Data Protection & GDPR Policy


This policy explains how Wimbledon Park Co-operative Limited (“WPC”, “we”, “us”) collects, uses, stores and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
A GDPR policy must outline how organisations comply with data protection principles and maintain accountability, as noted in ICO guidance and standard GDPR policy structures.

This policy applies to:

  • All WPC staff, contractors and Management Committee members
  • All personal data relating to residents, applicants, visitors, suppliers, and contractors
  • All personal data processed by WPC in the course of managing the estate

WPC is a Data Controller, meaning we decide how and why personal data is processed. ICO guidance explains the role and responsibility of controllers in ensuring compliance.

We collect and process only the minimum personal data required to manage the estate and fulfil our obligations. This may include:

  • Name and contact details
  • Address and tenancy/lease information
  • Repair requests, maintenance records and relevant correspondence
  • Membership details for WPC
  • Records relating to anti-social behaviour reports or complaints
  • Emergency information voluntarily provided by vulnerable residents

We do not collect biometric data, financial card information, or any unnecessary personal data.

WPC does NOT use CCTV cameras or any form of video surveillance anywhere on the estate. The ICO identifies CCTV and video systems as specific categories of data processing requiring special compliance, but because WPC does not operate CCTV, no video, audio or surveillance data is collected or processed. If this changes in the future, a separate CCTV Privacy Notice and DPIA (Data Protection Impact Assessment) will be produced before installation.

In line with the lawful bases listed in UK GDPR guidance (consent, contract, legal obligation, vital interests, public task, legitimate interests), WPC processes data under:

  • Contract – to administer tenancy/lease obligations
  • Legal obligation – compliance with Wandsworth Borough Council requirements and housing regulations
  • Legitimate interests – running a resident-led TMO, maintaining estate safety and communication with residents
  • Consent – where required (e.g., mailing lists, optional resident support services)

We only use personal data for:

  • Carrying out repairs, maintenance and estate services
  • Communicating with residents
  • Managing membership, voting rights, and committee activities
  • Handling complaints, disputes or anti-social behaviour reports
  • Ensuring health, safety, and estate compliance

Data is not sold, shared unfairly, or used for marketing without consent.

Following ICO security guidance, WPC uses technical and organisational measures to protect data, including secure systems, access controls, password protection and locked storage.

Only authorised staff and committee members may access personal data.

We may share limited personal data only when necessary, such as with:

  • Wandsworth Borough Council
  • Approved contractors carrying out repairs or services
  • Emergency services (when required for safety)

All third-party processors must comply with UK GDPR.

WPC keeps personal data only for as long as necessary based on legal and operational requirements.
Retention periods follow ICO recommendations on purpose limitation and storage controls.

When data is no longer needed, it is securely deleted or destroyed.

Under UK GDPR, individuals have the right to:

  • Access their data
  • Correct inaccuracies
  • Request deletion (where applicable)
  • Restrict or object to processing
  • Data portability (if relevant)
  • Make a complaint

The ICO confirms that all organisations must be prepared to handle subject access requests (SARs).
Requests can be made via email, post or in person.

In line with GDPR requirements, we will:

  • Investigate any suspected breach immediately
  • Notify affected individuals where there is a risk to rights and freedoms
  • Report serious breaches to the ICO within 72 hours (if required)

The ICO provides guidance on breach management and reporting obligations.

Staff and committee members receive periodic data protection guidance to ensure compliance, consistent with best practices for GDPR governance.

WPC follows the UK GDPR principle of accountability, meaning we document decisions, policies and procedures demonstrating compliance.

Data Protection Contact:
Wimbledon Park Co-operative Limited
2 Fernwood, Albert Drive, Southfields, London SW19 6LR
Email: [email protected]
Phone: 020 8780 9980

For independent advice or complaints:
Information Commissioner’s Office (ICO) – ico.org.uk

Last updated: December 2025.