1. Introduction

Arax Properties Ltd (Arax) is totally committed to protecting an individual Data Subject’s Personal Data and its fair and transparent processing. This Privacy Notice describes how Arax will collect, use and protect an individual Data Subject’s Personal Data and help them understand these processes relating to Personal Data from:

  • Clients
  • Suppliers
  • Business contacts
  • Employees
  • Third party sources
  • Special categories of Personal Data
  • Cookies

This Privacy Notice applies to all products and services supplied by Arax, including this web site.

Arax will only use Personal Data collected by any means for the purposes defined in this Privacy Notice or as defined at the point of collection.

2. Who we are

Arax Properties Ltd is a limited liability company registered in England and Wales with company number 05686995, whose registered office is at Carrington House, 126-130 Regent St., London W1B 5SE.

Arax Properties Ltd is registered as a data controller with the UK Supervisory Authority (The Information Commissioner’s Office (ICO)) with the registration number ZA 701204. This means that Arax is responsible for deciding how they hold and use an individual Data Subject’s Personal Data. Arax is required under Data Protection Legislation to provide individual Data Subjects with this Privacy Notice.

Arax is not responsible for the privacy practices of any other organisation that may be linked to Arax’s website.

3. Our lawful basis for processing

Arax relies on the following lawful bases of processing when Personal Data is collected and used to manage Arax’s business and provide products and services to clients or manage employees. These include:

  • Consent – where an individual Data Subject has freely given consent for the processing of their Personal Data for one or more specific purposes;
  • Contract – in order to perform contractual obligations Arax may have with an individual Data Subject or to take steps to enter into a contract with one;
  • Legal obligations – in order to comply with any relevant legal or regulatory obligations Arax is subject to, as a provider of products and services as a commercial enterprise;
  • Legitimate interests – the legitimate interests can be Arax’s, its clients’ or other third parties’, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual.

4. Personal Data Processed by Arax

4.1. Information processed about clients

Arax will only process Personal Data relating to clients (and their clients, suppliers and other relevant third parties) where necessary to perform either the services required or other specific business purposes.

Arax relies on its clients to ensure that the individual Data Subjects are advised of the use of their data in the provision of Arax products and services.

Arax processes many categories of Personal Data relating to individual Data Subjects which may include personal identification data, contact details and other Personal Data required for the provision of Arax’s products and services.

Typically, Arax obtains Personal Data directly from their clients or third parties acting on their behalf for the following purposes:

  • Provision of Arax products and services to clients;
  • Managing Arax’s business;
  • Application of security management systems to protect client Personal Data whilst in Arax’s care and for quality management purposes of delivered products and services;
  • Provision of information to clients, or prospective clients for marketing and advertising purposes relating to products and services that Arax provides to its clients, either directly or in association with selected third-party partners;
  • Complying with legislative or regulatory requirements.

4.2. Information processed about suppliers

Arax will only process Personal Data relating to suppliers (including subcontractors) where necessary for Arax to receive products and services from them to provide to Arax clients or to manage the supplier relationship.

Typically, Arax obtains Personal Data directly from their suppliers or third parties as part of the supplier onboarding due diligence process for the following purposes:

  • Providing professional services to assist in delivery of Arax products and services to their clients;
  • Managing supplier relationships;
  • Application of third-party security management systems to protect client Personal Data whilst in Arax’s care and for quality management purposes of delivered products and services;
  • Provision of information to clients or prospective clients for marketing and advertising purposes relating to products and services that Arax provides to its clients, either directly or in association with selected third-party partners;
  • Complying with legislative or regulatory requirements.

4.3. Information processed about business contacts

Using the Arax customer relationship management (CRM) system, details and Personal Data about existing clients, prospective clients and past clients are processed.

Typically, this will include, but not be limited to, name, employer identity, job title and business contact details. This comes from individuals themselves or public sources such as public registers, social media, professional networking sites, news articles and internet searches and is used for the following purposes:

  • Developing, managing and administering Arax’s business;
  • Provision of information to clients or prospective clients for marketing and advertising purposes relating to products and services that Arax provides to its clients, either directly or in association with selected third-party partners, including invitations to Arax hosted events;
  • Identification of clients or prospective clients that may need Arax products and services;
  • Producing management information relating to clients or prospective clients and products and services that Arax may supply to them. This may use automated tools for the analysis and production of this management information.

4.4. Information processed about employees

Details about Arax’s employees will be processed for the lifecycle of Human Resources functions whilst the employee is employed by Arax, and afterwards, according to legislative and contractual obligations. Full details are in the relevant employment agreement.

4.5. Information received from Third Party sources

Arax will access publicly available third-party sources for Personal Data for both Human Resources matters (e.g., screening) and onboarding clients and suppliers to verify facts or identify risks relating to the provision of products and services to clients or the receipt of products and services from suppliers. Where Arax collects personal data from a third party, we undertake to advise the data subject of this within a reasonable period after obtaining it, but at the latest within a month of obtaining it or the time of the first communication with the data subject. Where this personal data is to be shared with another recipient, the data subject will be advised, at the latest, when the personal data is to be disclosed.

4.6. Special categories of Personal Data

Sensitive Personal Data may be obtained for Human Resources purposes and explicit consent from the individual will be obtained for this processing. For products and services delivered to clients (or from suppliers), Arax has no requirement to obtain this information. If it is provided, then Arax relies on clients and suppliers to have gained explicit consent for Arax to process this Personal Data.

5. How Arax collects Personal Data

Arax receives an individual Data Subject’s Personal Data:

  • Direct from the individual Data Subject (by phone, email, post, or any other electronic means);
  • As part of a contract to supply products and services;
  • Publicly available sources;
  • Business partners.

In each case, the collection and processing is covered by a lawful basis for processing that Personal Data.

6. Consequences of not providing some types of Personal Data

If certain information is not provided to Arax, when requested, this may affect Arax’s ability to provide the products and services required to meet contractual obligations or to comply with legal and regulatory obligations and requirements.

7. Automated decisions

Arax may use Personal Data provided to undertake automated online identity and background checks for ‘Know your Customer’ (KYC) or ‘Know your Customer’s Business’ (KYCB) purposes and for the purposes of relevant checks in the detection, prevention and investigation of illegal or prohibited criminal activities such as Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF), as required by law.

8. Security of Personal Data in Arax’s care

Arax regards the security of a Data Subject’s Personal Data as critical to their business processes. Arax has implemented risk based technical and organisational security measures which include physical and technical security safeguards and a governance model that ensures that adequate policies, procedures and controls are in place, are working and are effective.

Arax has outsourced its IT Services to a third party that holds a certificate or registration of ISO / IEC 27001 for information security that provides third party assurance that appropriate organisational and technical security measures are in place to protect the rights and freedoms of the Data Subject.

If an individual Data Subject requires details of these measures, they should contact the DPO as below.

9. Data Retention

Arax will retain Personal Data only for as long as necessary based on the following:

  • the products and services being provided to the client by Arax for which it is being processed;
  • any legal, regulatory or contractual requirements.

Arax regularly reviews records to ensure that an individual Data Subject’s Personal Data is only retained for as long as is necessary for the legal basis of processing and the purposes defined in this Privacy Notice.

Where retention periods have expired, Personal Data shall either be returned to the individual Data Subject (or the supplier or client) or be securely deleted, as agreed.

10. Sharing Personal Data

Arax will only share an individual Data Subject’s Personal Data with third parties where absolutely necessary for the purposes for which it is held and where appropriate contractual arrangements and security mechanisms are in place.

Personal Data may be transferred to:

  • Third parties that the client has authorised Arax to share it with;
  • Third parties to meet legislative, regulatory or contractual obligations and requirements;
  • Third party suppliers who process an individual Data Subject’s Personal Data for the provision of products and services to Arax to meet client requirements as a Processor;
  • Professional Advisors where Arax is required by law, or as reasonably required, so to do for business management purposes;
  • Law enforcement or other government and regulatory agencies or other third parties, where Arax is required to do so by applicable legislation, courts of competent jurisdiction or any applicable legal or regulatory authority where this can be processed in a lawful manner, or where in Arax’s opinion such disclosure is necessary to comply with or support an investigation or to protect Arax’s valid business rights and interests.

11. Transfers outside the UK

Arax stores all business-related individual Data Subject’s Personal Data in the UK on on-premises devices. Where cloud storage is used, this is based in the UK or the European Economic Area (EEA).

There is an ‘Adequacy’ decision that permits flow of information from the UK to the EEA. For transfers to other countries without an Adequacy decision, standard contractual clauses (SCCs) are used to protect the rights and freedoms of the individual Data Subject.

12. Data Subject’s Rights

Individual Data Subjects have a number of rights that they can exercise, and Arax is legally required to address them and respond to them appropriately within the prescribed time limits as defined by legislation. The length of time taken to comply with Data Subject’s rights requests will depend on the nature and extent of the request to exercise those rights.

These rights include to:

  • be informed – about how Arax obtains and uses an individual Data Subject’s Personal Data
  • access – obtain a copy of the Personal Data that Arax holds about the individual Data Subject
  • rectification – to have Personal Data rectified or completed if it is inaccurate or incomplete
  • withdraw consent – where Arax processes Personal Data based on consent, individual Data Subjects have the right to withdraw consent at any time. This must be as easy as the process of giving consent
  • erasure (right to be forgotten) – in certain circumstances, an individual Data Subject can request Arax to erase or delete an individual’s Personal Data
  • data portability – individual Data Subjects can request their Personal Data to be sent to the Data Subject or a third party in a structured, commonly used and machine readable format where technically feasible
  • automated decision making – where Arax makes automated decisions, or undertakes profiling, about the Data Subject, they can request those decisions to be reviewed by a human
  • restrict or object to our processing – individual Data Subjects can request restriction of, or objection to, Arax’s processing of their Personal Data (e.g., removal from a marketing subscription list after removal of consent).

To exercise these rights, contact the Arax Data Protection Officer as below.

In addition, an individual Data Subject has the right to make a complaint to Arax about any aspect of Arax’s processing of their Personal Data.

If the individual Data Subject remains dissatisfied with Arax’s response, they can make a complaint about how Arax processes their Personal Data to the Information Commissioner’s Office (ICO) who is the UK Supervisory Authority and an independent regulator to:

Monday to Friday, 09:00 to 16:30

Alternatively, it is possible to have a ‘Live Chat’ via the ICO’s website, https://ico.org.uk/make-a-complaint/

13. Contacting Arax

Arax has appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice.

Any questions about this Privacy Notice or how Arax handles an individual Data Subject’s Personal Data should be addressed to the DPO at dpo@araxproperties.com.

14. Changes to this Privacy Notice

Arax reserves the right to update this Privacy Notice at any time and will provide a new Privacy Notice when substantial updates are implemented. This will be updated on the Arax website, but individual Data Subjects may request this in hard copy from the Arax DPO, as above.

15. Cookies

Arax does not use cookies on its website or collect Personal Data from it.