Privacy statement for customers

Data protection legislation gives individuals the right to be informed about how organisations use their personal data.

We are committed to protecting and respecting your privacy. We think it’s extremely important to keep any personal information we have about you secure and confidential.

We process the personal data that we collect for a number of different purposes. This privacy statement gives a general overview of how we use personal data.



This privacy statement may change from time to time, so we suggest you check it before you request a new service or meet with GreenSquare, to make sure you are kept up to date. If we make any significant changes affecting how we use your personal information, we will make changes to this privacy statement, and we will contact you to inform you of these changes.


Who we are

GreenSquare Group is a Data Controller. Our head office is located at Methuen Park, Chippenham, Wiltshire, SN14 0GU.

We are a Registered Social Landlord (RSL) regulated by the Homes and Communities Agency (HCA). Our normal activities can be summarised as:

  • providing social and other types of housing
  • providing support services
  • property and grounds maintenance and repair
  • managing your housing, tenancy/lease and account as your landlord

We also provide additional optional services including:

  • organising and assisting community events
  • providing welfare, benefits and debt advice
  • adaptations made to the properties we manage
  • selling properties

Where we refer to ‘we’ or ‘us’ in this privacy statement, we are referring to GreenSquare Group (GreenSquare). GreenSquare are a 'Group' of companies, including holding and subsidiary companies.

GreenSquare Group companies – ICO registrations

GreenSquare Group company ICO reference
GreenSquare Group Limited (Parent) ZA225832
GreenSquare Community Housing ZA094918
GreenSquare Construction Limited Z3140835
GreenSquare Estates Limited ZA094904
GreenSquare Homes Limited Z8805001
GS Energy Services Limited ZA062570
Westlea Housing Association Limited Z6710635

Back to the top

What is personal information?

Personal information is information relating to an identified or identifiable natural living person. An identifiable natural person is one who can be identified, directly or indirectly, by name and address, or by other details such as an identification number, location data or an online identifier.

In other words, it’s information that is clearly about a particular living person.

Back to the top

Who we collect personal information about

We may collect personal information about:

  • people who occupy one of our properties
  • people who visit our websites or complete forms on our websites
  • people who receive other services from us
  • relatives or other individuals who interact with those receiving our services
  • people who contact us with a query or complaint
  • people who make comments about the services we provide or actions we take
  • people who have been referred to us from other organisations
  • people who visit the organisation or who are recorded on CCTV on our premises
  • our suppliers and providers or their employees

Back to the top

The types of information we collect and use

The information we collect about individuals can include:

  • name and contact details
  • personal and family details
  • identifiers, such as National Insurance Numbers or NHS numbers
  • lifestyle and social circumstances
  • financial information
  • employment and educational details
  • housing or social care needs
  • visual images, such as photographs or CCTV recordings
  • date of a visit to our premises or a property and arrival time and departure time
  • licenses or permits held
  • business activities

We may also collect what is known as special categories of information. These include:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic and biometric data
  • mental or physical health details
  • sex life

We also collect equalities data to fulfil our equalities and monitoring obligations.

In some instances, we will also collect personal data relating to criminal convictions or offences.

Back to the top

We collect and process your personal information to provide you with our services, such as related to your tenancy, lease or support. The word ‘process’ covers most things that can be done with personal information, including collection, storage, use and destruction of data.

Our lawful basis for processing your information are defined in the GDPR as:

Legal obligations

As an employer and landlord, we are required to collect information to ensure we meet requirements placed on us in law. For example, we owe a duty of care to visitors to our premises under the Health and Safety Act.

Contractual obligations

In some cases, we collect information through a contractual agreement with an individual. For example, under a tenancy agreement when someone occupies one of our properties, we will collect information relevant to fulfilling our contractual obligations


When you contact us about accessing a service or with an issue you wish us to look into it is reasonable for us to take that contact as your consent to process and use your personal information for that purpose.

When there isn’t a legal reason or overriding interest for sharing your personal information, we will seek your consent if we want to share your personal data with a third party.

We will collect your consent when we want to add your name to a mailing list.

Legitimate interests

We also process personal information to pursue our legitimate interests. This means helping us to do our job as a housing provider, for example making sure our properties are let to appropriate people or reducing the risk of damage to our properties.

To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we will share with them (only when specifically requested) records of staff, customers and visitors who come onto our premises or when a visit has been made to a property. This is in the interests of the individual, the organisation, and the public health efforts to tackle Covid-19, to identify people who may have been exposed to the coronavirus for the purpose of contact tracing. You can ‘opt out’ of this by notifying us during a booking to carry out a service that may require close contact. Read our track and trace informing notice here.

Some of our services are provided by other organisations on our behalf. In these cases, we usually disclose personal data to them either under contract or because our powers or duties require us to do so. These providers also have to meet data protection requirements.

Public task

Where we process information on behalf of a public body, where the processing is necessary to perform a task in the public interest or for official functions.

Social protection

Where we ask for data concerning your health, and this is relevant to your housing needs, the condition for processing is that this is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller (us) or of the data subject (you) in the field social protection law”.

Providing us with special categories of data can help us deliver our services when providing accommodation for disabled people (including adaptations), people with substance abuse problems or when helping someone to access care services.

Back to the top

Examples of how we use your information

As we provide a range of services, there are many different purposes we could use personal data for; however, we will only ever use the information you provide us for specific purposes, which we will make clear to you when the data is collected.

These purposes could include:

  • meeting your housing management needs and requirements including (but not limited to) repairs, maintenance, relocation or exchange and routine inspection
  • providing additional services, where available, at your request including skills training, adaptations and everyday support services
  • promoting the services we provide and telling you about changes to GreenSquare and our services
  • keeping in touch with our customers, understanding your needs and preferences, carrying out surveys, inviting you to events, and offering and booking appointments with you
  • answering your queries and requests
  • crime prevention and prosecution offenders including the use of CCTV
  • corporate administration and all activities we are required to carry out as a data controller
  • managing payments from you to your or on your account, and for accounting purposes

Back to the top

Who we may share your information with

We sometimes need to share information with other organisations, where it’s relevant. Where this is necessary we are required to comply with all aspects of data protection law.

Who we share your personal information with depends on the products and services we provide to you and the purposes for which we use your personal information. For most products and services we will share your personal information with our own service providers such as our IT suppliers, with credit reference agencies and fraud prevention agencies.

We may share personal information with organisations that are within the GreenSquare group of companies (see Who we are).

Who else we may pass your information to may include:

  • customers (for example, we would share the personal information about a taxi driver with the relevant service users)
  • family, associates or representatives of the person whose personal data we are processing
  • current past and prospective employers
  • healthcare, social and welfare organisations and professionals
  • providers of goods and services including companies that assist us in mailing out our letters, leaflets and newsletters
  • training providers
  • IT providers
  • housing contractors and contractors who handle our out of hours call service
  • financial organisations
  • debt collection and tracing agencies
  • local and central government and local councils
  • ombudsman and regulatory authorities
  • professional advisers and consultants
  • legal representatives, defence solicitors, courts and tribunals
  • trade unions
  • credit reference agencies
  • utility companies
  • survey and research organisations
  • police forces, tax collection agencies and customs and excise
  • housing associations and landlords
  • voluntary and charitable organisations
  • regulatory bodies
  • courts, prisons and safeguarding boards
  • the disclosure and barring service (DBS)

Personal data may be shared with regulatory and statutory bodies and where required by law, such as to prevent and detect crime or fraudulent activity.

Personal data may be shared within councils to check the accuracy of your contact details to ensure our records are accurate and up to date and also to ensure that officers are aware of your circumstances and other services you are receiving when visiting or supporting you.

Back to the top

How long we keep your information for

We keep personal data for different lengths of time depending on the purposes for which it was collected. Sometimes the law will specify how long we have to hold personal data for. We base our retention periods on guidance issued by the National Housing Federation. View our data retention schedule.

Back to the top

European transfers

A large majority of the personal data that we collect is held within the United Kingdom and European Economic Area (EEA). Data protection law allows GreenSquare to hold personal data if it is inside the EEA. The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.

In very rare circumstances some of the personal data we collect may be stored overseas; however, if data is held outside the EEA then we can do so if we have ensured that there is suitable protection in place.

Back to the top

Telephone calls

Phone calls to and from our main telephone numbers may be recorded for training and monitoring purposes. We may do this to check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service. Calls are not recorded when you give us card details to make a payment for your rent or another service.

Back to the top


We have closed-circuit television (CCTV) at all our office locations. We operate CCTV only for the security of our staff, visitors and premises and we have signs which clearly show it is in operation. We keep the images for 30 days, after which we delete them.

Back to the top

Our security measures

Technical and physical security measures

GreenSquare protects the privacy and security of all data that we control and process. This protection includes:

  • Baseline security recruitment checks
  • Controlled staff pass access to buildings and systems
  • Servers based within the United Kingdom
  • Network security measures, including regular patching and updating of systems to maintain the security and integrity

Policies and procedures

GreenSquare also ensures that its policies and procedures reflect good practice for data protection and that staff are aware of these. This includes:

  • the Data Protection Policy, Data Protection Procedures Policy, Clear Desk Policy and ICT Security Policy
  • online data protection training for all new staff – completion is monitored and recorded electronically
  • a procedure for reporting and dealing with suspected breaches of data protection
  • limiting employee access to sensitive information
  • protecting against unauthorised access to customer data by using data encryption, authentication and virus detection technology
  • requiring service providers with whom we do business to comply with relevant data privacy legal and regulatory requirements
  • conducting background checks on employees and providing data privacy training to our team members
  • continually assessing our data privacy, information management and data security practices

Back to the top

Your rights

Data protection law gives you a number of rights over your personal data. Not all of these rights are automatic, and some may not be available to you at all times. For instance, where there is a legal obligation for us to withhold or retain data. If GreenSquare refuses to oblige your rights, we will always explain why this is and our reasons for doing so.

To protect the confidentiality and integrity of the personal data we hold, we may ask for proof of your identity before proceeding with any rights that you wish to use, if we are not already satisfied with your identity. If you have authorised a third party to act on your behalf we will also ask them to prove in writing that they have your permission to act.

GreenSquare is required by the law to respond to your requests within one month of receipt of the request. We may extend that period by a further two months where necessary, for example when the request is complex. If we need to extend the period then we will tell you why.

Right of access

You have the right to request a copy of the information we hold about you. Sometimes part or all of the information may be withheld, especially if it contains information about other individuals and if this is the case we will explain why.

In order to exercise this right, you must submit a “Subject Access Request” (SAR).

  • Requests can be made in writing or verbally over the phone. The easiest way to ensure you have provided all the necessary documentation and information to process your request is to complete our standard Subject Access Request Form - click here to download a copy (you don’t have to complete a form but it can help us find the information you need.)
  • If you are looking for specific information and/or you know where in GreenSquare the information you are interested in is likely to be held eg a specific department, then please state this clearly on the form.
  • We may also request a copy of an official form of identification, for example, a passport or driver’s licence. We will notify you if we require identification documentation.
  • You can ask any of our Customer Support Officers in our Contact Centre or write to the Data Protection Manager, GreenSquare Group, Methuen Park, Chippenham SN14 0GU.
  • You can also contact the Data Protection Manager on

Right to withdraw consent

You have the right to withdraw your consent to GreenSquare processing your information. To do this, please email or write to us using our contact details. Please be aware that there may be some situations where we are still allowed to keep and use your information, even when you have withdrawn consent.

Right to rectification (correction) of personal data

You have the right to request that GreenSquare correct information that you believe is inaccurate or incomplete. You may not always be able to change the information; however, we will correct factual inaccuracies and may include your comments in the records.

The right erasure (to be forgotten)

You have the right to request that GreenSquare delete your information when there is no compelling reason for us to continue using it. Please be aware that in certain situations we are still allowed to keep and use your information, even when you request that it should be erased.

The right to object

You have the right to object to us using your information if you feel we have used it outside the remit of our public tasks or when you have received marketing from us. Please be aware that in certain situations we are allowed to still use your information if there are compelling legitimate grounds to do so.

Rights relating to automated decision making or profiling

You have the right not to be subject to a decision based solely on automated decision making, including profiling, which produces legal effects about you or significantly affects you. GreenSquare can only carry out solely automated decision making when it is authorised by law, you have given us your explicit, written consent, or when it is necessary for entering into a contract with GreenSquare.

Back to the top

How to contact us

You can contact the Data Protection Manager with any issues regarding the processing of your personal data:

In writing:
Data Protection Manager
GreenSquare Group, Methuen Park, Chippenham, Wiltshire, SN14 0GU

By email: 

By telephone:
0300 111 7000

Back to the top

Contacting the Information Commissioner’s Office

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by:

Please note we can't be responsible for the content of external websites.

Back to the top

Covid-19 addendum

Data Controller: GreenSquare Group, Methuen Park, Chippenham, Wiltshire, SN14 0GU

This privacy notice is an addendum to GreenSquare’s main privacy notice, and it explains how GreenSquare (as Data Controller) may use your personal data, specifically in relation to the Covid-19 (coronavirus) pandemic. It is an addendum to all privacy notices, including those for customers, employees and third parties.

You may have already provided information for a specific reason, and GreenSquare would usually seek to inform you that the data provided would be used for a different purpose. Due to the rapidly emerging situation regarding the current pandemic, this will not always be possible. If we already hold personal information about you, we may share this for emergency planning purposes or to protect your vital interests by sharing with services both inside and outside the organisation.

The Information Commissioner’s Office has published guidance on data handling during the pandemic.

In this current crisis, we may need to ask you for sensitive personal information that you have not already supplied, including any underlying illnesses, allergies or Covid-19 symptoms. This is so GreenSquare can provide safe services for customers, staff and third parties.

Your personal data

Personal data relates to a living individual who can be identified from that data. Some of your personal data is classed as ‘special category data’ because this information is more sensitive for example health information, ethnicity and religion and so on.

Why we may need to share your personal data

In this current pandemic, we may share your information with other public authorities, health trusts, emergency services, and other stakeholders as necessary and only when necessary in a proportionate and secure manner. Contact with you to obtain consent before sharing will not be required for all the reasons described in this notice. Please be assured that protection of personal data remains a priority at this time after the health and safety of everyone.

We will only share your personal information where the law allows, and we always aim to share the minimum data necessary to achieve the purpose required. Further, the information will only be used for the purposes listed and retained for limited specific times.

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 allow us to share information for a wide variety of reasons. These are known as our ‘legal bases to process data’.

Data protection laws are written to facilitate valid information sharing, especially in times of emergency which often requires more collaborative working. The legal bases for processing data at GreenSquare during the Covid-19 pandemic are as follows:

  • Fulfil an explicit government purpose
  • Protect the public
  • Satisfy external regulatory requirements
  • Provide extra support for our customers and staff
  • Safeguard individuals at risk

We will refer to the following legal bases for processing in line with the General Data Protection Regulation (GDPR):

  • Article 6 (1) (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Article 6 (1) (d) – processing is necessary in order to protect the vital interests of the data subject or of another natural (living) person
  • Article 9 (2) (c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • Article 9 (2) (g) – processing is necessary for reasons of substantial public interest…
  • Article 9 (2) (h) – processing is necessary for the purposes of preventative or occupational medicine, where is it necessary for the provision of social care, the provision of health care or treatment or for the management of a health or social care system
  • Article 9 (2) (i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against cross-border threats to health or ensuring high standards of quality and safety of health care

Your rights

You have several rights with respect to your personal data and these remain all intact during the current coronavirus pandemic. Please refer to our substantive privacy notice. Any requests regarding your rights should be submitted to the Data Protection Officer.


For any questions regarding the above, please contact us at:

Data Protection Officer, GreenSquare, Methuen Park, Chippenham, Wiltshire, SN14 0GU

We use cookies to improve our website. To find out what cookies we use and what they do, please read our privacy policy.