LXi REIT plc (the ‘Company’)
Data Protection Policy
This document is authorised by the Board of the Company and is reviewed by the Board at least annually.
This Policy also applies to any subsidiaries held directly and indirectly by the Company, which operate and are incorporated in the UK.
In this Policy, the terms:
"Data Protection Laws" mean all applicable laws from time to time relating to the processing of personal data and/or privacy, including, when, and to the extent in force, (a) the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), (b) the Privacy and Electronic Communications Regulations 2003 and (c) any legislation that in respect of the United Kingdom, replaces the GDPR as a consequence of the United Kingdom leaving the European Union; and"controller", "processor", "data subject", "personal data" and "processing" shall have the meanings ascribed to them in the Data Protection Laws.The document sets out the Company’s obligations under the Data Protection Laws and explains how the Company meets these obligations.
Data collected and processed lawfully, fairly and transparently
Data must be collected and processed for a lawful purpose. In the case of the data held by the Company, that purpose will either be that there is a legal requirement to hold the data or that it is necessary for the purposes of a contract between the Company and the data subject. Normally, a company collecting personal data is obliged to tell the data subject that the data are being collected, the reasons for collecting them and the data subject’s rights in respect of those data. However, this does not apply where the data are collected for the purposes of a statutory register which the company is required to maintain and make available to the public.
As a result, in the case of data held on the registers of directors and shareholders, the Company is not obliged to provide information to the relevant data subjects. However, for other data this information must be provided. The Company places reliance upon its data processors to carry this out.
The Company maintains a record of the types of personal data held and the basis on which it is held.
Specific purpose and minimum data
The Company only collects and processes personal data that it is required to collect and process by law or that it needs in connection with its contracts with directors. The Company does not collect or process any other personal data. If the Company’s investment managers or other service providers use data relating to shareholders for other purposes (eg marketing), they become the data controllers for that data and are responsible for ensuring compliance with GDPR.
Accuracy of data
The Company aims to ensure that all personal data for which it is responsible is accurate and up to date. For this purpose, it obtains confirmations from its data processors that there are processes in place to ensure accuracy of the data held by them.
All personal data held by the Company is subject to minimum retention periods laid down by law. Personal data is not retained beyond these statutory periods and the Company obtains confirmations from its data processors that this is the case.
The Company places reliance upon its data processors to ensure security of personal data held by them on its behalf. It obtains confirmations from its data processors that data security arrangements are adequate.
Under GDPR, any breaches of data security must be reported to the Information Commissioner’s Office within 72 hours and to the relevant data subjects if there is a high risk to their rights and freedoms. The Company places reliance upon its data processors to report any breaches of data security. It obtains confirmations from its data processors that their reporting procedures are adequate.
Staff involved in the collection and processing of personal data needs training in their responsibilities under GDPR. Data processors are responsible for the training of their own staff.
Transfer outside the EU
Under GDPR transfer of personal data outside the EU is illegal unless the European Commission has decided that the relevant jurisdiction provides equivalent protection or certain other conditions are met. Such transfers include the transfer of data by data processors to servers under their control but based outside the EU. The Company’s agreements with its data processors contain provisions restricting the transfer of personal data outside the EU, unless the Company has expressed its consent.
The Company places reliance upon its data processors to ensure that data are processed in accordance with the principles established by GDPR. It also places reliance upon them to ensure that adequate records are kept and that systems exist for reporting data breaches and responding to data access requests.
The Company has entered into agreements with each of its data processors designed to ensure that the data held by them on behalf of the Company are dealt with correctly.
The Company maintains records of all decisions made relating to data protection including all reports produced by data processors.