Privacy Policy


Balfours LLP Privacy and Data Policy – Updated July 2023

At Balfours LLP, we are committed to protecting and respecting your privacy. It is our policy to comply fully with the General Data Protection Regulation (GDPR) that came into force in 2018 and associated legislation. This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure. We may change this Policy from time to time so please check this page occasionally to ensure that you are happy with any changes. By using our website, you are agreeing to be bound by this Policy. Any questions regarding this Policy and our privacy practices should be sent by email to


Who we are

The Data Controller is Balfours LLP. We are a firm of Chartered Surveyors and Land Agents in England and Wales, with a strong regional presence in Shropshire, Herefordshire, Mid-Wales and surrounding counties. Bryn Hill is the nominated Data Protection Officer (DPO). Our website is For Data Protection matters, we are registered with The Information Commissioner’s Office – Registration No. Z9444031.


By definition, the GDPR applies to personal data. This is any information that can directly or indirectly identify a natural person, and can be in any format. The Regulation places much stronger controls on the processing of special categories of personal data. The inclusion of genetic and biometric data is new.

Personal Data

Name, Address, Email address, Photo, IP address, Location data, Online behaviour (cookies), Profiling and analytics data, Financial information

Special Categories of Personal Data

Race, Religion, Political opinions, Trade union membership, Sexual orientation, Health information, Biometric data and Genetic data


Data Protection Principles

Personal data must be processed according to the six data protection principles:

  • Processed lawfully, fairly and transparently
  • Collected only for specific legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Must be accurate and kept up to date
  • Stored only as long as is necessary
  • Ensure appropriate security, integrity and confidentiality


Accountability and Governance

We aim to demonstrate compliance with the GDPR through:

  • The establishment of a governance structure with roles and responsibilities
  • Keeping a detailed record of all data processing operations
  • The documentation of data protection policies and procedures
  • Data protection impact assessments (DPIAs) for high-risk processing operations
  • Implementing appropriate measures to secure personal data
  • Staff training and awareness
  • Data protection at the design stage of any new process, system or technology
  • Gathering only the personal data that is necessary for a specific purpose
  • Lawful processing

The processing of personal data must have one or more lawful bases:

  • Direct consent from the individual
  • The necessity to perform a contract
  • Protecting the vital interests of the individual
  • Our legal obligations
  • Necessity for the public interest
  • Legitimate interests


Valid Consent

There are strict rules for obtaining consent:

  • Consent must be freely given, specific, informed and unambiguous
  • A request for consent must be intelligible and in clear, plain language
  • Consent can be withdrawn at any time


Privacy rights of Individuals

Individuals’ rights cover a number of important areas:

  • The right of access to personal data through subject access requests
  • The right to correct inaccurate personal data
  • The right in certain cases to have personal data erased – Please note statutory and legislative requirements may mean this is not always possible
  • The right to object
  • The right to move personal data from one service provider to another (data portability)


Data Transfers Outside the EU

The transfer of personal data outside the EU is only allowed:

  • Where the designated country provides an adequate level of data protection
  • Through model contracts or binding corporate rules
  • By complying with an approved certification mechanism, e.g. EU-US Privacy Shield


Data Security and Breach reporting

Personal data needs to be secured against unauthorised processing and against accidental loss, destruction or damage. The DPO must be advised if there has been a data breach.

All data breaches must be reported to the Data Protection Authority within 72 hours of discovery.

Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft, personal safety.


Website Use

Log files of all requests for files on this website’s web servers are maintained and analysed. Log files do not capture personal information but do capture the user’s IP address, which is automatically recognised by our web servers.

Aggregated analysis of these log files is used to monitor website usage. These analyses may be made available to our staff to allow them to measure, for example, overall popularity of the site and typical user paths through the site.

We will make no attempt to identify individual users. You should be aware, however, that access to web pages will generally create log entries in the systems of your ISP or network service provider. These entities may be in a position to identify the client computer equipment used to access a page. Such monitoring would be done by the provider of network services and is beyond our control. We will make no attempt to track or identify individual users, except where there is a reasonable suspicion that unauthorised access to systems is being attempted. In the case of all users, we reserve the right to attempt to identify and track any individual who is reasonably suspected of trying to gain unauthorised access to computer systems or resources operating as part of our web services.

As a condition of use of this site, all users must give permission for us to use its access logs to attempt to track users who are reasonably suspected of gaining, or attempting to gain, unauthorised access. All log file information collected by us is kept secure and no access to raw log files is given to any third party.

This website uses Cookies, but does not store any information that would, on its own, allow us to identify individual users of this service without their permission. Any cookies that may be used by this website are used either solely on a per session basis or to maintain user preferences. Cookies are not shared with any third parties.

We use Google Analytics to monitor traffic levels, search queries and visits to this website.

Google Analytics stores IP addresses anonymously on its servers in the US, and neither we nor Google associate your IP address with any personally identifiable information.

These cookies enable Google to determine whether you are a return visitor to the site, and to track the pages that you visit during your session. These cookies are set only after the user has given consent to us to use cookies.


The Information We Process

We collect and process personal information for the purposes of providing property services, full details of which can be found at

The personal information we collect might include your name, address, email address, telephone numbers, IP address, and more sensitive data such as your bank account details, where these are necessary for the purposes of providing our services to you.

We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. If you make a payment to us by debit/credit card, your card information is not held by us; it is collected by our third party payment processors, who specialise in the secure online capture and processing of card transactions.
Security precautions are in place to protect against the loss, misuse or alteration of your information.

When you give us personal information, we take steps to ensure that it’s treated securely.

Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site. When you are on a secure page, a lock icon will appear on either the top or the bottom of web browsers.

Non-sensitive details (your email address etc.) are transmitted normally over the Internet and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.


Recipients of Personal Information

We may pass your information to our third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf.

We may provide contractors with your name, address and telephone number for the purposes of contacting you, for example to arrange property repairs and maintenance. When we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we require them to keep your information secure, to delete it once it is no longer required and not to use it for other purposes.
We have formal contracts in place for the software systems that we use to process information, principally:

We may also process your data on other systems, as required to deliver our service to you.
We will not sell or rent your information to third parties and we will not share your information with third parties for marketing purposes.


Retention Period

We review our retention periods for personal information on a regular basis. We will hold your personal information on our systems for as long as is necessary for the relevant activity or as long as is set out in any relevant contract you hold with us.

We are required to comply with statutory obligations such as UK tax law so we will keep your personal information for a minimum of 7 years after which time it will be destroyed.

Your information that we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this. You can unsubscribe at any time via phone, email or our website.


Your Choices

You have a choice about whether or not you wish to receive information from us.
If you do not want to receive direct marketing communications from us, then you can select your choices by ticking the relevant boxes situated on the form on which we collect your information.
We will not contact you for marketing purposes unless you have given your prior consent. You can change your marketing preferences at any time by contacting us by:


Your Rights

If at any point you believe the information we process on you is incorrect, you can request to see this information and even have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact our DPO who will investigate the matter.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).