Tenant Privacy Notice

Penham Ltd is committed to protecting and processing your personal data in accordance with the General Data Protection Regulations and the Data Protection Act 2018 (the legislation). For the purpose of the legislation and your personal data, Penham Ltd is the Data Controller.

Bernard Leuvennink is the person responsible for data protection and can be contacted at Penham Ltd, Station Road, Station House, Barnes, London, SW13 0HT.

The purpose of the General Data Protection Regulations is to safeguard your personally identifiable information, or personal data.

This privacy notice will be regularly reviewed and updated.


Information held

The personal data we process may include the information below of tenants and their guarantors:

  • Name
  • Address
  • Email address
  • Telephone numbers
  • Tenant employer details
  • Tenant previous landlord/letting agent details
  • Student university and study field
  • Next of kin
  • Tenant’s children
  • Passport/UK Visa

Where the provision of data is a statutory requirement, a contractual requirement or a requirement necessary to enter into a contract, a refusal to provide the data may mean that we are unable to provide you with our service.

To ensure that we provide you with the best service possible we will need to collect and retain certain personal data. The data may be collected and processed by those listed below:

  • Penham Ltd staff
  • Landlords
  • Maras.co.uk
  • Utility providers
  • Council Tax
  • Contractors
  • Deposit Protection Service (DPS)
  • iCloud data storage and backup
  • Local Authority
  • Docusign.co.uk

How we source the data is identified below:

  • In person
  • Over the telephone
  • Email

We may source data from third parties or via third parties (e.g. credit referencing company, referees, local authority).

Lawful basis of processing

Your personal data will be used for the activities below:

  • To allow us to contact you by telephone, email or letter (unless instructed otherwise)
  • To record data on our property management system for the purposes of conducting business with you
  • To maintain contact, to allow us to keep you informed and updated with all aspects of the tenancy
  • To allow us to share some of your data with contractors for the purpose of carrying out property repairs and maintenance/annual gas checks and other legal requirements
  • To share relevant data with utility providers and Council tax to update their records
  • To share with the DPS
  • To share with Maras.co.uk for the purpose of carrying out referencing checks
  • To share with Docusign.co.uk for purposes of signing contracts and other documents

There are 6 lawful bases of processing your data including consent, a legitimate interest, contract fulfilment, a legal obligation and a vital interest. For each usage of the data the lawful basis of the processing of your data will be identified as below:

A legitimate interest is when we have a business or commercial reason to process your personal data which needs to be balanced with your interests (i.e. what is right and best for you). Where we state that we have a legitimate interest, the fact that we have a legitimate interest and what that legitimate interest is e.g. to keep in touch with you during and after the tenancy; to seek your consent when we need it to contact you; fulfilling our legal and contractual duties. Your personal data will be processed during and after your tenancy and any subsequent tenancy arranged through us.


Recipients of personal data

It will be necessary for us to process or share all or some of your personal data with a range of individuals, businesses and organisations and these may include the below:

  • Penham Ltd
  • Landlords
  • Utility providers
  • Council tax
  • Contractors
  • iCloud
  • Deposit Protection Service (DPS)
  • Maras.co.uk
  • Local Authority
  • Docusign.co.uk


Where is the data stored?

Your personal data is stored in the ways described below:

  • Paper documents filed in a secure filing system
  • Computer server situated at our office
  • iCloud data backup and storage

The data is always stored within the European Union or outside of the European Union but with an organisation operating under the General Data Protection Regulations.


Retention period and criteria used to determine the retention period

We may retain some elements of your personal data for up to 6 years after your tenancy expires. Information that can be anonymized will be anonymized when it is no longer required for either contractual fulfilment or a legitimate interest. If the lawful basis for processing your data was consent then you may withdraw consent at any time.


Your rights

You have a right of access to check your personal data to verify the lawful basis of processing. We are obliged to respond to an access request within 30 days and may not charge a fee unless the request is unfounded, excessive or repetitive. If a fee is charged it is to be a reasonable fee based upon the administrative cost of providing the information.

You have a right to rectification if the data we hold is either inaccurate or incomplete. If your data has been disclosed to third parties then we must inform them of the rectification, where possible.

You have a right to erasure of your data when consent is our basis of processing (the right to be forgotten). You may request that your personal data be erased, for example, where there is no compelling reason for its continued processing or where you withdraw consent. We will comply with your request unless we have another basis of processing justifying our retaining the data (for example a legal requirement or the defence of a legal claim).

You have some rights to ask us to restrict processing i.e. to block or suppress processing where, for example, the data may be incorrect and whilst the accuracy is verified. We are permitted to store the data.


Your right to object

You do have a right to object to further processing of your personal data. We may be required to stop processing unless there is some other legitimate basis of processing such as a legitimate interest or a requirement for the exercise or defence of a legal claim.


Withdrawal of consent

Where the lawful basis for processing is your consent, you may withdraw consent at any time by writing to Bernard Leuvennink, Penham Ltd, at Station House, Station Road, Barnes, London, SW13 0HT.


How to lodge a complaint with the supervisory authority

The supervisory authority responsible for data protection is the Information Commissioner's Office (ICO), to whom concerns may be reported by phone on 0303 123 1113 or +44 1625 545 745 if calling from outside the UK, by email using the form on the website ico.org.uk, or via the live chat function.