The Data Protection Act 2018 (DPA 2018) sets out the data protection framework in the UK and incorporates the Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) into the national law. Its purpose is to protect the “rights and freedoms” of natural persons (living individuals), and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
Personal information includes any information that identifies you personally, such as your name, address, email address, internet protocol address or telephone number.
Under the DPA 2018 and the GDPR, Destined Abroad, is defined as the Data Controller and therefore has a legal duty to protect any information we collect from you. We use appropriate technologies to safeguard your details and keep to strict security standards to prevent unauthorised access to it.
The Destined Abroad head office can be located at:
Destined Abroad, 27 Miserden Crescent, Milton Keynes, MK4 4GJ
Contact Email: firstname.lastname@example.org
Further contact information can be located at: https://www.destinedabroad.com
Definitions used by the organisation (drawn from the GDPR)
Material scope (Article 2 GDPR) – the GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.
Territorial scope (Article 3 GDPR) – the GDPR applies to all controllers that are established in the EU (European Union) who process the personal data of data subjects, in the context of that establishment. It also applies to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU.
Article 4 GDPR – Definitions
Establishment – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre. If a controller is based outside the EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on behalf of the controller and deal with supervisory authorities.
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject – any living individual who is the subject of personal data held by an organisation.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.
Data subject consent – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Child – the GDPR defines a child as anyone under the age of 16 years old, although this may be lowered to 13 by Member State law. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
1. Types of Information Collected.
Personal data means any information relating to a living individual who can be identified (directly or indirectly) in particular by reference to an identifier (e.g. name, NI number, employee number, email address, physical features). It can be factual (e.g. contact details or date of birth), an opinion about an individual’s actions or behaviour, or information that may otherwise impact that individual in a personal, or business capacity.
Data protection law divides personal data into two categories: ordinary personal data and special category data. Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data. (The rest is ordinary personal data).
Categories of personal information collected and processed by Destined Abroad include, but are not limited, to:
- Residential status – including present and past addresses
- Date of Birth
- Marital status
- Residential status
- Dependent information
- National Insurance number
- Employment history – including current and former employer information
- Copies of identification
- Financial information – such as salary, bank details, mortgage statements, credit card details, load details
- Contact information
- Third party contact information
- Online identifier information
1.1 Methods of Collection
Personal information we process about you may be directly provided to us by yourself in the course of you:
- Using or applying for a Destined Abroad product or service
- Making a complaint or enquiry to ourselves
- Subscribing or unsubscribing to marketing material
- Participating in a promotion, offer or programme
- Entering or attempting to enter into a business or employment relationship with ourselves
We will always attempt to provide you with our Privacy Notice in regards to information received from other sources than yourself if it is not deemed to be disproportionate or prejudicial.
We, our service providers and partners collect certain information by using automated means, such as cookies, when you interact with our advertisements, mobile applications, or visit our websites, pages or other digital assets. The information we collect in this manner may include:
- IP address
- Browser type
- Operating system
- Referring URLs and information on actions taken or interaction with our digital assets.
1.2 Purposes of Processing
Generally, we will collect, use and hold your information for the purposes of:
- Assessing applications for and providing Destined Abroad products and services
- Conducting business and developing relationships with Destined Abroad and affiliates
- Protecting against and preventing fraud, unauthorised transactions, money laundering, tax evasion, claims and other liabilities
- Creating and managing any accounts or associated authentication criteria (such as ID logons and passwords) you may have with Destined Abroad
- Communicating and marketing Destined Abroad products, services, offers, programs and promotions
- Compiling business directories, including business contact information
- Operating, monitoring and improving our products, services, websites, mobile applications and
other digital assets as well as developing new products and services
- Complying with industry standards and Destined Abroad policies
- Processing complaints, enquiries and data subject rights requests
- For training, communication and awareness
- Confirming appointments and meetings
- Publishing of customer feedback and reviews
1.3 Lawful basis of processing
The legal basis we use to process your personal data may differ for each processing activity. Dependent upon the purpose for processing, as outlined above, and the business area processing your data Destined Abroad relies upon the following lawful basis of processing:
Article 6 (1) (a) GDPR Consent: Where your permission and consent has been provided to allow processing to be undertaken. For example;
Using video, messaging or other communication applications to provide a service, where you have requested, actively chosen to use or approved the use of the application as a form of contact between yourself and the business
Article 6 (1) (b) GDPR Performance of a contract: where you have or will enter into a contract with Destined Abroad and we need to process your information as part of this contract
Article 6 (1) (c) GDPR Compliance with a legal obligation: Where Destined Abroad are bound by further laws and regulations to process your information, affecting areas such as:
- Crime and anti-moneylaundering
- Property and estate management
- Welfare and health and safety
Article 6 (1) (e) GDPR Public interest: Information concerning relocations is processed in accordance with public interest
Article 6 (1) (f) GDPR Legitimate interests: These include:
- Fraud prevention and detection
- Risk assessment
- Due diligence
- Network and Information Security
- Suppression lists and managing communication opt-out requests
- Training, communication and awareness
- Direct marketing
- Monitoring and web analytics
- Cloud storage
2. Information We Share
We do not sell or otherwise disclose personal information we collect about you, except as described in this Privacy Notice or as indicated via the consent process at the time the data is collected. We may share the information we collect, where applicable, with:
- Landlords and landlord associates and sub processors
- Vetted affiliates and partners
- Financial Institutions
- Insurance Companies
- Formally contracted service providers
Destined Abroad may also disclose personal information to other employees in the course of providing you with our services. Destined Abroad does not permit these parties to use such information for any other purpose than to perform the services they have been instructed to provide by us.
We may also share information about you, if required legally, to prevent harm or financial / reputation loss, for investigation of suspected or actual fraudulent or illegal activities.
We contractually require service providers and processors to safeguard the privacy and security of personal information they process on our behalf in line with data protection obligations and authorise them to use or disclose the information only as necessary to perform services on our behalf and under our instruction or to comply with legal obligations and requirements.
On websites, features can be accessed where we partner with other entities that are not affiliated with Destined Abroad. These include social networking and geo-location tools etc. and are operated by third parties who may use or share personal information in accordance with their own privacy policies. It is recommended that you review the third parties’ privacy notice if you use the relevant features.
In the event of a sale or transfer of our business or assets (wholly or partly) Destined Abroad reserve the right to transfer your information to the acquirer. You can exercise your rights and gain clarification concerning the protection and processing of your information by the acquirer by contacting them directly.
Destined Abroad may use direct or anonymised information to engage in data analysis, data matching and profiling activities for a variety of purposes, including, but not limited to:
- Business conduct
- Investigation and identification of fraud, money laundering and other potential unauthorised
- Financial Viability analysis / reports
- Business partner / client portfolio position, performance, risk positions
- Anti-money laundering
- Tax reporting
- Credit defaulting / exposure
2.2 International Data Transfers
Some of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.Under Data Protection Law, international transfers of personal data may take place if the third country ensures an adequate level of protection, and both controller and processor, provides appropriate safeguards though means such as standard data protection clauses or binding corporate rules.
Furthermore, the legislation provide for derogation clauses allowing for the transfer to take place even where neither an adequate level of protection nor appropriate safeguards are in place.
For any transfer of personal data outside the EEA, we aim to evidence a similar degree of data protection is applied by ensuring at least one of the following safeguards is implemented:
(a) We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (Adequacy Decision).
(b) Where we use certain service providers, we may use specific contracts approved by the European Commission or by the Supervisory Authority, which give personal data the same level of protection it has in Europe (Standard Data Protection Clauses for the transfer of personal data to third countries).
(c) Where we use providers based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the USA (Privacy Shield).
(d) Where we use providers within Destined Abroad Group, we may transfer data to them under the mechanism of binding corporate rules approved by the Supervisory Authority (BCRs).
Where we are unable to rely on one of the safeguards outlined above, we will rely on the derogation under Article 49 of the GDPR (when the transfer relates to the performance of a contract and for your benefit), and you hereby allow us to do so. Where your personal data is transferred outside the EEA in these instances, controls on data protection may not be as wide as the legal requirements within the EEA.
Third parties outside the EEA that we may share you personal data with includes:
We keep your personal information in line with our Data Retention & Destruction Policy. Information is always retained in line with its purpose of processing and only for as long as necessary usually, information is kept for 7 years after last contact with you. However, this period may be extended dependent upon any legal or contractual obligations Destined Abroad may be required to comply with, as well as any overriding business legitimate interests.
2.4 Your Rights and Choices
Under Data Protection law and regulation, you have a number of rights. The applicability of these rights are dependent upon our purpose and lawful basis of processing, therefore not all of these rights may be available to you.
You can exercise your rights either verbally or in writing. However, should you make a request verbally we recommend that you follow this up in writing to provide a clear correspondence trail.
We have an obligation to respond within one month of receiving your request. Should we deem the request to be complex the response time can be extended by up to two months. Should this be required, you will be informed of the extended response date, alongside an explanation, within the original one month time frame.
Should we feel the need to verify your identity, identification will be requested within the one month time frame and only limited to what is necessary for confirmation. Once we are satisfied we will then process your request.
Should we refuse to comply with a request we will inform you of this within the one month time frame and provide an explanation outlining our justification, our internal complaints procedure and your right to complain to a supervisory authority and to enforce your rights through a judicial remedy.
2.5 Your Right of Access
You have the right to request and receive copies of the personal information we hold that directly relates to you. This right is applicable at all times; however, due to exemptions within the legislation you may not always receive all the information we process. If this is applicable an explanation will be provided to you within our response.
If you are requesting information on behalf of someone else we require you to provide proof that you are entitled to act on behalf of the data subject and will require written confirmation of this authority. If we are not satisfied you have the right to act as a delegated authority we reserve the right to refuse the request.
2.6 Your Right to Rectification
You have the right to request that inaccurate information is rectified and incomplete information completed. Please provide an overview of the information you wish to be rectified / completed. Upon receipt of your request an investigation will be undertaken and a response determining our decision will be provided to you. Please be aware that we may need to take certain steps to verify the accuracy of the new information before the change can be applied.
2.7 Your Right to Erasure
You have the right to request your personal information is deleted by us; however, this only applies in certain circumstances. To exercise this right, please provide us with an overview of the information you would like deleted and your reasoning. Upon receipt this matter will be investigated and a response determining our decision provided to you.
In certain circumstances we may be unable to physically delete your data, however, we may put in place steps to ensure the data is ‘put beyond use’, anonymised or pseudonymised and you will be notified of this.
2.8 Your Right to Restrict Processing
You have the right to request we restrict the processing of your personal information, however, this only applies in certain circumstances. To exercise this right please provide us with an overview of the information you would like restricted and your reasoning for this request. Upon receipt this matter will be investigated and our decision provided to you. Processing of your personal data will not resume without you being notified that the restriction is to be lifted.
2.9 Your Right to Object
You have the right to object to us processing your data whereby we are processing your information in the public interest or for our legitimate interests. To exercise this right, please provide us with an overview of the information you are objecting to and your reasoning for this. Upon receipt, this matter will be investigated and our decision provided to you.
You also have an absolute right to object to us using your data for direct marketing. You can exercise this right by:
- Unsubscribing via the “unsubscribe link” within the marketing e-mails you receive
from us, or
- Contacting Destined Abroad as indicated below in Section 3.
2.9.1 Cookies Policy
2.10 Your Right to Data Portability
You have the right to request us to transfer the information you have provided to us to another organisation or to you directly. This right only applies if we are processing information based on your consent or in regards to a contract and the processing is automated. Requests to exercise this right will be reviewed and a decision provided to you.
2.11 Your Right to Automated Decision Making and Profiling
If automated decision making and profiling have been used you have a right to obtain human intervention and challenge a decision made as a result of this process. Requests to exercise this right will be investigated and a decision provided to you.
2.12 Withdrawal of Consent
If we obtain your information by consent you have the right to withdraw your consent at any time. However, the right to consent removal may be limited in some circumstances by local law requirements. Should this apply you will be informed appropriately.
3. Contact Information
You can exercise your rights, raise a query or concern, report a breach or make a complaint by emailing:
4. How to Lodge a Complaint
If you remain unsatisfied with the way in which Destined Abroad have handled your data or dealt with your request / complaint you have a right to raise this with the relevant Supervisory Authority and to seek to enforce your rights through a judicial remedy.
5. How we Protect Personal Information
The security of your personal information is of the utmost importance and Destined Abroad is committed to protecting the personal data we process. We maintain administrative, technical and physical safeguards designed to protect against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. We take measures to destroy or permanently de-identify personal information if required by law or the personal information is no longer required for the purpose for which we collected it.
In addition, access to personal data is restricted only to those who have a legitimate business need and data processed by third parties is only done so under strict instruction from Destined Abroad, as per the terms of their contract.
Procedures are in place to ensure breaches, or suspected breaches, are dealt with in a timely and secure manner and applicable notification applied within the required timeframes.
6. Updating this Privacy Notice
Destined Abroad reserve the right to amend and update this Privacy Notice when required therefore it is advisable you review this notice at regular intervals.
Destined Abroad Anti Money Laundering Statement
In addition to providing you with a property related service we are obliged to comply with certain regulations, such as, the “Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (referred to as “the Regulations).”
In order to comply with these regulations, we are required to obtain certain information from you. The information provided will only be used by Destined Abroad in relation to complying with the Regulations and will not be shared with any other party outside of the companies wholly owned by Destined Abroad unless we are required to do so under law.