GDPR Compliance
Last updated: 12th January 2025
Our Commitment to GDPR
Lettings Quest is fully committed to compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We understand the importance of protecting personal data and have implemented comprehensive measures to ensure compliance.
Data Controller Information
Lettings Quest acts as a data controller for the personal data we collect from our customers (estate agents and letting agents). When processing data on behalf of our customers, we act as a data processor.
- Company: Lettings Quest
- Email: dpo@lettings.quest
- Website: lettings.quest
Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract: Processing necessary to perform our contract with you
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services and preventing fraud
- Consent: Where you have given explicit consent for specific processing activities, such as marketing communications
- Legal Obligation: Processing necessary to comply with legal requirements
Your Rights Under GDPR
As a data subject, you have the following rights:
Right to Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will respond to your request within one month.
Right to Rectification (Article 16)
You have the right to request correction of any inaccurate personal data we hold about you.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.
Right to Restrict Processing (Article 18)
You have the right to request that we limit the processing of your personal data in certain circumstances.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our AI systems are designed to assist, not replace, human decision-making.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact our Data Protection Officer:
- Email: dpo@lettings.quest
- Subject line: "GDPR Request - [Your Right]"
We will respond to your request within one month. In complex cases, this may be extended by an additional two months, and we will inform you of any such extension.
Data Security Measures
We implement appropriate technical and organisational measures to ensure the security of personal data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Regular security assessments and penetration testing
- Access controls based on the principle of least privilege
- Multi-factor authentication for system access
- Regular staff training on data protection
- Incident response procedures
- Regular backups with tested recovery procedures
International Data Transfers
Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Additional technical measures where required
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:
- Account data: Duration of account plus 6 years
- Transaction records: 7 years (legal requirement)
- Marketing preferences: Until consent is withdrawn
- Support tickets: 3 years from resolution
- Analytics data: 26 months (anonymised thereafter)
Data Processing Agreements
Where we act as a data processor on behalf of our customers, we enter into Data Processing Agreements (DPAs) that comply with Article 28 of the GDPR. Our DPAs cover:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Obligations and rights of the controller
- Sub-processor arrangements
To request a DPA, please contact legal@lettings.quest.
Sub-Processors
We use carefully selected sub-processors to help deliver our services. All sub-processors are bound by data processing agreements and are regularly assessed for compliance. A list of our sub-processors is available upon request.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay where there is a high risk
- Document the breach and our response
Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
However, we encourage you to contact us first so we can address your concerns directly.
Contact Our Data Protection Officer
For any GDPR-related queries or to exercise your rights:
- Email: dpo@lettings.quest
- Website: lettings.quest