1LET Privacy Notice

(reviewed March 2026)

 

At 1Let, we are committed to protecting your personal information. This notice outlines how we collect, use, and protect your data in compliance with the UK GDPR and the Data Protection Act 2018.

1. Who We Are

1Let

Address: 20a Manor Place, Edinburgh, EH3 7DS

Phone: 0131 476 5500

Email: mail@1let.com

2. Information We Collect via Website & Digital Services

We have categorised our data collection based on how you interact with our website to ensure you understand exactly what happens to your information.

A. General Newsletter Subscribers

  • Data provided: Name, email address, and subscriber type (e.g., Landlord/Tenant/General).
  • Purpose: To send news, market updates, and relevant property information.
  • Legal basis: Consent (Explicit opt-in).
  • Data Processor: Mailchimp (The Rocket Science Group LLC).
  • International transfers: Data is processed in the U.S. under Standard Contractual Clauses (SCCs).
  • Retention: Until you unsubscribe. Unsubscribed data is archived or deleted per Mailchimp’s policy.

B. Self-Managed Resources & Downloadable Documents

  • Data provided: Name, email address, and professional status.
  • Purpose: To deliver requested resources (1Let Self-Managed services/information) and provide follow-up information related to self-management.
  • Legal basis: Legitimate Interest (providing the requested resource) or Consent if you opt in for further marketing.
  • Data Processor: Formstack (Collection) and Mailchimp (Delivery).
  • International transfers: Processed in the U.S. via SCCs.
  • Retention: 2 years from the last interaction unless you are also an active client.

C. HMO Mailing List

  • Data provided: Name, email address, and specific interest in HMO properties/regulations.
  • Purpose: To provide specialized updates regarding House in Multiple Occupation (HMO) legislation and opportunities.
  • Legal basis: Consent.
  • Data Processor: Mailchimp.
  • International transfers: Processed in the U.S. via SCCs.
  • Retention: Until you unsubscribe.

3. Data Retention

  • Tenants/Landlords: We retain your data for the duration of your contract and for 7 years thereafter to comply with HMRC and legal requirements.
  • Prospective Clients (Not converted): Data is retained for 1 year from the last contact unless you have opted into a mailing list.
  • Enquiries (Viewings): Data is held for 6 months post-viewing unless a tenancy is progressed.
  • Unsuccessful applicant: Data is retained for

4. Security & International Transfers

We use industry-standard encryption and secure servers. Where data is transferred outside the UK/EEA (e.g., to Mailchimp or Microsoft in the U.S.), we ensure high-level protection through Standard Contractual Clauses to guarantee your data receives the same level of protection as it does within the UK.

5. Your Rights Under UK GDPR

You have important rights regarding your personal data processed by 1Let. We'll respond to your requests within one month (extendable to three months for complex cases, with notification).

Your 8 Key Rights:

  • Access your personal data (Subject Access Request)

  • Rectify inaccurate or incomplete data

  • Erase your data ("right to be forgotten") where applicable

  • Restrict processing while disputes are resolved

  • Portability – receive your data in a structured format

  • Object to processing (including marketing)

  • Withdraw consent anytime (where processing relies on consent)

  • Challenge automated decisions/profiling

How to Exercise Your Rights

Contact our Data Protection Lead:
Ken Bell
Email: ken@1let.com
Phone: 01314765500
Address: 1Let Ltd, 20a Manor Place, Edinburgh

What happens next:

  1. We'll verify your identity (for security)

  2. Acknowledge your request within 5 working days

  3. Provide a full response within 1 month (free of charge)

  4. For complex requests: Update you on progress and expected completion

6. Complaints Process

Not happy with our response? Contact us first – we'll resolve most issues directly.

Still unsatisfied? Lodge a complaint with the Information Commissioner's Office (ICO):

No charge for rights requests or complaints.

1. Application Form for Tenants - Formstack
Data provided: Name, contact details (email/telephone), age, national insurance number, marital status, address, residential status, previous addresses, employment status, financial status, income details, financial references, proof of ID, credit checks, names/ages of children, bank details
Purpose: Tenant application form collection for tenancy referencing and approval
Legal basis: Contractual necessity (mandatory for tenancy application process)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of application process + 7 years (or 1 year if unsuccessful)
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://www.formstack.com/privacy

2. Amiqus ID
Data provided: Name, DOB, present home address, email address
Purpose: Basic credit checks and identity verification on prospective tenants
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of application process + 1 year
International transfers: N/A - UK-based
Link: https://amiqus.co/policies/privacy

3. SME Professional
Data provided: Name, contact details (email/telephone), age, address, residential status, bank details
Purpose: Property management software for all tenancy communications
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

4. Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, tenancy correspondence, attachments
Purpose: Email, calendars, document storage for tenancy operations
Legal basis: Contractual necessity, legal obligation, legitimate interest
Data processor: Microsoft Corporation
Retention: Duration of relationship + 7 years
International transfers: Yes - processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

5. Pinstripe
Data provided: Name, contact details (email/telephone), address
Purpose: Check-in inventories and risk assessments
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.pinstripe.services/privacy-policy

6. Signable
Data provided: Name, email, telephone, tenant/guarantor addresses
Purpose: Electronic tenancy agreement signatures
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.signable.co.uk/privacy-policy/

7. Deposit Provider (Safe Deposit Scotland)
Data provided: Name, contact details, rental address, rent/deposit amount, tenancy dates
Purpose: Tenant deposit protection transfer
Legal basis: Legal obligation
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: http://www.safedepositsscotland.com/privacy-policy

8. Utility Providers and Edinburgh City Council
Data provided: Name, contact details, tenant address, tenancy dates, forwarding address
Purpose: Council tax and utilities transfer administration
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements
Retention: Duration of tenancy handover process
International transfers: N/A - UK-based
Link: N/A - public authorities

9. Just Move In (Ethical Introductions Ltd)
Data provided: Name, contact details, move-to/from addresses, tenancy details, council tax status
Purpose: Home setup services (utilities/council tax transfers)
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy transition + 1 year
International transfers: N/A - UK-based
Link: https://justmovein.com/privacy-policy

10. Mailchimp
Data provided: Name, email address, newsletter preferences
Purpose: Newsletters and property alerts (opt-in only)
Legal basis: Consent
Data processor: The Rocket Science Group LLC
Retention: While subscribed + 30 days post-unsubscribe
International transfers: Yes - US-based with Standard Contractual Clauses
Link: https://mailchimp.com/legal/privacy/

11. Debt Collectors
Data provided: Name, contact details, tenancy reference, outstanding balance, payment history
Purpose: Rent/debt recovery services
Legal basis: Contractual necessity, legitimate interest
Data processor: Confirmed via contract
Retention: Duration of recovery + 6 years
International transfers: N/A - UK-based
Link: Varies by provider

12. First-tier Tribunal (Housing and Property Chamber)
Data provided: Name, contact details, tenancy reference, payments, agreements, notices
Purpose: Tribunal dispute evidence submission
Legal basis: Legal obligation
Data processor: Public authority
Retention: Duration of proceedings + 7 years
International transfers: N/A - UK-based

13. Legal Advisors and Courts
Data provided: Name, contact details, tenancy reference, agreements, payment history
Purpose: Legal advice and court proceedings
Legal basis: Legal obligation, legitimate interest
Data processor: UK legal firms/courts
Retention: Duration of proceedings + 7 years
International transfers: N/A - UK-based

14. Law Enforcement, Regulatory Bodies, Government Authorities
Data provided: Name, contact details, tenancy reference, agreements, payment history
Purpose: Legal compliance and official requests
Legal basis: Legal obligation
Data processor: Public authorities
Retention: As required by law
International transfers: N/A - UK-based

15. Landlords (Tenants and Prospective Tenants)
Data provided: Name, contact details, tenancy reference, agreements, payment history
Purpose: Landlord tenancy approval/management
Legal basis: Contractual necessity
Data processor: Data controller (landlord)
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based

16. Tapi
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Repairs and maintenance coordination
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of works + 7 years
International transfers: N/A - UK-based
Link: https://terms.tapihq.com/privacy-policy

17. Approved Tradesmen
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Pre-approved repairs and maintenance
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements
Retention: Duration of works + 7 years
International transfers: N/A - UK-based

18. Insurance Provider (Howden Group)
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Tenant contents insurance quotations (tenant requested)
Legal basis: Consent
Data processor: Confirmed via contract
Retention: Duration of quotation process
International transfers: N/A - UK-based
Link: https://www.howdengroup.com/uk-en/privacy-data-protection-policy

19. Payprop
Data provided: Name, contact details, address, rent details, arrears/overpayments
Purpose: Rental payment management platform
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.payprop.com/uk/privacy

20. Propcall – Emergency Out-of-Hours Call Centre
Data provided: Name, contact details (email/telephone), address, emergency nature
Purpose: Out-of-hours property management call answering
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of emergency + 7 years
International transfers: N/A - UK-based
Link: https://propcall.com/privacy-policy/

21. Inventory Hive
Data provided: Name, contact details (email/telephone), address
Purpose: Property visits, inspections, inventories
Legal basis: Contractual necessity
Data processor: Confirmed via contract
Retention: Duration of tenancy + 7 years
International transfers: N/A - UK-based
Link: https://www.inventoryhive.co.uk/privacy-policy

22. NatWest
Data provided: Name, sort code, account number
Purpose: Payroll, tenant/landlord payments, contractor invoices
Legal basis: Contractual necessity
Data processor: Confirmed via banking agreement
Retention: Duration of relationship + 7 years
International transfers: N/A - UK-based
Link: https://www.natwest.com/global/cookie-privacy.html

1. Landlord Application Form - Formstack
Data provided: Name, contact details (email/telephone), address, rental property address, age, proof of ID, proof of address, proof of ownership, national insurance number
Purpose: Landlord onboarding form collection for property management verification
Legal basis: Contractual necessity (mandatory for property management services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of landlord relationship + 7 years
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://www.formstack.com/privacy

2. Amiqus ID 
Data provided: Name, contact details (email/telephone), address
Purpose: Identity and proof of ownership checks on prospective/current landlords
Legal basis: Contractual necessity (required for property management onboarding)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of landlord relationship + 7 years
International transfers: N/A – UK-based
Link: https://amiqus.co/policies/privacy

3. SME Professional 
Data provided: Name, contact details (email/telephone), address, bank details
Purpose: Property management platform holding landlord data for tenancy services
Legal basis: Contractual necessity (core property management operations)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy management + 7 years
International transfers: N/A – UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

4. Signable (Landlords)
Data provided: Name, title
Purpose: Electronic tenancy agreements for landlord signature/approval
Legal basis: Contractual necessity (executing tenancy management agreements)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.signable.co.uk/privacy-policy/

5. Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, property ownership details, tenancy agreements, correspondence, attachments, documents, images
Purpose: Email, calendars, secure document storage, file sharing for landlord/tenant operations
Legal basis: Contractual necessity, legal obligation, legitimate interest
Data processor: Microsoft Corporation
Retention: Duration of relationship + 7 years
International transfers: Yes – processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

6. Utility Providers and Edinburgh City Council
Data provided: Name, contact details (email/telephone), tenant address, tenancy start/end dates, forwarding address, tenancy agreement (on request)
Purpose: Council tax and utilities transfer administration
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements
Retention: Duration of tenancy handover process
International transfers: N/A – UK-based

7. Just Move In
Data provided: Name, contact details (email/telephone), address
Purpose: Transferring council tax/utilities into tenant names
Legal basis: Contractual necessity (tenancy transition services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy transition + 1 year
International transfers: N/A – UK-based
Link: https://justmovein.com/privacy-policy

8. NatWest
Data provided: Name, sort code, account number
Purpose: Payroll, tenant/landlord payments, contractor invoices
Legal basis: Contractual necessity
Data processor: Confirmed via banking agreement
Retention: Duration of relationship + 7 years
International transfers: N/A – UK-based
Link: https://www.natwest.com/global/cookie-privacy.html

9. Landlord Contact Details Shared with Tenants
Data provided: Names, email addresses, phone numbers, postal addresses
Purpose: Enable tenant-landlord contact for repairs/tenancy administration (tenant request only)
Legal basis: Contractual necessity, legitimate interest
Data processor: No – direct sharing with data controller (tenant)
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based

10. Mailchimp
Data provided: Name, email address, newsletter preferences
Purpose: Newsletters/property alerts to opted-in landlords
Legal basis: Consent
Data processor: The Rocket Science Group LLC
Retention: While subscribed + 30 days post-unsubscribe
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://mailchimp.com/legal/privacy/

11. Approved Tradesmen
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Arrange repairs/maintenance (landlord-requested tradesmen contact)
Legal basis: Contractual necessity
Data processor: Confirmed via service agreements (pre-approved trades only)
Retention: Duration of works + 7 years
International transfers: N/A – UK-based

12. Insurance Provider (Howden Group)
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Landlord insurance quotations (landlord requested)
Legal basis: Consent
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of quotation process
International transfers: N/A – UK-based
Link: https://www.howdengroup.com/uk-en/privacy-data-protection-policy

13. HMRC
Data provided: Name, contact details (email/telephone), address, bank details, rental income
Purpose: Mandatory tax reporting and income information
Legal basis: Legal obligation
Data processor: Public authority
Retention: As required by tax law (minimum 6 years)
International transfers: N/A – UK-based

14. Payprop
Data provided: Name, contact details (email/telephone), address, rent details, arrears/overpayments
Purpose: Rental payment management platform
Legal basis: Contractual necessity
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.payprop.com/uk/privacy

15. Propcall – Emergency Out-of-Hours Call Centre
Data provided: Name, contact details (email/telephone), address, emergency nature
Purpose: Out-of-hours property management call answering
Legal basis: Contractual necessity
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of emergency + 7 years
International transfers: N/A – UK-based
Link: https://propcall.com/privacy-policy/

16. Inventory Hive
Data provided: Name, contact details (email/telephone), address
Purpose: Mid-tenancy visits, end-of-tenancy inspections, move-in inventories
Legal basis: Contractual necessity
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.inventoryhive.co.uk/privacy-policy

17. Inspect Real Estate (IRE)
Data provided: Name, contact details (email/telephone), rental property address
Purpose: Management of viewing enquiries and bookings
Legal basis: Contractual necessity (property marketing services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of marketing campaign + 1 year
International transfers: N/A – UK-based
Link: https://go.reapit.com/reapit-terms-and-conditions-01-01-2024.pdf

 

1. Guarantor Application Form - Formstack
Data provided: Name, contact details (email/telephone), age, national insurance number, marital status, address, residential status, previous addresses, employment status, financial status, income details, financial references, proof of ID, credit checks
Purpose: Guarantor application form collection for tenancy financial underwriting
Legal basis: Contractual necessity (mandatory for tenancy approval with guarantor)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: Yes – US-based with Standard Contractual Clauses
Link: https://www.formstack.com/privacy

2. SME Professional 
Data provided: Name, contact details (email/telephone), address, residential status, bank details
Purpose: Property management platform for guarantor communication and tenancy management
Legal basis: Contractual necessity (required for tenancy guarantee services)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

3. Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, tenancy reference, correspondence, attachments, documents
Purpose: Email, calendars, document storage, collaboration for guarantors/tenants/landlords
Legal basis: Contractual necessity, legitimate interest
Data processor: Microsoft Corporation
Retention: Duration of relationship + 7 years
International transfers: Yes – processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

4. Amiqus ID
Data provided: Name, DOB, marital status, frequency paid, income (salary), residential status, present home address
Purpose: Basic credit checks on prospective guarantors for tenancy applications
Legal basis: Contractual necessity (required tenancy approval process)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of application + 7 years
International transfers: N/A – UK-based
Link: https://amiqus.co/policies/privacy

5. Legal Advisors and Courts
Data provided: Name, address, email address, tenancy reference, tenancy agreements, relevant documents
Purpose: Legal advice and court proceedings for tenancy disputes
Legal basis: Legal obligation, legitimate interest
Data processor: UK legal firms/courts
Retention: Duration of proceedings + 7 years
International transfers: N/A – UK-based

6. Law Enforcement, Regulatory Bodies, Government Authorities
Data provided: Name, address, email address, tenancy reference, tenancy agreements, relevant documents
Purpose: Compliance with legal/regulatory requests
Legal basis: Legal obligation
Data processor: Public authorities
Retention: As required by law
International transfers: N/A – UK-based

7. Landlords (Tenancy Approval)
Data provided: Name, address, email address, tenancy reference, tenancy agreements, relevant documents
Purpose: Landlord review/approval of guarantor details for tenancy agreements
Legal basis: Contractual necessity, legitimate interest
Data processor: Data controller (landlord)
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based

8. Utility Companies (Tenant Account Setup/Closure)
Data provided: Name, address, email address, tenancy reference
Purpose: Utility account setup/closure for tenants (landlord/tenant requested)
Legal basis: Contractual necessity, legitimate interest
Data processor: Confirmed via service agreements
Retention: Duration of tenancy
International transfers: N/A – UK-based

9. Signable
Data provided: Name, email address, telephone number, home address
Purpose: Electronic tenancy agreements requiring guarantor signature
Legal basis: Contractual necessity (executing tenancy agreements)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of tenancy + 7 years
International transfers: N/A – UK-based
Link: https://www.signable.co.uk/privacy-policy/

10. Debt Collectors
Data provided: Name, contact details, tenancy reference, outstanding balance, payment history, correspondence, financial information
Purpose: Recovery of outstanding rent/debt per tenancy agreements
Legal basis: Contractual necessity, legitimate interest
Data processor: Confirmed via contract
Retention: Duration of recovery + 6 years
International transfers: N/A – UK-based

11. First-tier Tribunal (Housing and Property Chamber)
Data provided: Name, contact details, tenancy reference, rental payments, correspondence, tenancy agreements, notices
Purpose: Tribunal dispute evidence submission
Legal basis: Legal obligation, legitimate interest
Data processor: Public authority
Retention: Duration of proceedings + 7 years
International transfers: N/A – UK-based

Neighbours
Data provided: Name, contact details (email/telephone), address
Purpose: Correspondence regarding property issues affecting neighbouring properties (noise complaints, maintenance coordination, communal repairs)
Legal basis: Legitimate interest (necessary for effective property management and neighbour relations)
Data processor: No – data collected directly by 1Let (controller)
Retention: Duration of issue resolution + 2 years
International transfers: N/A – UK-based

SME Professional 
Data provided: Name, contact details (email/telephone), address, bank details (communal repairs only)
Purpose: Property management platform storing neighbour data for property issue resolution
Legal basis: Legitimate interest (property management operations)
Data processor: Yes – contract/DPA in place per UK GDPR Article 28
Retention: Duration of issue + 2 years
International transfers: N/A – UK-based
Link: https://www.smeprofessional.co.uk/privacy-statement/

Microsoft Outlook (Microsoft 365 including SharePoint)
Data provided: Names, email addresses, phone numbers, postal addresses, correspondence, attachments, documents relating to property issues
Purpose: Email communications, document storage, collaboration for neighbour property issues
Legal basis: Legitimate interest (property management correspondence)
Data processor: Microsoft Corporation
Retention: Duration of issue + 2 years
International transfers: Yes – processed/stored outside UK/EEA with Standard Contractual Clauses
Link: https://privacy.microsoft.com/en-gb/privacystatement

 

 

1Let is committed to protecting your personal data in accordance with the UK GDPR, the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025 ["DUAA"]), and relevant Scottish legislation.

This privacy notice explains:

  • What personal information we collect about you as a member of staff
  • Why and how we process it
  • Your legal rights and how to exercise them
  • How we keep your data secure

This notice is provided in a layered format: this document provides a concise summary. More detailed policies (e.g., Data Retention Policy, IT Security Policy) are available on our internal SharePoint portal or on request.

If you require this notice in an alternative format (e.g., large print, audio, Easy Read), please contact our Data Protection Lead.

 

3. WHAT PERSONAL DATA WE PROCESS

We collect and process the following categories of staff

Category: Examples

  • Identity & Contact: Name, home address, personal email, phone number, date of birth, National Insurance number, photograph, passport/driving licence copies
  • Employment Details: Contract of employment, start/leave dates, job title, department, salary, bank details, tax code, pension enrolment, right to work documentation
  • Performance & Training: Appraisals, objectives, disciplinary records, grievance records, training history, qualifications, professional memberships
  • Health & Safety: Sickness absence records, fit notes, occupational health reports, accident/incident reports, risk assessments, reasonable adjustments
  • Monitoring & IT Usage: Login/logout times, system access logs, email metadata (not content without justification), CCTV footage (office premises), door access records
  • Equal Opportunities: Voluntary monitoring data on ethnicity, sexual orientation, disability status (processed anonymously for reporting unless explicit consent given)
  • Special Category Data: Health information (for sickness/adjustments), trade union membership, biometric data (if used for access control)

 Note on Monitoring: Any digital monitoring (e.g., keystroke logging, screen capture) is only conducted where necessary and proportionate for a legitimate business purpose (e.g., investigating misconduct), following a Data Protection Impact Assessment (DPIA), and with prior staff consultation.

 

4. LAWFUL BASIS FOR PROCESSING

Under UK GDPR Article 6 and the DUAA 2025, we rely on the following lawful bases:

Administering your employment contract
Lawful Basis (UK GDPR Article): Contract (Art. 6(1)(b))
Additional Condition (Special Category Data): Employment, social security and social protection law (DPA 2018, Sch. 1, Part 1, Para 1)

Complying with legal obligations (tax, pensions, right to work, health & safety)
Lawful Basis (UK GDPR Article): Legal obligation (Art. 6(1)(c))
Additional Condition (Special Category Data): As above

Managing performance, training, and career development
Lawful Basis (UK GDPR Article): Legitimate interests (Art. 6(1)(f))
Additional Condition (Special Category Data): N/A

Preventing, detecting, or investigating crime or fraud
Lawful Basis (UK GDPR Article): Recognised Legitimate Interest (DUAA 2025, s. 12) – Crime prevention/detection
Additional Condition (Special Category Data): Substantial public interest (DPA 2018, Sch. 1)

Safeguarding vulnerable individuals (e.g., tenants, staff)
Lawful Basis (UK GDPR Article): Recognised Legitimate Interest (DUAA 2025) – Safeguarding
Additional Condition (Special Category Data): Substantial public interest + explicit consent where required

Responding to emergencies (e.g., building evacuation, medical incident)
Lawful Basis (UK GDPR Article): Recognised Legitimate Interest (DUAA 2025) – Civil Contingencies Act 2004
Additional Condition (Special Category Data): Vital interests (Art. 9(2)(c))

Processing health data for reasonable adjustments or occupational health
Lawful Basis (UK GDPR Article): Legal obligation (employment law)
Additional Condition (Special Category Data): Employment, social security and social protection law (DPA 2018, Sch. 1)

Equal opportunities monitoring
Lawful Basis (UK GDPR Article): Substantial public interest (DPA 2018, Sch. 1)
Additional Condition (Special Category Data): Explicit consent OR anonymised processing

IT security and network protection
Lawful Basis (UK GDPR Article): Legitimate interests (Art. 6(1)(f))
Additional Condition (Special Category Data): N/A

 

Necessity Test: Even where a Recognised Legitimate Interest applies under the DUAA 2025, we only process data where it is necessary for the stated purpose and balanced against your rights and freedoms.

 

5. DATA SHARING & THIRD-PARTY PLATFORMS

To administer your employment and comply with legal duties, we share your personal data with the following recipients:

Employment Hero
Purpose of Sharing: HR management system: personnel files, leave, performance records
Legal Basis: Contract + Legitimate interests
Link to Their Privacy Notice: Employment Hero Privacy Policy

Microsoft 365 (SharePoint/Teams)
Purpose of Sharing: Internal document storage, collaboration, email
Legal Basis: Contract + Legitimate interests
Link to Their Privacy Notice: Microsoft Privacy Statement

Whitelaw Wells
Purpose of Sharing: External payroll processing: salary, tax, bank details
Legal Basis: Legal obligation + Contract
Link to Their Privacy Notice: Whitelaw Wells Privacy

NEST
Purpose of Sharing: Workplace pension enrolment and contributions
Legal Basis: Legal obligation (Pensions Act 2008)
Link to Their Privacy Notice: NEST Privacy Policy

HMRC & Statutory Bodies
Purpose of Sharing: Tax reporting, right to work checks, statutory payments
Legal Basis: Legal obligation
Link to Their Privacy Notice: HMRC Privacy Notice

Finance Contractors
Purpose of Sharing: Payroll administration, expense processing
Legal Basis: Contract + Legitimate interests
Link to Their Privacy Notice: Provided on request (bound by Data Processing Agreement)

Occupational Health Providers
Purpose of Sharing: Fitness for work assessments, reasonable adjustments
Legal Basis: Explicit consent + Legal obligation
Link to Their Privacy Notice: Provided on request

Legal Advisors
Purpose of Sharing: Defence of legal claims, employment disputes
Legal Basis: Legitimate interests + Legal obligation
Link to Their Privacy Notice: Provided on request

 

 All third-party processors are bound by written Data Processing Agreements (DPAs) compliant with UK GDPR Article 28, requiring them to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Assist us in responding to data subject requests
  • Delete or return data at the end of the contract

 

6. INTERNATIONAL DATA TRANSFERS

Some of our service providers (e.g., cloud platforms) may process your data outside the UK. Where this occurs:

  • USA: Transfers are made to providers certified under the UK Extension to the EU-U.S. Data Privacy Framework. This ensures the level of protection for your data is not materially lower than under UK GDPR.
  • Other Countries: We use International Data Transfer Agreements (IDTAs) approved by the ICO, accompanied by a Transfer Risk Assessment (TRA) to confirm safeguards are in place.

We maintain a record of all international transfers and review them annually. For further details, contact our Data Protection Lead.

Following the Data (Use and Access) Act 2025, the UK applies a "data protection test" for international transfers: protection must not be materially lower than UK standards. See ICO guidance (January 2026) for details.

7. DATA RETENTION

We retain your personal data only for as long as necessary for the purposes for which it was collected, in line with the storage limitation principle (UK GDPR Article 5(1)(e)) and Scottish law.

| Data Category | Retention Period | Legal/Practical Basis | Disposal Method |
| --- | --- | --- | --- |
| Employment Records (contract, appraisals, disciplinary) | 6 years after employment ends | Best practice to cover limitation periods for civil claims under the Prescription and Limitation (Scotland) Act 1973 (5 years for contract; 6 years adopted for consistency with UK-wide HR practice) | Secure digital deletion + certificate of destruction for paper |
| Recruitment Records (Unsuccessful) | 6 months after recruitment decision | Legitimate interests: To defend potential discrimination claims. | Secure digital deletion |
| Recruitment Records (With Consent) | Up to 2 years | Consent: To keep the candidate on file for future vacancies. | Secure digital deletion |
| Payroll, Tax, Pension Records | 6 years after end of relevant tax year | HMRC requirements (TMA 1970, s. 12B) | Secure deletion |
| Right to Work Documentation | Duration of employment + 2 years | Immigration Act 2014; Home Office guidance | Secure deletion |
| Health & Safety / Accident Records | 3 years from date of incident (or longer if claim anticipated) | Limitation period for personal injury claims in Scotland (3 years from date of knowledge) | Secure deletion |
| RIDDOR-Reportable Incidents | Minimum 3 years | Health and Safety at Work etc. Act 1974 | Secure deletion |
| CCTV Footage | Maximum 31 days | ICO CCTV Code of Practice; security purpose | Automatic overwrite |
| Recruitment Records (unsuccessful applicants) | 6 months after recruitment decision | Legitimate interests (defending discrimination claims) | Secure deletion |
| Equal Opportunities Monitoring Data | Anonymised immediately after reporting; raw data deleted after 12 months | Data minimisation principle | Anonymisation / secure deletion |
| Ex-Employee Reference Records | 6 years after employment ends | Legitimate interests: To provide consistent, accurate employment history. | Secure digital deletion |
| Dead Files (Paper/Digital) | Checked every 12 months | 1Let Internal Policy: Securely destroyed if no longer required. | Shredding / Scotwaste collection |

Annual Review: Our Data Protection Lead conducts an annual audit of data holdings against this schedule. Automated alerts in our HR/IT systems flag records approaching retention limits.

8. YOUR DATA PROTECTION RIGHTS

Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights:

| Right | What It Means | How to Exercise |
| --- | --- | --- |
| Right of Access | Request a copy of the personal data we hold about you (Subject Access Request) | Email ken@1let.com with proof of identity |
| Right to Rectification | Request correction of inaccurate or incomplete data | Contact your manager or Data Protection Lead |
| Right to Erasure | Request deletion of your data (in limited circumstances, e.g., where consent was basis and withdrawn) | Submit request to Data Protection Lead |
| Right to Restriction | Request we temporarily stop processing your data (e.g., while accuracy is verified) | Email ken@1let.com |
| Right to Data Portability | Receive your data in a structured, machine-readable format (where processing is based on consent/contract and by automated means) | Request via email |
| Right to Object | Object to processing based on legitimate interests or Recognised Legitimate Interests | Submit objection to Data Protection Lead; we will cease processing unless compelling grounds override |
| Rights in Relation to Automated Decision-Making | Request human review of decisions made solely by automation with legal/significant effects | Contact Data Protection Lead immediately |
| Right to Withdraw Consent | Withdraw consent at any time where processing relies on consent (does not affect prior lawful processing) | Notify your manager or Data Protection Lead |

Response Times: We will respond to all requests within one calendar month. Under the DUAA 2025, this period may be paused ("stop the clock") if we reasonably require further information to verify your identity or locate your data. We will inform you if an extension is needed.

No Fee: Exercising your rights is free of charge, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act).

9. AUTOMATED DECISION-MAKING & PROFILING

We may use automated systems or Artificial Intelligence (AI) to support HR processes (e.g., initial CV screening, productivity analytics). However:

Human Oversight: No significant decision affecting your employment (e.g., recruitment, promotion, disciplinary action, termination) is made solely by automated means without meaningful human review.

Transparency: Where automated tools are used, you will receive meaningful information about the logic involved and the significance of the processing.

Your Safeguards: You have the right to:

  • Make representations about an automated decision
  • Request human review of the outcome
  • Contest the decision

Following the Data (Use and Access) Act 2025, restrictions on solely automated decisions with legal or similarly significant effects apply only where special category data (e.g., health information) is processed. All our significant employment decisions involve human judgment.

10. HOW TO EXERCISE YOUR RIGHTS OR MAKE A COMPLAINT

10.1 Contact Us Directly

To exercise any right or raise a concern:
Email: ken@1let.com
Phone: 0131 476 5500
Post: 20a Manor Place, Edinburgh, EH3 7DS

10.2 Complaints Procedure (DUAA 2025 Compliant)

If you believe we have not complied with data protection law, email ken@1let.com with "GDPR Complaint" in the subject line.

We will:

  • Acknowledge receipt promptly (typically within 3 working days)
  • Investigate thoroughly and provide a substantive response without undue delay
  • Inform you of the outcome and any actions taken

10.3 Escalate to the Regulator

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk/concerns
Phone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Note: The ICO remains the UK's independent regulator for data protection. The Data (Use and Access) Act 2025 updated its governance but did not change its name or core functions.

11. ADDITIONAL INFORMATION

11.1 Provision of Data: Statutory & Contractual Requirements

Provision of certain personal data (e.g., National Insurance number, right to work documentation, bank details) is a statutory or contractual requirement for employment. Failure to provide this information may prevent us from entering into or performing your employment contract, or complying with legal obligations (e.g., tax reporting).

11.2 Data Obtained from Third Parties

Where we obtain personal data about you from third parties (e.g., employment references, qualification verification, background checks), we will provide you with this privacy information:

  • Within one month of obtaining the data, OR
  • At the time of first communication with you, OR
  • Before disclosing the data to another recipient
    (whichever is earliest)

11.3 Children and Young Workers

Where we employ staff under the age of 18, we take account of their specific needs and ensure privacy information is provided in clear, age-appropriate language, in line with our duties under the Data (Use and Access) Act 2025.

11.4 Data Protection by Design and Default

We embed data protection considerations into the design of our HR systems, processes, and policies. By default, we ensure that only personal data necessary for each specific purpose is processed, and that appropriate technical and organisational measures (e.g., encryption, access controls, staff training) are implemented.

11.5 Policy Review & Updates

This notice is reviewed annually or following significant changes to our processing activities, technology, or the law. The latest version is always available on our internal SharePoint portal. Staff will be notified of material changes via email and team briefings.

12. SPECIFIC PROVISIONS FOR JOB SEEKERS

12.1 Sources of Data

We collect data from you via your application, CV, and interview. We may also obtain data from third parties, such as recruitment agencies, LinkedIn, or designated referees.

12.2 Purpose of Processing

Your data is processed solely to:

  • Assess your suitability for the role.
  • Communicate with you during the recruitment process.
  • Comply with legal requirements (e.g., Right to Work checks).

12.3 Pre-Employment Screening

If we make a conditional offer, we will conduct background checks (e.g., criminal record checks via Disclosure Scotland, qualification verification). We will always inform you before initiating these checks.

13. SPECIFIC PROVISIONS FOR EX-EMPLOYEES

13.1 References

After your employment ends, 1Let will typically provide a standard reference (confirming job title and dates of employment) to future employers or landlords. We process this under Legitimate Interests. If a detailed character reference is requested, we will seek your consent before disclosure.

13.2 Post-Employment Access

Ex-employees retain the Right of Access to their personnel records for the duration of the 6-year retention period. Requests should be directed to the Data Protection Lead (ken@1let.com).

13.3 "The Right to be Forgotten"

While you have the right to request erasure, please note that 1Let will generally decline requests to delete core employment records (contracts, payroll, disciplinary) until the 6-year period has elapsed. This is to ensure we can comply with our legal duties and defend against potential legal claims.