LET BUY MARK LTD (hereinafter referred to as the “Company”) shall endeavour to comply with the applicable laws related to the General Data Protection Regulation (GDPR 2016/679) in countries where the Company operates.
This Policy sets forth the basic principles by which the Company collects, retains, transfers, discloses and disposes of the Personal Data of consumers, customers, suppliers, business partners, employees, users, visitors to the website and other individuals (hereinafter referred to as the “Data Subjects”), and indicates the responsibilities of its business departments and employees while processing personal data.
This Policy applies to the Company and any future subsidiary companies whether directly or indirectly controlled within the European Economic Area (EEA) or processing Personal Data of Data Subjects within the EEA.
The Company has no intention of transferring data outside of the EU and EEA. However, the Company ensures that in the event that any Personal Data of Data Subjects is transferred outside of the EU and EEA countries or to an international organisation, the legal regime in the third country or international organisation is deemed to provide an “adequate” level of Personal Data protection as stipulated by the European Commission or that Controller and Processor provide appropriate safeguards or the personal data is transferred under binding corporate rules or that the transfer satisfies one of the conditions under Article 49.
The Company warrants that all Personal Data of the users of its services and visitors of the website www.letbuymark.com are processed under the applicable regulations governing the protection of Personal Data (GDPR 2016/679).
Personal Data is processed only when there is a legal basis for such an act: legal obligation, contractual relationship, user consent, protection of key user interests or legitimate interest of the Company.
This data protection policy ensures Let Buy Mark Ltd:
· Protects the rights of employees, self-employed estate agents, customers and business partners and affiliates.
The following terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing Activity/ies”, “Pseudonymisation”, “Cross-Border processing of Personal Data”, “Supervisory Authority” used in this document shall have the same meaning as in the European Union’s General Data Protection Regulation:
The Company shall adhere to Article 5(2) of the GDPR which stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Personal Data must:
1. Be processed fairly and lawfully;
2. Be obtained only for specific, lawful purposes;
3. Be adequate, relevant and not excessive;
4. Be accurate and kept up to date;
5. Not be held for any longer than necessary;
6. Be protected in appropriate ways;
And the Company must:
7. Be Accountable;
8. Disclose information;
9. Not transfer Personal Data outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection;
10. Process Data in accordance with the rights of Data Subjects;
The Company shall ensure that the Personal Data in relation to Data Subjects is processed lawfully, fairly and in a transparent manner.
The Company shall collect Personal Data for specified, explicit and legitimate purposes and will not further process Personal Data in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be deemed incompatible with the initial purposes.
The Company shall keep Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. The Company shall apply anonymization or pseudonymisation to Personal Data where possible to reduce the risks to the Data Subjects.
The Company strives to keep Personal Data accurate and, where necessary, up to date. The Company shall take reasonable steps to ensure that Personal Data is accurate, having regard to the purposes for which it is processed, and any inaccurate Personal Data shall be erased or rectified without undue delay.
The Company warrants that the Personal Data will not be kept for longer than is necessary and only kept for the purposes for which it is processed. Retention periods may vary from a few months in relation to enquiries to over ten years under applicable law or court orders. The Company stores Personal Data in an electronic password-protected server and uploads Personal Data on a cloud service provider where access to download is restricted to the CEO and only limited to editing by employees and/or estate agents. The Company holds hard copy data files in relation to agreements and ensures adequate locked storage systems in the executive office.
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of Personal Data risks, the Company endeavours to use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure.
The Company shall be responsible for and be able to demonstrate compliance with the principles outlined above.
In the event that the Company uses a third-party supplier, affiliate or business partner to process Personal Data on its behalf, the Company shall ensure that this processor will provide security measures to safeguard Personal Data that is appropriate to the associated risks.
The Company shall endeavour that the supplier, affiliate or business partner is to provide the same level of data protection. The Company shall ensure that the supplier or business partner shall process Personal Data only to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes.
When the Company processes Personal Data jointly with an independent third party, the Company will explicitly specify the respective responsibilities of the Company and the third party in the relevant contract or any other legally binding document, such as the Data Processing Agreement.
The Company shall ensure that before transferring Personal Data out of the European Union (EU) and European Economic Area (EEA), adequate safeguards will be used including but not limited to the signing of a Data Transfer Agreement/Addendum, as required by the European Union. Authorisation may be obtained from the relevant Data Protection Authority where required. Furthermore, the entity receiving the Personal Data shall comply with the principles of Personal Data processing set forth in the Cross Border Data Transfer Procedure.
The Company acting as Data Controller shall provide Data Subjects with a reasonable access mechanism to enable the same to access their Personal Data. The Data Subject shall be allowed to update, rectify, erase, or transmit their Personal Data, if appropriate or as required by law.
At the time of collection or before collecting Personal Data for any kind of Processing Activities including but not limited to selling products, services, or marketing activities, the Company shall inform the Data Subjects of the following:
· the Data Subjects’ rights with respect to their Personal Data;
· the retention period including any potential international data transfers;
This information shall be provided through a Privacy Notice. All Data Subjects, regardless of the type and legal basis of processing, may file a complaint against Personal Data processing to this email address – email@example.com
Where Personal Data is being transferred to a third country, the Privacy Notice should reflect this and clearly state to where, and to which entity Personal Data is being transferred.
The Company shall ensure that whenever Personal Data is processed, such processing is carried out based on the Data Subject's consent, or other lawful grounds. The Company shall retain a record of such consent.
The Company shall provide Data Subjects with different options to provide their consent and must inform and ensure that their consent (apart from whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
Personal Data will only be processed when explicitly authorised by the Company.
It is in the Company’s remit to decide whether to perform the Data Protection Impact Assessment (DPIA) for each data processing activity following the Data Protection Impact Assessment Guidelines.
Upon request, Data Subjects have the right to have their Personal Data erased by the Company. The Company acting as a Controller will take all necessary actions (including technical measures) to inform any third-party Data Processors where applicable to comply with the request.
Data Subjects have the right to receive, upon request, a copy of the Personal Data they provided to the Company in a structured, commonly used and machine-readable format and to transmit such Data to another Controller, for free. The Company shall endeavour to ensure that such requests are processed within one month, provided that the request is not excessive and does not affect the rights of other individuals’ Personal Data.
When the Company receives requests to dispose of Personal Data records by Data Subjects, the Company shall ensure that these requests are handled within a reasonable time frame. The Company shall keep a record, including a log, of these requests.
The Company ensures that any archived Personal Data is disposed of by adequate disposal mechanisms on expiry of the retention period. Any hard copies of Personal Data that the Company might have obtained from Data Subjects shall be physically destroyed when no longer relevant. The Company shall also strive to obtain adequate disposal mechanisms to ensure no Personal Data is leaked outside of the organisation.
The Company shall maintain the accuracy, confidentiality and relevance of Personal Data based on the processing purpose. The Company shall ensure that adequate security mechanisms designed to protect Personal Data will be used to prevent Personal Data from being stolen, misused or abused, and to prevent Personal Data breaches.
The Company shall be responsible for the requirements in this section and that any present and future collection, retention, transfer, disclosure and disposal methods are compliant with relevant law, good practices and industry standards.
The Company shall ensure appropriate Personal Data processing from all its employees and all those who have access and process data on behalf of the Company.
Everyone who works for or with the Company has responsibility for ensuring that Personal Data is collected, stored and handled appropriately. Each team that handles Personal Data must ensure that it is handled and processed in line with this Policy and data protection principles.
However, these people have key areas of responsibility:
Use of Web Page: www.letbuymark.com
The Company collects information from the visitors and users of the website in order to better understand the needs of users and to improve their products and services.
The following data is collected for the above stated purposes:
While registering a user the Company shall collect the following information:
The Company may collect personal data from Data Subjects in a variety of ways, including, but not limited to, when Data Subjects visit the Company website, register on the site, make an enquiry, subscribe to the newsletter, respond to a survey, fill out a form, and in connection with other activities, services, features or resources the Company makes available on its website. Data Subjects may be asked for, as appropriate, name, email address, mailing address, phone number. Data Subjects may, however, visit the website anonymously. The Company may collect personal identification information from Data Subjects only if they voluntarily submit such information to the Company. Data Subjects can always refuse to supply personal identification information, except that it may prevent them from engaging in certain website related activities.
The Company shall provide its users with user support through an email. The data collected in this manner shall be processed exclusively for the purpose of providing user support.
The Company, in compliance with the given consent, may periodically notify Data Subjects of the new benefits of the Company. The Data Subject may always decide to decline to receive the above notifications and may cancel the service by sending an e-mail to: firstname.lastname@example.org
No Personal Data is passed on to any trusted partners and/or third parties. However, in the event Personal Data is also passed on to trusted partners and/or third parties (Data Processors/Sub-Processors) for the purpose of providing user support, information system maintenance or similar needs, the Company shall keep the Data Subjects informed and ensure that these trusted partners and/or third parties will abide by the mandatory data protection measures.
During such data transmission the Company shall take all appropriate organizational, technical and legal protection measures.
When the Company learns of a suspected or actual Personal Data breach, the Company shall perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of Data Subjects, the Company will notify the relevant Supervisory Authorities without undue delay and, when possible, within 72 hours from when it learns of such breach.
The administration department or other relevant department is responsible for auditing how well business departments implement this Policy.
Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
This Policy is intended to comply with the laws and regulations in the place of establishment and of the country in which the Company operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
Requests, complaints or inquiries relating to processing and protection of Personal Data can be sent to the e-mail address: email@example.com or by calling +356 777 999 22
In accordance with the applicable legal regulations governing the protection of Personal Data, each request/inquiry will be resolved without undue delay and at the latest within 30 days of receipt.
When you contact us and submit such requests, we will make reasonable efforts to confirm your identity and to prevent unauthorized Personal Data processing.
As the Company evolves, there may be the need to update this Policy to keep pace with changes to the website, software, services, business and Applicable Laws. The Company will, however, always maintain its commitment to respect the Data Subject's privacy. The Company ensures that it will notify the Data Subjects of any material changes to this Policy by email (the most recent email provided by the Data Subject) or post any other revisions to this Policy along with their effective date, in an easy-to-find area of the website.
This document was updated on 25th May 2018 and is effective from that date.
Contact: Mr. Mark Molnar
Company Address: 12/1, Forrest Street, St Julian’s STJ 2033, Malta