skip to Main Content

Privacy Policy


1.Who is this Privacy Notice From?

Commerson Estate Management Ltd is based at 6 Feast Field, Horsforth, Leeds LS18 4TJ and can be contacted on tel 0330 111 2610 e mail

Commerson Estate Management Ltd is employed by Visa Properties Ltd PO Box 131, Radlett, Herts WD7 8DZ via a Management Agreement to fulfil duties as a Managing Agent for a portfolio of Retirement Properties. Your leasehold property is located within this portfolio.

As required by Data Protection Law this privacy notice gives you information from the 2 data controllers who use and access your data, namely;

  • Commerson Estate Management Ltd
  • Visa Properties Ltd

At Commerson we are fully committed to protecting your privacy and to complying with all relevant legislation.

2.Why am I being sent this notice?

You are being sent this notice because you are a leaseholder, sub tenant, contractor, member of staff or a potential member of staff (including job applicant).

This Privacy notice explains how Commerson Estate Management Ltd (on behalf of Visa Properties Ltd) will use any personal data that they collect from you or about you. It also explains how we will comply with Data Protection Law and the data that we hold about you. If you use our Website, you may also be interested in how we use cookies.

Commerson needs to collect data about you to ensure that we meet the landlord’s obligations contained and detailed within individual lease agreements. Commerson Estate Management Ltd collects data to enable services to be provided in the following areas;

These services are

  • Sale of existing properties and collection of fees
  • Approval service for new leaseholders
  • Provision and management of a House Manager Service
  • Provision of an Emergency Response Service (via a third party)
  • Provision of property maintenance and major works delivery
  • Provision of a finance and payment collection service
  • Security CCTV
  • Maintaining our database records
  • Providing advice and support and signposting services to residents
  • Provision of all aspects of a management service

3.Who is the responsible person?

The responsible person at Commerson is our Managing Director, Mr Richard Wien. Mr Wien can be contacted at 6 Feast Field, Horsforth, Leeds LS18 4TJ tel 0330 111 2610 e mail

4.What data does Commerson hold about you?

To enable Commerson to perform our obligations we hold store, process and delete the following records including;

  • Resident(Client) records (including Next of Kin & Emergency contact details)
  • Job Applicants
  • Supplier/Contractor records
  • Human Resources records
  • Financial records
  • Company performance reporting (to the Freeholder)


We obtain this data from prospective leaseholders and leaseholders, their sub tenants, next of kin, job applicants, current and former staff, and their contacts, business customers, employees, contractors and suppliers.

Specifically, we collect personal and personal sensitive information as follows

Personal data

This relates to a living individual who can be identified from the information (or from that information and any other information in the possession of Commerson). Specifically, this is;

  • Factual information
  • Expressions of opinion about the individual
  • Indication of the intentions of the Data Controller (Visa Properties Ltd contracted to Commerson Estate Management Ltd)
  • Any other person in relation to the individual concerned
  • Any data where an individual can’t be identified but may come across something later that allows identification of that individual.

This type of data that we collect about you includes;

Name, name of spouse, DOB, address (including previous address), email address, landline tel number, mobile tel number, key safe access details, Solicitors details, GP information, passport details, next of kin details with contact numbers, land registry titles, factual details about any history of disciplinary or work actions in accordance with the staff handbookprevious employment history, details of any criminal activities

Sensitive personal information/data

This attracts additional protection and is considered by the Information Commissioner’s Office (ICO) to be any data that could identify a person. This type of data is held by Commerson because it is necessary for us to fulfil our contract and because an individual has given clear consent for us to process their data for a specific purpose.

Examples of this would include personal data consisting of information such as:

  • The racial or ethnic origin of the data subject
  • Political opinions
  • Religious beliefs or other beliefs of a similar nature
  • Membership of a trade union
  • Physical or mental health or condition
  • Sexual life
  • Details of bank account, national insurance number, any ID details such as passport or driving licence, etc.

This type of data that we collect about you includes;

Bank account information, personal medical information (including prescribed medicines, registered disabled information, care plans and carer information.

Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).

5.When does Commerson obtain your data and what is our lawful basis for processing data?

Personal data

This type of data is held by Commerson because it is necessary for us to fulfil our contractual obligations under the lease. Including but not exclusive to; our obligation to approve prospective leaseholders, identify individuals, prevent fraud and contact you about the management of your property.

Personal Sensitive data

Residents consent to our use of this data via an approval process which is completed for all leaseholders prior to completion of a sale, completion of personal information forms for both Commerson and our third-party providers to enable the contractual provision of an effective Emergency call and House Manager Service. We also collect your financial data to enable effective collection of development service charges, ground rents and car park licences.

6.Our promise about your data processing and security

Specifically, the six data protection principles require that data is:

Processed lawfully, fairly and in a transparent manner in relation to individuals
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures


Commerson will, through appropriate management, and strict application of criteria and controls:

  • Ensure that there is a lawful ground for using personal data;
  • Ensure that the use of the data is fair and that will meet one of the specified conditions.
  • Only use sensitive personal data if it is necessary for Commerson to use it.
  • Only use sensitive personal data where Commerson has obtained the individual’s express consent, unless an exception applies.
  • Explain to individuals, at the time their personal data is collected, how that information will be used.
  • Only obtain and use personal data for those purposes which are known to the individual.
  • Personal data should only be used for the purpose it was given. If we need to use the data for other purposes, further consent may be needed.
  • Only keep personal data that is relevant to Commerson.
  • Where required keep personal data accurate and up to date.
  • Only keep personal data for as long as is necessary.
  • Always adhere to our Subject Access Request Procedure and be receptive to any queries, requests or complaints made by individuals in connection with their personal data.
  • Will always give an option to “opt out” when consent is needed to share personal data unless there is a statutory/contractual purpose to do so.
  • Take appropriate technical and organisational security measures to safeguard personal data.

In addition, Commerson will ensure that:

  • There is an employee with specific responsibility for Data Protection in Commerson (Commerson Managing Director, Richard Wien is Data Protection Lead)
  • Everyone managing and handling personal data understands that they are contractually (whether implied or expressly under their terms and conditions of employment) responsible for following good data protection practice
  • Everyone managing and handling personal data is appropriately trained to do so; and appropriate advice is available. Training and refresher training is a mandatory requirement for all staff every two years
  • Everyone managing and handling personal data is appropriately supervised
  • Enquiries about handling personal data are promptly and courteously dealt with
  • Methods of handling personal data are clearly described
  • An annual internal audit is to be made of the way personal data is managed by the Data Owners.
  • Methods of handling personal data are regularly assessed and evaluated
  • Performance with handling personal data is regularly assessed and evaluated.

7.Who do we share data with?

Our partners include our 24 hour emergency response centres (Astraline & Tunstall), our maintenance contractors (detailed on our Approved Contractors list), insurance company and brokers, Salaries company, Information Technology support, Financial institution, Health and Safety & HR Consultants, Accountants & Auditors, health and safety executive (reportable accidents), our appointed Surveyors.

We transfer information on an individual basis to third countries or international organisations where the resident requests this.

In the case of additional requests to share data with other professional agencies such as Adult Social Care or Safeguarding or The Department of Work and Pensions we will always obtain your specific consent prior to sharing data.

8.Using our website

The information you choose to supply to us

You may complete the form on our “Contact Us” page, submit information to the Portal, or get in touch by email, letter or telephone. In doing so you will provide us with your personal data and other relevant information: which may include age, gender, ethnicity, sexual orientation or health conditions.

Anonymised information about the use visitors make of our site

We use cookies and may use other technologies to understand how people are using our site – we cannot use this information to identify you personally.

Uses made of your personal information

Typical uses include:

  • Providing you with a service or information, such as details of one of our developments
  • Keeping our records up to date – we may add these details to our database for the purpose of providing a service or information to you
  • Processing a job application
  • Improving products or services
  • Contacting you with details of additional services in which you may be interested – subject to your right to opt out of such communication

Uses made of non-personal data

We may use non-personal data to improve our website and improve our services. In addition to cookies we may use analysis of IP addresses.

Data Protection

We comply fully with the GDPR 2018 and the Data Protection Act 1998 in dealing with your personal data. We will hold this information securely and in accordance with our Privacy and Cookie Policy.

You agree that we may share your personal data with third parties if:

  • we sell or buy any business or assets, in which case we may disclose your personal data to the seller or buyer of such business or assets
  • we need to do so to enforce or apply our website terms of use; or
  • we are legally obliged to do so

Otherwise we will not share your personal data with third parties without first obtaining your consent.


We have established appropriate procedures and systems to ensure the security of personal data we hold about you. However, information supplied to us using our “Contact Us” is sent by email and therefore it is unprotected until it reaches us. You should take care not to disclose sensitive information such as credit card details using this method.

We may use services to store data which involve processing your personal data outside the European Economic Area. We will ensure that companies selected to store the data comply with equivalent standards for data protection to those in the EU.  By submitting your personal data, you agree to this processing.


Cookies are small text files placed on your computer or other device when you visit a website. They are widely used to allow websites to function, improve the browsing experience or to gather information.

The following table sets out details of our cookie usage:

Cookie Name Purpose
Google Analytics _utma




These cookies are used to collect information about how visitors us our site. We use the information to compile reports and help us to improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information.

Click here for an overview of privacy at Google

Click here to learn about Google’s Analytics privacy policy


Portal Login ASP.NET_SessionId This cookie enables secure login by our tenants to the Portal.  The cookie is removed when the tenant logs out of the Portal and closes their browser.


By using our website, you agree to cookies being placed on your device. If you do not consent you should not use our site, delete cookies after leaving or enable your browser’s anonymous browsing setting (“Incognito” in Chrome, “InPrivate” in Internet Explorer and “Private Browsing” in Firefox and Safari).

9.Data Retention periods

We will only retain data for the period that it is required to fulfil our contractual obligations.

We retain personal data record about former residents of our properties for a period of 7 years

We retain personal sensitive data financial information relating to former residents of our properties for a period of 7 years

We retain information from unsuccessful job applicants for a period of 12 months from the date the vacancy was filled.

We delete information about contractors annually if they are not currently in use

10.Your individual Data Subject rights

These rights can be made/requested verbally to a member of staff or in writing to Richard Wien at the address on page 1. We will respond to you within 28 days from the date of the request.

Data Subject Access Request

The EU General Data Protection Regulation (referred to in the rest of this policy as “GDPR”), which becomes effective from the 25th May 2018, gives every living person (or their authorised representative) the right to apply for access to the personal data which organisations hold about them irrespective of when and how they were compiled, i.e. electronic and manual records held in a structured file, subject to certain exemptions. This is called a Data Subject Access Request.

Your Right of Rectification

If your data is inaccurate you have the right to have it corrected. If this data has been shared with another organisation you have the right to ensure that Commerson updates/corrects this record.

Your Right to be Forgotten

In the case of a Right to be forgotten request we will assess this individually accounting for the impact of this request on others. If we determine that an individual cannot be forgotten, we will ensure there are no negative impacts on the individual concerned. The exception to this will be if an offence has been committed or a person will be endangered as a result. Please be aware that in some circumstances we will retain information even if you have requested its removal. For example, we may need to keep personal data to resolve disputes or because you are currently a resident of one of our properties or a member of staff.

Your Right to restrict processing

You can restrict processing whilst a Right to be rectified or forgotten

Your right to portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability

Your Right to lodge a complaint with the ICO

The Information Commissioner’s Office is responsible for overseeing compliance e.g. investigating complaints, issuing codes of practice and guidance, maintaining a register of data protection officers. Any failure to comply with GDPR may lead to investigation by the ICO which could result in serious financial or other consequences for the company. You have the right to lodge a complaint directly with this office on or tel 0303123113

11.What will happen if a data breach occurs?

If a data breach is suspected staff will immediately

  • Notify their manager
  • Notify the Data Protection Lead

Following notification Commerson will take the following actions urgently: –

  • Implement a recovery plan, including damage limitation;
  • Assess the risks associated with the breach (carry out a privacy impact assessment);
  • Inform the appropriate people and organisations that the breach has occurred;
  • Where required report the breach to the ICO;

Review our response and update our information security

12.Changes to this Privacy Notice

A copy of this privacy notice is kept on our website and you should check this regularly if you have access to the internet. We may need to change the content of this notice to comply with any changes in Legislation or our practice. If these changes effect any of the spirit of the notice we will advise you accordingly.

Back To Top