All products

GDPR and data subject requests

Under UK GDPR and the Data Protection Act 2018, individuals whose personal data you hold have rights you must support. PropLink gives you the tools to do that. This page covers the workflows; consult your data protection officer or solicitor for legal interpretation.

Data-subject access requests

A data subject can request a copy of all personal data your organisation holds about them. You have one calendar month to respond.

To produce the export:

    1. Open the contact.
    2. Click Actions → Export data subject record.
    3. PropLink compiles a ZIP containing every record relating to the contact: profile, communications, invoices, payments, tickets, audit log entries.
    4. Download or email the ZIP to the contact within the statutory timeframe.

The export is generated in a portable format (PDF for documents, CSV for tabular data, JSON for the machine-readable record).

Right to rectification

If a contact tells you their data is wrong, fix it under Contact → Edit. PropLink records the change in the audit log.

Right to erasure

If a contact asks for their data to be deleted, you must consider whether you have a lawful basis to retain it. For most contacts you will: legal obligations on financial records, the firm's legitimate interest in retaining audit history for tribunal exposure, contractual obligations under leases.

If erasure is appropriate:

    1. Open the contact.
    2. Click Actions → Erase.
    3. PropLink shows you what will be erased and what will be retained for legal reasons (with the basis cited).
    4. Enter a reason and confirm.

PropLink replaces the contact's name, email, phone and address with placeholder values. Audit history is preserved for legal reasons but stripped of any personal data not required for that legal basis.

Right to data portability

The data subject access export is in machine-readable formats so the data can be transferred to another controller if requested.

Right to object

If a contact objects to direct marketing or to specific uses of their data, set the corresponding preference on their profile:

  • Marketing. Toggles whether they receive any non-transactional emails.
  • Surveys. Toggles whether they receive feedback requests.
  • Building updates. Toggles whether they receive non-statutory updates.

Statutory communications (Section 20 notices, Section 166 notices, demand letters) cannot be opted out of and are sent regardless.

Records of processing activity

The audit trail (see The audit trail) records every meaningful interaction with personal data. This is part of your records of processing activity under Article 30. Export the relevant log under Settings → Audit logs → Export.

Breach response

If a personal data breach occurs, you have 72 hours to notify the ICO. PropLink gives you:

  • The audit log to identify the scope of access during the breach window.
  • Communications history to identify what was sent to whom.
  • The ability to expire all active sessions immediately under Settings → Users and access → Sign all users out.

Retention

Data is retained as long as the organisation exists, unless an individual exercises their right to erasure and that erasure is granted. See Organisations and multi-tenancy for what happens to data if an organisation closes.

Related

The contact directory

Read

The audit trail

Read

Last reviewed 10 May 2026.