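This Policy sets out the obligations of Eden Harper Ltd, a company registered in the United Kingdom under number 04335562, whose registered office is at 64 Battersea Park Road, London, SW11 4JP (“the Company”) regarding data protection and the rights of Landlords, Tenants, Consumers, Maintenance Contractors in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.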
This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:
2.1 Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
2.4 Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
2.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):
3.4 The right to erasure (also known as the ‘right to be forgotten’) (Part 15);
4.1 The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:
4.1.1 The data subject has given consent to the processing of their personal data for one or more specific purposes;
4.1.2 The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;
4.1.4 The processing is necessary to protect the vital interests of the data subject or of another natural person;
4.1.6 The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4.2 [If the personal data in question is “special category data” (also known as “sensitive personal data”) (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:
4.2.1 The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);
4.2.2 The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);
4.2.3 The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
4.2.5 The processing relates to personal data which is clearly made public by the data subject;
4.2.7 The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
4.2.9 The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
4.2.10 The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.]
5.1 The Company collects and processes the personal data set out in Part 21 of this Policy. This includes:
5.1.1 Personal data collected directly from data subjects
5.2 The Company only collects, processes, and holds personal data for the specific purposes set out in Part 21 of this Policy (or for other purposes expressly permitted by the GDPR).
5.3 Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 12 for more information on keeping data subjects informed.
The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under Part 5, above, and as set out in Part 21, below.
7.1 The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject, as set out in Part 14, below.
7.2 The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
8. Data Retention
8.1 The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
8.2 When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
8.3 For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.
9. Secure Processing
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are provided in Parts 22 to 27 of this Policy.
10.1 The Company’s Data Protection Officer is Ajaye Gopal, who can be contacted by email at [email protected], by telephone on 020 3514 4056, or by post at Eden Harper, 3 Arlington Parade, London SW2 1RH.
10.2 The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.
10.3 The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
10.3.1 The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors;
10.3.2 The purposes for which the Company collects, holds, and processes personal data;
10.3.3 Details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;
10.3.4 Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;
10.3.5 Details of how long personal data will be retained by the Company (please refer to the Company’s Data Retention Policy); and
10.3.6 Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.
11.1 The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.
11.2.1 The type(s) of personal data that will be collected, held, and processed;
11.2.2 The purpose(s) for which personal data is to be used;
11.2.3 The Company’s objectives;
11.2.4 How personal data is to be used;
11.2.7 Risks posed to data subjects;
11.2.8 Risks posed both within and to the Company; and
12.1 The Company shall provide the information set out in Part 122 to every data subject:
12.1.1 Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and
12.1.2 Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:
a) if the personal data is used to communicate with the data subject, when the first communication is made; or
b) if the personal data is to be transferred to another party, before that transfer is made; or
c) as soon as reasonably possible and in any event not more than one month after the personal data is obtained.
12.2.1 Details of the Company including, but not limited to, the identity of its Data Protection Officer;
12.2.2 The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 21 of this Policy) and the legal basis justifying that collection and processing;
12.2.3 Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;
12.2.4 Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
12.2.5 Where the personal data is to be transferred to one or more third parties, details of those parties;
12.2.6 Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 28 of this Policy for further details);
12.2.8 Details of the data subject’s rights under the GDPR;
12.2.9 Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;
12.2.10 Details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);
12.2.11 Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and
12.2.12 Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.
13 Data Subject Access
13.1 Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.
13.2 Employees wishing to make a SAR should do so using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer, Ajaye Gopal, who can be contacted by email at [email protected], by telephone on 020 3514 4056, or by post at Eden Harper, 3 Arlington Parade, London SW2 1RH.
13.3 Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
13.4 All SARs received shall be handled by the Company’s Data Protection Officer.
13.5 The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
14.1 Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.
14.2 The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
14.3 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
15.1 Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
15.1.1 It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
15.1.2 The data subject wishes to withdraw their consent to the Company holding and processing their personal data;
15.1.3 The data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);
15.1.4 The personal data has been processed unlawfully;
15.1.5 The personal data needs to be erased in order for the Company to comply with a particular legal obligation
15.2 Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
15.3 In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
16.1 Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
16.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
17. Data Portability
17.1 The Company processes personal data using automated means such as via software systems, email and other electronic methods.
17.2 Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).
17.3 To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in the following formats:
17.4 Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.
17.5 All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.
18.1 Data subjects have the right to object to the Company processing their personal data based on legitimate interests, direct marketing (including profiling).
18.2 Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
18.3 Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.
19.1 The Company uses personal data in automated decision-making processes for referencing
19.2 Where such decisions have a legal (or similarly significant) effect on data subjects, those data subjects have the right to challenge such decisions under the GDPR, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.
19.3.1 The decision is necessary for the entry into, or performance of, a contract between the Company and the data subject;
19.3.3 The data subject has given their explicit consent.
20.1 The Company does not currently use personal data for profiling purposes. Should it do so in the future, the following will apply:
20.2 When personal data is used for profiling purposes, the following shall apply:
20.2.1 Clear information explaining the profiling shall be provided to data subjects, including the significance and likely consequences of the profiling;
20.2.4 All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling (see Parts 22 to 26 of this Policy for more details on data security).
The following personal data is collected, held, and processed by the Company (for details of data retention, please refer to the Company’s Data Retention Policy):
Name & Contact Details
Current & Forwarding address
Name & Contact Details
Contact Details & Telephone Numbers
The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:
22.1 All emails containing personal data must be encrypted. All emails containing personal data must be marked “confidential”;
22.5 Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
22.6 Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient by post or given to the recipient in person
22.7 All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.
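The Company shall ensure that the following measures are taken with respect to the storage of personal data:
23.1 All electronic copies of personal data should be stored securely using passwords and data encryption;
23.2 All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;
23.3 All personal data stored electronically should be backed up weekly with backups stored offsite. All backups should be encrypted. No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise, without the formal written approval of the Director, Ajaye Gopal, and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and
23.4 No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).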
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.
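The Company shall ensure that the following measures are taken with respect to the use of personal data:
25.1 No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Ajaye Gopal, ajayegopal@edenharper.com or 020 3514 4056. No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of the Director, Ajaye Gopal. Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;
25.2 If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and
25.3 Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of a company director to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.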
26.1 All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;
26.2 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
26.4 No software may be installed on any Company-owned computer or device without the prior approval of the Director, Ajaye Gopal.
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
27.1 All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;
27.2 Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
27.3 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
27.4 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
27.5 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;
27.6 Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
27.7 All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy;
27.8 The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
27.9 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;
27.10 All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and
27.11 Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
28. Transferring Personal Data to a Country Outside the EEA
28.1 The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.
28.2 The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
28.2.1 The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
28.2.3 The transfer is made with the informed consent of the relevant data subject(s);
28.2.4 The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
28.2.5 The transfer is necessary for important public interest reasons;
28.2.6 The transfer is necessary for the conduct of legal claims;
28.2.7 The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
29.1 All personal data breaches must be reported immediately to the Company’s Data Protection Officer.
29.2 If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
29.3 In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
29.4.1 The categories and approximate number of data subjects concerned;
29.4.2 The categories and approximate number of personal data records concerned;
29.4.3 The name and contact details of the Company’s Data Protection Officer (or other contact point where more information can be obtained);
29.4.5 Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
Name: Ajaye Gopal
Date: 18th May 2018
Due for Review by: 17th May 2019