Last Updated: July 2020
1. Who are we?
H.R.A is a collective of Havering Resident Associations serving the Havering Community.
This privacy notice is to let you know how H.R.A promise to look after your personal information. This includes what you tell us about yourself, what we learn by having you as a customer, and the choices you give us about what marketing you want us to send you. This notice explains how we do this and tells you about your privacy rights and how the law protects you.
3. How the law protects you
We are only allowed to use your personal data if we have one or more of the following reasons to do so:
To fulfil a contract we have with you, or
When it is our legal duty, or
When it is in our legitimate interest (which means we have a business or commercial reason to use your information. We still have to assess your rights when relying on this reason), or
When you give us consent to
4. Types of Personal Information
We use many different kinds of personal information:
Type of personal information
Financial - Your financial position when you open a business account with us via credit reference agencies.
Contact - Where you live and how to contact you.
Transactional - Details about payments including to and from your accounts with us.
Contractual - Details about the products or services we provide to you.
Locational - Data we get about where you are, such as may come from your mobile phone or the address where you connect a computer to the internet.
Behavioural - Details about how you use our products and services.
Technical - Details on the devices and technology you use.
Communications - What we learn about you from letters, emails and conversations between us.
Usage Data - Other data about how you use our products and services.
Consents - Any permissions, consents or preferences that you give us. This includes things like how you want us to contact you.
5. Where we collect personal information from
We may collect personal information about you (or your business) from our website. We may also receive data from third parties where you have consented for your details to be given to third parties.
Data you give to us:
When you sign up for our products and services
When you talk to us on the phone
When you use our websites and mobile device apps (including when you comment on them)
In emails and letters
In customer surveys / polls
If you take part in our competitions or promotions
Data we collect:
We also collect data when you use our services. This can include the profile you create to identify yourself when you connect to our internet, mobile and telephone services. It also includes other data about how you use those services. We gather this data from devices you use to connect to those services, such as computers and mobile phones, using cookies and other internet tracking software.
Data from third parties we work with:
Credit reference agencies
Third parties you have given consent to pass your data to us
6. Who we share your personal information with
We may share your personal information with these organisations:
Regulators and other authorities, including the Police
Credit reference agencies
Debt collection agencies
Fraud prevention agencies
Any party linked with you or your business’s product or service
Companies we have a joint venture or agreement to co-operate with
Companies you consent to share your data with.
Companies with whom we run competitions
Exhibitors at events
If you are a shareholder, our Registrars
If you use direct debits, we will share your data with the Direct Debit scheme
If purchasing items from our shops, the supplier of such items
We may need to share your personal information with other organisations to provide you with the product or service you have chosen.
We may also share your personal information if the make-up of H.R.A changes in the future:
We may choose to sell, transfer, or merge parts of our business, or our assets. Or we may seek to acquire other businesses or merge with them.
During any such process, we may share your data with other parties. We’ll only do this if they agree to keep your data safe and private.
If the change to our Group happens, then other parties may use your data in the same way as set out in this notice.
Credit Reference Agencies (Business account customers only)
For business customers, we carry out credit and identity checks when you apply for an account. We may use Credit Reference Agencies (CRAs) to help us with this.
We will share your personal information with CRAs and they will give us information about you. The data we exchange can include:
Name, address and date of birth
Details of any shared credit
Financial situation and history
Public information, from sources such as the electoral register and Companies House.
We’ll use this data to:
Assess whether you or your business is able to afford to make repayments
Make sure what you’ve told us is true and correct
Help detect and prevent financial crime
Manage accounts with us
Trace and recover debts
Sending data outside of the EEA
We will only send your data outside of the European Economic Area (‘EEA’) to:
Follow your instructions.
Comply with a legal duty.
Work with our agents and advisers who we use to help run services.
If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:
Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.
Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.
If you choose not to give personal information
We may need to collect personal information by law, or under the terms of a contract we have with you.
If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services. It could mean that we cancel a product or service you have with us.
We may use your personal information to tell you about relevant products and offers. This is what we mean when we talk about ‘marketing’.
The personal information we have for you is made up of what you tell us and data we collect when you use our services, or from third parties we work with where you have consented to data being passed to us.
We can only use your personal information to send you marketing messages if we have either your consent or a ‘legitimate interest’. That is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you.
You can ask us to stop sending you marketing messages by contacting us.
If you choose to stop receiving marketing material you may still receive certain things such as invoices from us which we need to send you for contractual or other legal purposes.
8. How long we keep your personal information
We will keep your personal information for as long as you are a customer of H.R.A or you continue to use our services.
After you stop being a customer/user, we may keep your data for up to 6 years to enable us to respond to any questions or complaints and to show that we treated you fairly.
We may keep your data for longer than 6 years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.
9. What if you want us to stop using your personal information?
You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the ‘right to object’ and ‘right to erasure’, or the ‘right to be forgotten’.
There may be legal or other official reasons why we need to keep or use your data. But please tell us if you think that we should not be using it.
You can also ask us to restrict the use of your personal information if:
It is not accurate.
It has been used unlawfully but you don’t want us to delete it.
It is not relevant any more, but you want us to keep it for use in legal claims.
You have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it.
If you want to object to how we use your data, or ask us to delete it or restrict how we use it, please contact us.
If you withdraw your consent, we may not be able to provide certain products or services to you. If this is so, we will tell you.
10. Access to your information and correction
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information please see the subject access request procedure below.
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate using the contact details above.
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.
We use “cookies” to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
12. Other websites
We have no control over, and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
13. How to complain
Please let us know if you are unhappy with how we have used your personal information. You can contact us at
14. The General Data Protection Regulation
The General Data Protection Regulation (GDPR) gives individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data.
15. What is Personal Information?
Information protected under the GDPR is known as “personal data” and is defined as: – “Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Further information on what constitutes personal information and your rights under the data protection regulation and laws can be found from the Information Commissioner’s Office (ICO).
16. The Right of Access
Under GDPR, an individual has the right to obtain from the controller, confirmation as to whether personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information. Where requested, we will provide the following information: –
the purposes of the processing
the categories of personal data concerned
the recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed
if the data has been transferred to a third country or international organisation(s) (and if applicable, the appropriate safeguards used)
the envisaged period for which the personal data will be stored (or the criteria used to determine that period)
where the personal data was not collected directly from the individual, any available information as to its source
17. How To Make a Subject Access Request (SAR)?
A subject access request (SAR) is a request for access to the personal information that the Company holds about you, which we are required to provide under the GDPR.
You can make this request by sending an email to
18. What We Do When We Receive An Access Request
Subject Access Requests (SARs) are passed to the Data Protection Officer as soon as they are received, and a record of the request is made. The Data Protection Officer will use reasonable measures to verify the identity of the individual making the access request, especially where the request is made electronically.
Where we are unable to verify your details, we may contact you for further information, or ask you to provide evidence of your identity prior to actioning any request. This is to protect your information and rights.
If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act for you and again, may contact you to confirm their identity and gain your authorisation prior to actioning any request.
If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.
Once we have collated all the personal information held about you, we will send this to you in writing (or in an electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible format, using clear and plain language.
19. Fees and Timeframes
Whilst we provide the information requested without a fee, further copies requested by the individual may incur a charge to cover our administrative costs.
The Company always aims to provide the requested information at the earliest convenience, but at a maximum, 30 days from the date the request is received. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to you within 30 days and keep you informed of the delay and provide the reasons.
20. Your other rights
Under the GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reason(s).
We will rectify any errors within 30 days and inform you in writing of the correction and, where applicable, provide the details of any third party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the Information Commissioner and to seek a judicial remedy.
In certain circumstances, you may also have the right to request from the Company the erasure of personal data or to restrict the processing of personal data where it concerns your personal information, as well as the right to object to such processing. You can use the form at appendix one to make such requests.
21. Exemptions and Refusals
The GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to your subject access request or where the Company does not act upon the request, we shall inform you at the earliest convenience, or at the latest, within 30 days of receipt of the request.
Where possible, we will provide you with the reasons for not acting.
22. Submission & Lodging a Complaint
To submit your SAR, you can contact us at
If you are unsatisfied with our actions or wish to make an internal complaint please use the details above.
23. Supervisory Authority
If you remain dissatisfied with our actions, you have the right to lodge a complaint with The Information Commissioner’s Office (ICO) who can be contacted at: –
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Fax: 01625 524 510