GDPR Policy

The Association of Property & Fixed Charge Receivers (Nara) acknowledges its responsibilities to protect personal data and to comply with the requirements of the General Data Protection Rules, and more specifically the Data Protection Act 1998. This policy document sets out the manner in which Nara will comply with those rules in relation to acquiring, storing and using such data.

Nara is a trade association. Its purpose is to represent the interests of its members, to lobby to the benefit of its members, to train practitioners both for relevant technical examinations and for CPD purposes; to assist its membership on technical matters, to publish technical guidance and to liaise with other associated professional and trade bodies, together with any corporate (or similar) body or individual with an interest in the field of fixed charge receivership for the betterment of the membership and the understanding of their work and discipline.

Nara is specifically empowered by virtue of formal agreement to share membership data with members’ own regulators and with the monitoring scheme(s) to which Nara members individually subscribe. A written data sharing agreement exists between those regulatory, trade and monitoring bodies.

Nara acknowledges the necessity of compliance with the eight data protection principles:

1. Personal data must be processed fairly and lawfully.
2. Personal data shall be obtained for one or more specified and lawful purposes and shall not be processed in any manner incompatible with such purpose(s)
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is collected and processed.
4. Personal data shall be adequate and, where necessary, kept up to date.
5. Personal data shall not be kept for any longer than is relevant and necessary.
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1988.
7. Appropriate technical and organisational measure should be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data should not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of that subject in relation to the processing of personal data.

We will achieve compliance by:

1. Ensuring we comply with the eight principles set out above.
2. Meeting our legal obligations as laid down in the Data Protection Act 1998.
3. Ensuring data collected is used fairly and lawfully.
4. Processing data only to meet operational needs or fulfil legal obligations.
5. Seeking to ensure that all data is up to date and accurate.
6. Retaining data for no more than five years after a member leaves the association.
7. Ensuring that data subjects’ rights can be appropriately exercised.
8. Providing adequate security measure to protect personal data.
9. Ensuring that a nominated officer is responsible for data protection compliance and providing a point of contact for all data protection issues.
10. Ensuring that all staff are made aware of good practice in data protection.
11. Ensuring adequate training for all staff responsible for personal data.
12. Ensuring that those handling personal data know where to find further guidance.
13. Ensuring any queries, whether internal or external, are dealt with promptly.
14. Regularly reviewing the data protection procedures within the association.

 
To underpin our compliance, we will:

1. Appoint a Data Controller. This will be the CEO.
2. Appoint a Data Processor. This will be the Association’s senior administrator.
3. Process data only in relation to:
   1. The individual whose consent has been received;
   2. Where it is necessary to fulfil a contract with that individual;
   3. Where it is necessary to comply with the law;
   4. Where it is necessary to comply with professional or regulatory body regulation; registration or technical monitoring (see a. and Intro Para 1 above);
   5. Where it is necessary as it affects someone’s life;
   6. Where it is necessary for the Association to perform a task in the Public Interest or an official function;
   7. Where it is otherwise necessary for the Association’s legitimate interests or those legitimate interest of a third party.
   8. Hold all personal data in a secure electronic medium and to which access is controlled by passwords.
   9. Destroy all personal data within five years of the cessation of membership, or upon the request of the subject if earlier.
   10. Add personal information to our mailing lists only where either a) the consent of the subject has been received or b) where the information has been given to us by a member of the Association and who shall confirm that they have the consent of the subject to that effect.
   11. Use personal data only for the purposes set out above namely that of the Trade Association.
   12. Not share data with any third parties, other than as specifically set out above.