Privacy Policy

1. Who We Are

Graham Bartholomew Limited is a UK-based residential block management and surveying company. We act as managing agents for residential freeholders, Residents’ Management Companies (RMCs), Right to Manage Companies (RTMs), and other property-owning entities.

For the purposes of UK data protection law, we act as either:

  • A Data Controller, where we determine how and why personal data is processed; or
  • A Data Processor, where we process personal data on behalf of our client freeholders or management companies.

If you have any questions about this policy, please contact us at:

managing.director@bartholomews.com

15 Penrhyn Road, Kingston upon Thames KT1 2BZ

2. The Personal Data We Collect

We may collect and process the following types of personal data:

  • Names, addresses and property details
  • Email addresses and telephone numbers
  • Leaseholder and tenant contact information
  • Service charge account information
  • Payment and arrears records
  • Bank details (where required for refunds or mandates)
  • Correspondence and complaint records
  • Maintenance and repair history linked to individual properties
  • CCTV or building access data (where applicable and controlled by our client)

We do not intentionally collect special category data unless it is voluntarily provided (for example, vulnerability information relating to accessibility or disability adjustments).

3. How We Use Personal Data

We use personal data to:

  • Manage residential properties, blocks and estates
  • Administer service charges and accounting functions
  • Arrange maintenance and repairs
  • Comply with legal and regulatory obligations
  • Communicate with leaseholders, tenants and directors
  • Recover arrears and manage debt
  • Maintain health and safety records
  • Respond to enquiries and complaints

We only process personal data where we have a lawful basis to do so.

4. Lawful Bases for Processing

Under UK GDPR, we rely on one or more of the following lawful bases:

  • Performance of a contract (e.g. managing a building under a management agreement)
  • Legal obligation (e.g. accounting and statutory compliance requirements)
  • Legitimate interests (e.g. effective property management and communication)
  • Consent, where required (e.g. marketing communications)

Where we act as Data Processor, we process personal data strictly on the documented instructions of our client.

5. Sharing of Personal Data

We may share personal data with:

  • Freeholders, RMC or RTM directors
  • Contractors and maintenance providers
  • Accountants, auditors and professional advisers
  • Insurers and brokers
  • Debt recovery agents or solicitors
  • Software providers and IT support companies
  • Regulatory or governmental bodies where required

All third parties are required to process personal data securely and lawfully.

6. International Transfers and Overseas Service Providers

We may engage carefully selected third-party service providers located inside and outside the United Kingdom to assist us in delivering property management, financial administration, and related back-office services.

In certain circumstances, personal data may be accessed or processed by service providers located outside the UK, including jurisdictions that do not benefit from an adequacy decision under UK GDPR.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, which may include:

  • Entering into the UK International Data Transfer Agreement (IDTA)
  • Conducting transfer risk assessments
  • Imposing contractual confidentiality obligations
  • Implementing appropriate technical and organisational security measures
  • Restricting access strictly to data necessary for the contracted services

Overseas service providers:

  • Act only on our written instructions
  • Are not permitted to use personal data for their own purposes
  • Do not exercise autonomous decision-making authority
  • Are not permitted to hold client money, operate bank accounts, or control financial transactions

We remain responsible for ensuring that personal data is processed securely and in accordance with UK data protection law.

7. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Secure IT systems and access controls
  • Role-based permissions
  • Encrypted communications where appropriate
  • Multi-factor authentication
  • Access logging and monitoring
  • Staff confidentiality obligations

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

  • Compliance with legal, accounting and regulatory obligations
  • Limitation periods for contractual and property-related claims
  • Ongoing building management requirements

Typical retention periods range from 6 to 15 years depending on the nature of the record.

9. Your Rights

Under UK GDPR, individuals have the right to:

  • Access their personal data
  • Request correction of inaccurate data
  • Request erasure (in certain circumstances)
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent (where applicable)

Requests should be made in writing to info@bartholomews.com

10. Complaints

If you are dissatisfied with how we handle your personal data, you may contact us directly. You also have the right to complain to the Information Commissioner’s Office (ICO):

www.ico.org.uk

11. Updates to This Policy

We may update this Privacy Policy from time to time. The most recent version will always be available on our website.