HTS (Property and Environment) Limited

This Privacy Notice explains how HTS (Property and Environment) Limited (as the registered ‘Data Controller’) collects, uses and protects personal data that it holds.  This notice applies to all personal data collected for or on behalf of HTS by letter, email, face to face, telephone or automated.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data.  Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.

Some of your personal data is classed as “special categories of personal data” because it is the information that is considered to be more sensitive and therefore requires more protection.  This includes information that identifies your racial/ethnic origin, political opinions, religious/philosophical beliefs, sexual orientation and information regarding your physical and mental health.

HTS complies with the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (‘GDPR’) and is committed to keeping your personal data no longer than is necessary.  The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”) 2016 and the principles set out in it.

Who are we?

HTS is the Data Controller (contact details below) and decides how your personal data is processed and for what purposes.

How do we process your personal data?

We comply with our obligations under the GDPR and the principles of the DPA by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

Under the DPA, we have a legal duty to protect any personal data we collect from you. We use leading technologies and encryption software to safeguard your data, and keep strict security standards to prevent any unauthorised access to it. The Data Protection and Security Policy contains full details of HTS’ Data Protection Policy.

We will not process any data relating to a child (under 16) without the express parental/ guardian consent of the child concerned.

What is the legal basis for processing your personal data?

Depending on how we are processing your personal data will determine the legal basis for processing.  Generally, the legal bases for processing by HTS as a Local Authority Trading Company (LATC) to Harlow District Council will be:

  1. To perform a function or provide a service required by statute (Article 6(1)(e) GDPR);
  2. To comply with a legal obligation (Article 6(1)(c) GDPR);
  3. Where the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 6(1)(b) GDPR);
  4. Where disclosure is in the vital interests of yourself or another person (Article 6(1)(d) and 9(2)(c) GDPR); and
  5. With your explicit consent (Articles 6(1)(a) and 9(2)(a) GDPR).

Where the purpose for processing your personal data has changed, we will seek your consent.

In certain circumstances you will be able to withdraw your consent to processing.  Please contact the HTS Data Protection Officer on the details provided below, who will explain if your consent cannot be withdrawn.

Sharing your personal data

Depending on the purpose for which we originally obtained your personal data and the use to which it is to be put, it may be shared with other organisations. For example, personal data may be shared, where necessary, with other organisations that provide services on our behalf such as contractors carrying out repairs to Council houses. In such cases, the personal data provided is only the minimum necessary to enable them to provide services to you.

In most cases we will not disclose your personal data without your consent, however there are circumstances when your consent is not required such as the legal bases (1) – (4) above.

Where we require your consent to share or disclose your personal data, we will seek your consent.

How long do we keep your personal data?

We will only keep your personal data for as long as is necessary for the purpose for which we are processing it, unless we have a legitimate reason for keeping it.  For example, any legal requirement to keep the data for a set time period.  However, where possible we will anonymise this data so that you cannot be identified.  Where we do not need to continue to process your personal data, it will be securely destroyed.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  1. to request a copy of your personal data which we hold about you;
  2. to request that we correct any personal data if it is found to be inaccurate or out of date;
  3. to request that your personal data be erased where it is no longer necessary for us to retain such data;
  4. to withdraw your consent to the processing at any time;
  5. to request that we provide you with your personal data and where possible, to transmit that data directly to another Data Controller (where applicable) – please note this only applies where the processing is based on consent or is necessary for the performance of a contract with you, and in either case where we process the data by automated means;
  6. to request that a restriction be placed on further processing where there is a dispute in relation to the accuracy or processing of your personal data;
  7. to object to the processing of personal data (where applicable) – please note this only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics;
  8. to be informed of the processing of your personal information by:
  • automated means which results in a decision being made (without human intervention) and
  • profiling which is used for the purpose of evaluating certain characteristics about you without human intervention (for example, to predict your behaviour or interests) that have legal or similarly significant effects on you as an individual.

Where these methods of processing are used, you have the right to be informed as to how you can request human interaction and how to challenge a decision.

  1. to lodge a complaint with the Information Commissioners Office.

You can access the personal information that we hold about you (a. above) by submitting a Subject Access Request (SAR) to HTS.  This request must be in writing and clearly specify the information you require.  A SAR form [4] is available on the HTS website to assist you with submitting your request.

If you would like to make a request in regard to the processing of your personal data please contact the Data Protection Officer on the details provided below.  However, it is not always possible for requests to delete information to be fulfilled and the Data Protection Officer can provide you with more information on request.

Further information is available in our Data Protection and Security Policy.

Copies of HTS policies

You may request copies of our policies from the Data Protection Officer at the address below.

Complaints or queries

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you have any concerns, questions or comments please contact the Data Protection Officer at:

Mead Park Industrial Estate
River Way
CM20 2SE


01279 446603

If having exhausted the complaint process you are not content that your request or review has been dealt with correctly, you can appeal to the Information Commissioner’s Office to investigate the matter further by writing to:

Information Commissioner’s Office

Wycliffe House
Water Lane


1. Introduction

1.1. HTS (Property and Environment) Limited is registered with the Information Commissioner as a Data Controller (Registration No. ZA213736) – an organisation that processes personal data.  All Data Controllers have a responsibility under the Data Protection legislation and General Data Protection Regulation (GDPR) to comply with the requirements of the integrity and confidentiality principle of the GDPR. That is to ensure that the appropriate technical and organisational processes are in place to protect the personal data collected by HTS.

1.2. Article 5(1)(f) of the GDPR states that organisations which process personal data must be “Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

1.3. No organisation handling personal information can guarantee that it will never experience losses but by ensuring that standards are equivalent to, or exceed, best practice, data subjects will be reassured that all reasonable steps are taken to preserve and protect their information.

1.4. There are new mandatory reporting duties on data controllers and processors to notify the Information Commissioner’s Office (ICO) of data breaches that pose a risk to the rights or freedoms of data subjects, for example risk of identity theft.  Notification should be within 72 hours of becoming aware of the breach or potential breach, failure to notify may result in HTS being subjected to an administrative fine up to 10 million Euros or 2% of global turnover whichever is the higher.   

1.5. Only in exceptional circumstances can the notification be delayed; written justification must be provided of any delay and the possible consequences of the delay in reporting.

1.6. All data breaches must be reported to the HTS Data Protection Officer who is the named contact for the ICO.

1.7. HTS has a separate procedure for employees to follow when a data breach occurs.

2. Scope of policy

2.1. HTS is obliged under Data Protection legislation/GDPR to have a framework in place designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility which can be found in the HTS Data Breach Reporting Procedure

2.2. HTS employees will process personal data as part of their job and will adhere to the Data Protection legislation/GDPR.

3. Policy Statement

3.1. All users of personal data within HTS have a responsibility to ensure that they process personal data in accordance with the Data Protection legislation/GDPR and the six Data Protection Principles.

3.2. The Principles are that personal data must be processed with:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation, (to only hold the minimum amount of personal data to enable processing);
• accuracy;
• storage limitation (not kept for longer than necessary);
• integrity and confidentiality (that is be securely stored).

3.3. HTS will follow the data processing principles above and have the appropriate technical and organisational security measures in place to minimise the risk of breaches of personal information.

3.4. HTS will have the necessary contract provisions in place with data processors, contractors who process personal data on behalf of HTS, to ensure compliance with the data protection processing principles, and breach notification duties in the GDPR and Data Protection legislation.

3.5. Any employee or member of the public, who has a concern about processing or storage of personal information, should contact the Data Protection Officer at:

Mead Park Industrial Estate
River Way
CM20 2SE


01279 446603