banking agreement
Retention: Duration of relationship + 7 years
International transfers: N/A - UK-based
Link: https://www.natwest.com/global/cookie-privacy.html

24. WhatsApp
Data provided: Name, contact details (telephone)
Purpose: Staff-tenant communication for property management updates and queries
Legal basis: Legitimate interest (for efficient, real-time business communication)
Data processor: Yes – WhatsApp Business Platform (Meta)
Retention: Duration of communication thread or tenancy length + 7 years (or as required by UK audit/tax laws), after which data is securely deleted.
International transfers: N/A – UK-based
Link: WhatsApp Privacy | Secure and Private Messaging

1. Landlord Application Form - Formstack
Data provided: Name, contact details (email/telephone), address, rental property address, age, proof of ID, proof of address, proof of ownership, national insurance number
Purpose: Landlord onboarding form collection for property management verification
Legal basis: Contractual necessity (mandatory for property management services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of landlord relationship + 7 years
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://www.formstack.com/privacy

2. Amiqus ID 
Data provided: Name, contact details (email/telephone), address
Purpose: Identity and proof of ownership checks on prospective/current landlords
Legal basis: Contractual necessity (required for property management onboarding)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of landlord relationship + 7 years
International transfers: N/A – UK-based
Link: https://amiqus.co/policies/privacy

3. SME Professional 
Data provided: Name, contact details (email/telephone), address, bank details
Purpose: Property management platform holding landlord data for tenancy services
Legal basis: Contractual necessity (core property management operations)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy management + 7 years
International transfers: N/A – UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

4. Signable (Landlords)
Data provided: Name, title
Purpose: Electronic tenancy agreements for landlord signature/approval
Legal basis: Contractual necessity (executing tenancy management agreements)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.signable.co.uk/privacy-policy/

5. Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, property ownership details, tenancy agreements, correspondence, attachments, documents, images
Purpose: Email, calendars, secure document storage, file sharing for landlord/tenant operations
Legal basis: Contractual necessity, legal obligation, legitimate interest
Data processor: Microsoft Corporation
Retention: Duration of relationship + 7 years
International transfers: Yes – processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

6. Utility Providers and Edinburgh City Council
Data provided: Name, contact details (email/telephone), tenant address, tenancy start/end dates, forwarding address, tenancy agreement (on request)
Purpose: Council tax and utilities transfer administration
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements
Retention: Duration of tenancy handover process + 10 years – To provide documentation in case of any issues
International transfers: N/A – UK-based

7. Just Move In
Data provided: Name, contact details (email/telephone), address
Purpose: Transferring council tax/utilities into tenant names
Legal basis: Contractual necessity (tenancy transition services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy transition + 1 year
International transfers: N/A – UK-based
Link: https://justmovein.com/privacy-policy

8. NatWest
Data provided: Name, sort code, account number
Purpose: Payroll, tenant/landlord payments, contractor invoices
Legal basis: Contractual necessity
Data processor: Confirmed via banking agreement
Retention: Duration of relationship + 7 years
International transfers: N/A – UK-based
Link: https://www.natwest.com/global/cookie-privacy.html

9. Landlord Contact Details Shared with Tenants
Data provided: Names, email addresses, phone numbers, postal addresses
Purpose: Enable tenant-landlord contact for repairs/tenancy administration (tenant request only)
Legal basis: Contractual necessity, legitimate interest
Data processor: No – direct sharing with data controller (tenant)
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based

10. Mailchimp
Data provided: Name, email address, newsletter preferences
Purpose: Newsletters/property alerts to opted-in landlords
Legal basis: Consent
Data processor: The Rocket Science Group LLC
Retention: While subscribed + 30 days post-unsubscribe
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://mailchimp.com/legal/privacy/

11. Approved Tradesmen
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Arrange repairs/maintenance (landlord-requested tradesmen contact)
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements (pre-approved trades only)
Retention: Duration of works + 7 years
International transfers: N/A – UK-based

12. Landlord Insurance Form - Insurance Provider (Howden Group)
Data provided: Name, contact details (email/telephone), rental property address and any additional details you provide (e.g. property type, tenancy status) to generate an insurance quote.
Purpose: Landlord insurance quotations (landlord requested)
Legal basis: Consent
Data processor: Yes – contract/DPA in place per UK GDPR Article 28 - Your details are securely shared with Howden Group (or similar approved insurers) to obtain quotes. We do not share beyond this without explicit permission. Formstack (our form host) also processes submissions (as per the landlord form above)
Retention: Duration of quotation process
International transfers: N/A – UK-based
Link: https://www.howdengroup.com/uk-en/privacy-data-protection-policy

13. HMRC
Data provided: Name, contact details (email/telephone), address, bank details, rental income
Purpose: Mandatory tax reporting and income information
Legal basis: Legal obligation
Data processor: Public authority
Retention: As required by tax law (minimum 6 years)
International transfers: N/A – UK-based

14. Payprop
Data provided: Name, contact details (email/telephone), address, rent details, arrears/overpayments
Purpose: Rental payment management platform
Legal basis: Contractual necessity
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.payprop.com/uk/privacy

15. Propcall – Emergency Out-of-Hours Call Centre
Data provided: Name, contact details (email/telephone), address, emergency nature
Purpose: Out-of-hours property management call answering
Legal basis: Contractual necessity
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of emergency + 7 years
International transfers: N/A – UK-based
Link: https://propcall.com/privacy-policy/

16. Inventory Hive
Data provided: Name, contact details (email/telephone), address
Purpose: Mid-tenancy visits, end-of-tenancy inspections, move-in inventories
Legal basis: Contractual necessity
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.inventoryhive.co.uk/privacy-policy

17. Inspect Real Estate (IRE)
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Management of viewing enquiries and bookings
Legal basis: Contractual necessity (property marketing services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of marketing campaign + 1 year
International transfers: N/A – UK-based
Link: https://go.reapit.com/reapit-terms-and-conditions-01-01-2024.pdf

18. WhatsApp
Data provided: Name, contact details (telephone)
Purpose: Staff-landlord communication for property management updates and queries
Legal basis: Legitimate interest (for efficient, real-time business communication with explicit landlord consent)
Data processor: Yes – WhatsApp Business Platform (Meta)
Retention: Duration of communication thread or landlord relationship + 7 years (or as required by UK audit/tax laws), after which data is securely deleted.
International transfers: N/A – UK-based
Link: WhatsApp Privacy | Secure and Private Messaging

1. Guarantor Application Form - Formstack
Data provided: Name, contact details (email/telephone), age, national insurance number, marital status, address, residential status, previous addresses, employment status, financial status, income details, financial references, proof of ID, credit checks
Purpose: Guarantor application form collection for tenancy financial underwriting
Legal basis: Contractual necessity (mandatory for tenancy approval with guarantor)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://www.formstack.com/privacy

2. SME Professional 
Data provided: Name, contact details (email/telephone), address, residential status, bank details
Purpose: Property management platform for guarantor communication and tenancy management
Legal basis: Contractual necessity (required for tenancy guarantee services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

3. Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, tenancy reference, correspondence, attachments, documents
Purpose: Email, calendars, document storage, collaboration for guarantors/tenants/landlords
Legal basis: Contractual necessity, legitimate interest
Data processor: Microsoft Corporation
Retention: Duration of relationship + 7 years
International transfers: Yes – processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

4. Amiqus ID
Data provided: Name, DOB, marital status, frequency paid, income (salary), residential status, present home address
Purpose: Basic credit checks on prospective guarantors for tenancy applications
Legal basis: Contractual necessity (required tenancy approval process)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of application + 7 years
International transfers: N/A – UK-based
Link: https://amiqus.co/policies/privacy

5. Legal Advisors and Courts
Data provided: Name, address, email address, tenancy reference, tenancy agreements, relevant documents
Purpose: Legal advice and court proceedings for tenancy disputes
Legal basis: Legal obligation, legitimate interest
Data processor: UK legal firms/courts
Retention: Duration of proceedings + 7 years
International transfers: N/A – UK-based

6. Law Enforcement, Regulatory Bodies, Government Authorities
Data provided: Name, address, email address, tenancy reference, tenancy agreements, relevant documents
Purpose: Compliance with legal/regulatory requests
Legal basis: Legal obligation
Data processor: Public authorities
Retention: As required by law
International transfers: N/A – UK-based

7. Landlords (Tenancy Approval)
Data provided: Name, address, email address, tenancy reference, tenancy agreements, relevant documents
Purpose: Landlord review/approval of guarantor details for tenancy agreements
Legal basis: Contractual necessity, legitimate interest
Data processor: Data controller (landlord)
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based

8. Utility Companies (Tenant Account Setup/Closure)
Data provided: Name, address, email address, tenancy reference
Purpose: Utility account setup/closure for tenants (landlord/tenant requested)
Legal basis: Contractual necessity, legitimate interest
Data processor: Confirmed via service agreements
Retention: Duration of tenancy + 10 years – To provide documentation in case of any issues
International transfers: N/A – UK-based

9. Signable
Data provided: Name, email address, telephone number, home address
Purpose: Electronic tenancy agreements requiring guarantor signature
Legal basis: Contractual necessity (executing tenancy agreements)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.signable.co.uk/privacy-policy/

10. Debt Collectors
Data provided: Name, contact details, tenancy reference, outstanding balance, payment history, correspondence, financial information
Purpose: Recovery of outstanding rent/debt per tenancy agreements
Legal basis: Contractual necessity, legitimate interest
Data processor: Confirmed via contract
Retention: Duration of recovery + 6 years
International transfers: N/A – UK-based

11. First-tier Tribunal (Housing and Property Chamber)
Data provided: Name, contact details, tenancy reference, rental payments, correspondence, tenancy agreements, notices
Purpose: Tribunal dispute evidence submission
Legal basis: Legal obligation, legitimate interest
Data processor: Public authority
Retention: Duration of proceedings + 7 years
International transfers: N/A – UK-based

12. WhatsApp
Data provided: Name, contact details (telephone)
Purpose: Communication/collaboration for property management updates and queries
Legal basis: Legitimate interest (for efficient, real-time business communication)
Data processor: Yes – WhatsApp Business Platform (Meta)
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: WhatsApp Privacy | Secure and Private Messaging

Neighbours
Data provided: Name, contact details (email/telephone), address
Purpose: Correspondence regarding property issues affecting neighbouring properties (noise complaints, maintenance coordination, communal repairs)
Legal basis: Legitimate interest (necessary for effective property management and neighbour relations)
Data processor: No – data collected directly by 1Let (controller)
Retention: Duration of issue resolution + 2 years
International transfers: N/A – UK-based

SME Professional 
Data provided: Name, contact details (email/telephone), address, bank details (communal repairs only)
Purpose: Property management platform storing neighbour data for property issue resolution
Legal basis: Legitimate interest (property management operations)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of issue + 2 years
International transfers: N/A – UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, correspondence, attachments, documents relating to property issues
Purpose: Email communications, document storage, collaboration for neighbour property issues
Legal basis: Legitimate interest (property management correspondence)
Data processor: Microsoft Corporation
Retention: Duration of issue + 2 years
International transfers: Yes – processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

WhatsApp
Data provided: Name, contact details (telephone)
Purpose: Communication/collaboration for property management updates, queries and communal repairs
Legal basis: Legitimate interest (for efficient, real-time business communication)
Data processor: Yes – WhatsApp Business Platform (Meta)
Retention: Duration of issue + 2 years
International transfers: N/A – UK-based
Link: WhatsApp Privacy | Secure and Private Messaging

 

1Let is committed to protecting your personal data in accordance with the UK GDPR, the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025 ["DUAA"]), and relevant Scottish legislation.

This privacy notice explains:

  • What personal information we collect about you as a member of staff
  • Why and how we process it
  • Your legal rights and how to exercise them
  • How we keep your data secure

This notice is provided in a layered format: this document provides a concise summary. More detailed policies (e.g., Data Retention Policy, Password Policy) are available on our internal SharePoint portal or on request.

1. WHERE WE GET PERSONAL INFORMATION FROM

We collect your information from the following places:

  • Directly from you
  • Employment agency
  • Referees (external or internal)

2. WHAT PERSONAL DATA WE PROCESS

We collect or use the following personal information as part of staff recruitment, administration and management:

  • Contact details (eg name, address, telephone number or personal email address)
  • Date of birth
  • National Insurance number
  • Gender
  • Photographs (eg staff ID card)
  • Copies of passports or other photo ID
  • Copies of proof of address documents (eg bank statements or bills)
  • Marital status
  • Next of kin or emergency contact details
  • Employment history (eg job application, employment references or secondary employment)
  • Education history (eg qualifications)
  • Right to work information
  • Details of any criminal convictions (eg DBS checks)
  • Political, conflict of interest or gift declarations
  • Security clearance details (eg basic checks and higher security clearance)
  • Performance records (eg reviews, disciplinary records, complaints or disciplinary action)
  • Training history and development needs
  • Monitoring employees’ IT use
  • General health and wellbeing information
  • Job role and employment contract (eg start and leave dates, salary, changes to employment contract or working patterns)
  • Time spent working (eg timesheets or clocking in and out)
  • Expense, overtime or other payments claimed
  • Leave (eg sick leave, holidays or special leave)
  • Maternity, paternity, shared parental and adoption leave and pay
  • Pension details
  • Bank account details
  • Payroll records
  • Tax status

3. LAWFUL BASIS FOR PROCESSING

Our lawful bases for collecting or using personal information as part of staff recruitment, administration and management are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. For more information on our use of legitimate interests as a lawful basis, you can contact us using the contact details set out above.
  • Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

Our lawful bases for collecting or using personal information as part of managing salaries and pensions are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Our lawful bases for collecting or using personal information as part of managing staff health and wellbeing are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

4. DATA SHARING & THIRD-PARTY PLATFORMS

In some circumstances, we may share information with the following organisations:

  • Training suppliers
  • HMRC
  • Employee benefit schemes
  • Health and benefit suppliers
  • External auditors
  • Suppliers and service providers
  • Professional consultants

5. DATA PROCESSORS

We use the following data processors for the following reasons:

  • Employment Hero – HR management system: personnel files, leave, performance records – Contract + Legitimate interests – Employment Hero Privacy Policy
  • Microsoft 365 (SharePoint/Teams) – Internal document storage, collaboration, email – Contract + Legitimate interests – Microsoft Privacy Statement
  • Whitelaw Wells – External payroll processing: salary, tax, bank details – Legal obligation + Contract – Whitelaw Wells Privacy
  • NEST – Workplace pension enrolment and contributions – Legal obligation (Pensions Act 2008) – NEST Privacy Policy
  • HMRC & Statutory Bodies – Tax reporting, right to work checks, statutory payments – Legal obligation – HMRC Privacy Notice
  • Finance Contractors – Payroll administration, expense processing – Contract + Legitimate interests – Provided on request (bound by Data Processing Agreement)
  • ICELANTIC – IT services and support: employee email hosting, system access management, cybersecurity monitoring – Contract + Legitimate interests – ICELANTIC IT Privacy Policy
  • Gravitate HR – HR consulting and support: employee relations, policy development, compliance advice – Contract + Legitimate interests – Gravitate HR Privacy Policy
  • Occupational Health Providers – Fitness for work assessments, reasonable adjustments – Explicit consent + Legal obligation – Provided on request
  • Legal Advisors – Defence of legal claims, employment disputes – Legitimate interests + Legal obligation – Provided on request

All third-party processors are bound by written Data Processing Agreements (DPAs) compliant with UK GDPR Article 28, requiring them to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Assist us in responding to data subject requests
  • Delete or return data at the end of the contract

6. INTERNATIONAL DATA TRANSFERS

Some of our service providers (e.g., cloud platforms) may process your data outside the UK. Where this occurs:

  • USA: Transfers are made to providers certified under the UK Extension to the EU-U.S. Data Privacy Framework. This ensures the level of protection for your data is not materially lower than under UK GDPR.
  • Other Countries: We use International Data Transfer Agreements (IDTAs) approved by the ICO, accompanied by a Transfer Risk Assessment (TRA) to confirm safeguards are in place.

We maintain a record of all international transfers and review them annually. For further details, contact our Data Protection Lead.

Following the Data (Use and Access) Act 2025, the UK applies a "data protection test" for international transfers: protection must not be materially lower than UK standards. See ICO guidance (January 2026) for details.

7. DATA RETENTION

We retain your personal data only for as long as necessary for the purposes for which it was collected, in line with the storage limitation principle (UK GDPR Article 5(1)(e)) and Scottish law.

  • Employment Records (contract, appraisals, disciplinary): 6 years after employment ends – Best practice to cover limitation periods for civil claims under the Prescription and Limitation (Scotland) Act 1973 (5 years for contract; 6 years adopted for consistency with UK-wide HR practice) – Secure digital deletion + certificate of destruction for paper
  • Recruitment Records (Unsuccessful): 1 year after the recruitment decision – Legitimate interests: To defend potential discrimination claims. – Secure digital deletion
  • Recruitment Records (With Consent): Up to 2 years – Consent: To keep the candidate on file for future vacancies. – Secure digital deletion
  • Payroll, Tax, Pension Records: 6 years after end of relevant tax year – HMRC requirements (TMA 1970, s. 12B) – Secure deletion
  • Right to Work Documentation: Duration of employment + 2 years – Immigration Act 2014; Home Office guidance – Secure deletion
  • Health & Safety / Accident Records: 3 years from date of incident (or longer if claim anticipated) – Limitation period for personal injury claims in Scotland (3 years from date of knowledge) – Secure deletion
  • RIDDOR-Reportable Incidents: Minimum 3 years – Health and Safety at Work etc. Act 1974 – Secure deletion
  • Dead Files (Paper/Digital): Checked every 12 months – 1Let Internal Policy: Securely destroyed if no longer required. – Shredding / Scotwaste collection

Annual Review: Our Data Protection Lead conducts an annual audit of data holdings against this schedule. Automated alerts in our HR/IT systems flag records approaching retention limits.

8. YOUR DATA PROTECTION RIGHTS

Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you (Subject Access Request) – Email ken@1let.com with proof of identity
  • Right to Rectification: Request correction of inaccurate or incomplete data – Contact your manager or Data Protection Lead
  • Right to Erasure: Request deletion of your data (in limited circumstances, e.g., where consent was the basis and withdrawn) – Submit a request to the Data Protection Lead
  • Right to Restriction: Request we temporarily stop processing your data (e.g., while accuracy is verified) – Email ken@1let.com
  • Right to Data Portability: Receive your data in a structured, machine-readable format (where processing is based on consent/contract and by automated means) – Request via email
  • Right to Object: Object to processing based on legitimate interests or Recognised Legitimate Interests – Submit objection to Data Protection Lead; we will cease processing unless compelling grounds override
  • Rights in Relation to Automated Decision-Making: Request human review of decisions made solely by automation with legal/significant effects – Contact Data Protection Lead immediately
  • Right to Withdraw Consent: Withdraw consent at any time where processing relies on consent (does not affect prior lawful processing) – Notify your manager or Data Protection Lead

Response Times: We will respond to all requests within one calendar month. Under the DUAA 2025, this period may be paused ("stop the clock") if we reasonably require further information to verify your identity or locate your data. We will inform you if an extension is needed.

No Fee: Exercising your rights is free of charge, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act).

9. AUTOMATED DECISION-MAKING & PROFILING

We may use automated systems or Artificial Intelligence (AI) to support HR processes (e.g., initial CV screening, productivity analytics). However:

Human Oversight: No significant decision affecting your employment (e.g., recruitment, promotion, disciplinary action, termination) is made solely by automated means without meaningful human review.

Transparency: Where automated tools are used, you will receive meaningful information about the logic involved and the significance of the processing.

Your Safeguards: You have the right to:

  • Make representations about an automated decision
  • Request human review of the outcome
  • Contest the decision

Following the Data (Use and Access) Act 2025, restrictions on solely automated decisions with legal or similarly significant effects apply only where special category data (e.g., health information) is processed. All our significant employment decisions involve human judgment.

10. HOW TO EXERCISE YOUR RIGHTS OR MAKE A COMPLAINT

10.1 Contact Us Directly

To exercise any right or raise a concern:
Email: ken@1let.com
Phone: 0131 476 5500
Post: 20a Manor Place Edinburgh EH3 7DS

10.2 Complaints Procedure (DUAA 2025 Compliant)

If you believe we have not complied with data protection law, email ken@1let.com with "GDPR Complaint" in the subject line.

We will:

  • Acknowledge receipt promptly (typically within 3 working days)
  • Investigate thoroughly and provide a substantive response without undue delay
  • Inform you of the outcome and any actions taken

10.3 Escalate to the Regulator

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk/concerns
Phone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Note: The ICO remains the UK's independent regulator for data protection. The Data (Use and Access) Act 2025 updated its governance but did not change its name or core functions.

11. ADDITIONAL INFORMATION

11.1 Provision of Data: Statutory & Contractual Requirements

Provision of certain personal data (e.g., National Insurance number, right to work documentation, bank details) is a statutory or contractual requirement for employment. Failure to provide this information may prevent us from entering into or performing your employment contract, or complying with legal obligations (e.g., tax reporting).

11.2 Data Obtained from Third Parties

Where we obtain personal data about you from third parties (e.g., employment references, qualification verification, background checks), we will provide you with this privacy information:

  • Within one month of obtaining the data, OR
  • At the time of first communication with you, OR
  • Before disclosing the data to another recipient
    (whichever is earliest)

11.3 Children and Young Workers

Where we employ staff under the age of 18, we take account of their specific needs and ensure privacy information is provided in clear, age-appropriate language, in line with our duties under the Data (Use and Access) Act 2025.

11.4 Data Protection by Design and Default

We embed data protection considerations into the design of our HR systems, processes, and policies. By default, we ensure that only personal data necessary for each specific purpose is processed, and that appropriate technical and organisational measures (e.g., encryption, access controls, staff training) are implemented.

11.5 Policy Review & Updates

This notice is reviewed annually or following significant changes to our processing activities, technology, or the law. The latest version is always available on our internal SharePoint portal. Staff will be notified of material changes via email and team briefings.

12. SPECIFIC PROVISIONS FOR JOB SEEKERS

12.1 Sources of Data

We collect data from you via your application, CV, and interview. We may also obtain data from third parties, such as recruitment agencies, LinkedIn, or designated referees.

12.2 Purpose of Processing

Your data is processed solely to:

  • Assess your suitability for the role.
  • Communicate with you during the recruitment process.
  • Comply with legal requirements (e.g., Right to Work checks).

12.3 Pre-Employment Screening

If we make a conditional offer, we will conduct background checks (e.g., criminal record checks via Disclosure Scotland, qualification verification). We will always inform you before initiating these checks.

13. SPECIFIC PROVISIONS FOR EX-EMPLOYEES

13.1 References

After your employment ends, 1Let will typically provide a standard reference (confirming job title and dates of employment) to future employers or landlords. We process this under Legitimate Interests. If a detailed character reference is requested, we will seek your consent before disclosure.

13.2 Post-Employment Access

Ex-employees retain the Right of Access to their personnel records for the duration of the 6-year retention period. Requests should be directed to the Data Protection Lead (ken@1let.com).

13.3 "The Right to be Forgotten"

While you have the right to request erasure, please note that 1Let will generally decline requests to delete core employment records (contracts, payroll, disciplinary) until the 6-year period has elapsed. This is to ensure we can comply with our legal duties and defend against potential legal claims.

3. Data Retention

Tenant/Landlord Files

  • Applicants for properties: Five years – To defend any accusations of discrimination
  • Housing Benefit notifications: Duration of tenancy – For reference
  • Tenancy files: Duration of tenancy – For reference
  • Former tenants' files (key information): Five years after lease termination – In case of legal action
  • Financial records/invoices: 6 years from the end of the tax year to which they relate – Taxes Management Act 1970
  • Tenancy agreement: Ten years – In case of legal action or historic utility/council tax disputes
  • Correspondence about landlord's or tenant's complaint: Five years – To defend any FTT actions – Letting Agent Code of Practice
  • Council Tax records: Ten years – To provide documentation in case of any issues
  • Utilities: Five years – To provide documentation in case of any issues
  • Anti-social behaviour case files: Five years/end of legal action – In case of legal action

Property Safety

  • Gas Safety Record: Two years – Gas Safety Regulations 1998 (as amended 2018). If using flexible timing, keep until two further checks done
  • EICR: Six years – Scottish Government Guidance on Electrical Installations and Appliances in Private Rented Property

Employment

  • Recruitment Files: One year – To defend any accusations of discrimination
  • Personnel Files (including Training): 6 years after employment ceases (note: unreasonable to refer to expired warnings after two years) – To defend any actions
  • Payroll Records: 6 years from the end of the tax year to which they relate – Taxes Management Act 1970
  • Records relating to working time: Two years from the date they were made – The Working Time Regulations 1998 (SI 1998/1833)
  • Accident books and records and reports of accidents: Three years after the date of the last entry (or until age 21 if involving child/young adult) – RIDDOR 1995 (SI 1995/3163) and Limitation Act 1980

4. Security & International Transfers

We use industry-standard encryption and secure servers. Where data is transferred outside the UK/EEA (e.g., to Mailchimp or Microsoft in the U.S.), we ensure high-level protection through Standard Contractual Clauses to guarantee your data receives the same level of protection as it does within the UK.

5. Your Rights Under UK GDPR

You have important rights regarding your personal data processed by 1Let. We'll respond to your requests within one month (extendable to three months for complex cases, with notification).

Your 8 Key Rights:

  • Access your personal data (Subject Access Request)

  • Rectify inaccurate or incomplete data

  • Erase your data ("right to be forgotten") where applicable

  • Restrict processing while disputes are resolved

  • Portability – receive your data in a structured format

  • Object to processing (including marketing)

  • Withdraw consent anytime (where processing relies on consent)

  • Challenge automated decisions/profiling

How to Exercise Your Rights

Contact our Data Protection Lead:
Ken Bell
Email: ken@1let.com
Phone: 01314765500
Address: 1Let Ltd, 20a Manor Place, Edinburgh

What happens next:

  1. We'll verify your identity (for security)

  2. Acknowledge your request within 5 working days

  3. Provide a full response within 1 month (free of charge)

  4. For complex requests: Update you on progress and expected completion

6. Complaints Process

Not happy with our response? Contact us first – we'll resolve most issues directly.

Still unsatisfied? Lodge a complaint with the Information Commissioner's Office (ICO):

No charge for rights requests or complaints.