Our Data Protection and Control Principles
We will abide by the principles stated below:
a) Data will be processed lawfully, fairly and in a transparent manner in relation to individual users;
b) Data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) Data will be kept in a form which permits identification of data subjects/individual users for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
f) Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The data controller will be responsible for, and be able to demonstrate, compliance with the above principles.
The rights of Individual Users
The GDPR provides the following rights for individuals:
1. The right to be informed
Individual users have the right to be informed about the collection and use of their personal data. This will be clearly stated in our Privacy notices.
2. The right of access
Individuals have a right to access any personal data relating to them which are held by us. Any individual wishing to exercise this right should apply in writing to our agency or directly to the data controller.
Individuals have the right to obtain the following:
• confirmation that we are processing their personal data;
• a copy of their personal data; and
• other supplementary information – this largely corresponds to the information that is provided in our privacy notice.
3. The right to rectification
Under Article 16 of the GDPR, individual users have the right to have inaccurate personal data rectified.
If an individual user feels their data is inaccurate, they should submit a ‘request for rectification’ to our agency or directly to the data controller.
4. The right to erasure
Under Article 17 of the GDPR, individual users have the right to have their personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Individual users have the right to have their personal data erased if:
• The personal data is no longer necessary for the purpose for which our agency originally collected or processed it;
• The data was collected relying on the consent of the individual user and the individual user withdraws that consent;
• The data was collected or is being processed based on there being a ‘legitimate interest’ and the individual user objects to their data being processed and there is no overriding legitimate interest to continue this processing;
• The data is being processed for direct marketing purposes and the individual user objects to that processing.
In such cases, we agree to erase the data allowing the individual user the ‘right to be forgotten’. If an individual user wishes to have their data erased they should submit a ‘request to be forgotten’ to our agency or directly to the data controller.
5. The right to restrict processing
Under the GDPR, individual users have the right to restrict the processing of their personal data in certain circumstances. The data will still be stored, but the way we process and/or share the data will be restricted. This might happen, for example, if a host wishes to take a break from accommodating students. They may wish for their data to be kept on our system but request that we no longer offer their profile to students in accommodation offers.
In such cases, we agree to restrict the use/processing of the data. If an individual user wishes to restrict their data being processed, they should submit a ‘data processing restriction request’ to our agency or directly to the data controller. They should make clear the restrictions they wish to set, the data this corresponds to and the period of time they wish the restriction to be in place for.
6. The right to data portability
Individual users have the right to receive personal data they have provided to our agency/data controller in a structured, commonly used and machine-readable format. This data can be issued to the individual user and/or (if requested by the individual user) transferred to another controller.
7. The right to object
Article 21 of the GDPR gives individual users the right to object to the processing of their personal data. This effectively allows individual users to ask us to stop processing their personal data.
In such cases, we agree to stop using/processing their data. If an individual user wishes for us to stop processing their data they should make this clear to our agency or directly to the data controller.
8. Rights in relation to automated decision making and profiling
This gives individual users protection against decisions being made based on automated profiling i.e. without human involvement. Although our agency uses information technology to match accommodation requests with accommodation providers, the final decision is always made by a human.