European Data Protection and General Data Protection Regulation

Last reviewed: April 2024


European Data Protection

European Data Protection encompasses principles from the Universal Declaration of Human Rights, established by the Council of Europe based on the Human Rights Declaration, particularly emphasizing the right to privacy (Article 12) and free speech (Article 19). It seeks a balance between these rights when necessary (Article 29(2)). The European Convention on Human Rights (ECHR), passed in 1950 by the Council of Europe, not only requires member state approval but also allows nations to enact their own laws in alignment, focusing on individual rights protection (Article 8) and freedom of expression (Article 10 and 10(2)). The General Data Protection Regulation (GDPR), enforced since 2018, builds on these foundational principles, specifically tailored to data protection within the EU. It's important to distinguish between the European Court of Human Rights, which enforces the ECHR and is a part of the Council of Europe, and the Court of Justice of the European Union, which interprets EU law, including GDPR. This distinction highlights the separate yet complementary roles of the Council of Europe, the European Union, and the European Economic Area (EEA), which includes EU states and certain European Free Trade Association members. The European Data Protection Board ensures GDPR's consistent application across the EEA, reinforcing the EU's commitment to data protection.

The GDPR’s scope extends beyond the 27 member states of the European Union, also applying to the European Economic Area, a total of 30 countries combined. The GDPR applies to organisations outside of the EU/EEA if they offer goods or services, monitor behaviour inside the EU/EEA or are handling personal data of EU/EEA residents.


EU member states include:

  1. Austria
  2. Belgium
  3. Bulgaria
  4. Croatia
  5. Cyprus
  6. Czech Republic
  7. Denmark
  8. Estonia
  9. Finland
  10. France
  11. Germany
  12. Greece
  13. Hungary
  14. Ireland
  15. Italy
  16. Latvia
  17. Lithuania
  18. Luxembourg
  19. Malta
  20. Netherlands
  21. Poland
  22. Portugal
  23. Romania
  24. Slovakia
  25. Slovenia
  26. Spain
  27. Sweden

European Economic Area includes:

  1. Iceland
  2. Liechtenstein
  3. Norway


United Kingdom and the GDPR

When the United Kingdom left the European Union (Brexit), the Data Protection Act 2018 (DPA 2018) incorporated the GDPR into UK national law with specific adjustments, thereby maintaining the core principles, rights, and obligations of the GDPR within the UK context. Despite Brexit, the alignment ensures that the UK continues to offer a high level of data protection, facilitating data flows between the UK and the EU/EEA.


UK GDPR includes:

  1. England
  2. Scotland
  3. Wales
  4. Northern Ireland


The GDPR and UK GDPR focus on regulating personal data processing across various sectors, with specific exclusions such as law enforcement and national security, which are covered by the Law Enforcement Directive (LED). Incorporated into the UK's DPA 2018 Part 3, the LED addresses data processing in law enforcement, allowing for certain exemptions and modifications to balance privacy with public security needs. The Information Commissioner's Office (ICO) plays a vital role in enforcing these regulations, ensuring compliance, and protecting individual data rights while recognizing the unique needs of law enforcement and national security.


Forbury Hosting and Policies

Hosting Environment

Forbury's databases are hosted on Microsoft Azure's data centres and feature at-rest encryption, including Transparent Data Encryption (TDE) for Azure SQL Database. This encryption safeguards stored data against unauthorized or offline access.

Data Collection and Storage

We collect and store only essential information necessary for the functionality of our products, including your name, email address, city location, and an optional phone number for support purposes. Additionally, we retain property data for backup purposes and service usage. Our commitment to privacy is reflected in our minimalistic approach to data collection, ensuring transparency and responsibility. All data is hosted on Microsoft Azure servers located in the Australia region, adhering to strict data sovereignty and legal compliance standards.

Below is a table detailing our approach to data collection and storage.

Data Handling

Our data collection is minimal, transparent, and user-centric, offering data sharing choices. Forbury does not share or sell your data, nor do we use it for benchmarking or data mining. In the event of discontinuation of our services, we can permanently delete all sensitive data related to you upon request. The table below shows your options when sharing your data with us:

| We collect your data for | Why do we collect your data? | Does this require your data to be stored? | How can your data be removed? |
|---|---|---|---|
| Model calculations | Product development, error detection and testing | No | Calculation logs can be removed by requesting Forbury |
| Backup and Restore | Enable the ability to migrate inputs into new models | Yes | Users can delete uploaded data |
| Portfolio Reports | Consolidate property information and the ability to refresh reports with latest information | Yes | Users can delete uploaded data |
| Sharing | To facilitate the transfer of data to nominated 3rd party users | Yes | User can delete uploaded data. Receiving parties may hold your data in our system |
| Sale Evidence | To provide a sale database service with comparison and report functionality | Yes | Users can delete uploaded data |
| Activity Logs | Audit, support, records | Yes | Cannot be removed |


Security Measures and Data Protection

Our security framework employs Microsoft Azure Security Services to encrypt data at rest and utilizes HTTPS with 256-bit TLS encryption for securing data during transit between Forbury's software and servers. Data is categorized as Public, Sensitive, or Confidential, with strict access based on 'least privilege.' We adhere to ISO 27001:2013 standards, encompassing Access Controls, an Acceptable Use Policy and a Customer Data Management strategy that includes responsible asset use, secure handling, and encryption of customer information, with options for anonymization or deletion. Regular compliance checks and secure disposal of hardware are key aspects of our data management system. Password security is enforced through the ASP.NET Core Data Protection framework with strong one-way encryption and multi-factor authentication. We mandate that passwords include a mix of lowercase, uppercase, non-alphanumeric, and digit characters, with a minimum length of eight characters, enhancing our defence against unauthorized access. User authentication and activities are rigorously regulated by the OAuth 2.0 OpenID Connect protocol, ensuring secure and efficient access management.

User Data Rights and Policies

Forbury is dedicated to empowering users with control over their personal data. Users have the right to request access to, corrections of, or the erasure of their personal data, as well as to object to processing, request restrictions on processing, and seek data portability. These rights can be exercised without incurring a fee, except in cases of requests deemed unfounded, repetitive, or excessive. To safeguard personal data and verify identities, we may request additional information from users making such requests. Our goal is to respond to all legitimate requests within one month, keeping users informed throughout the process.

Data Retention and Management Policies

Our data retention policies are designed to retain data only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, tax, accounting, or reporting requirements. We are committed to a policy of not sharing or selling data, nor using it for benchmarking or mining purposes. Users have the autonomy to manage, delete, or remove their data, in alignment with the strict privacy and data protection laws of the European Union, Australia, and New Zealand.

ISO Certification and Compliance

Hundreds of customers trust Forbury with their data, a responsibility we take very seriously. We are proud to adhere to the ISO 27001:2013 certification, a globally recognized standard that reflects our comprehensive approach to managing information security. This certification underscores our dedication to the integrity and confidentiality of customer data through stringent security measures and strong data retention policies. Complementing this, we comply with European Data Protection, the General Data Protection Regulation (GDPR), the UK’s Data Protection Act 2018, Australia’s Privacy Act 1988, and New Zealand’s Privacy Act 2020 (“Data Privacy Laws”). Registered with the Information Commissioner's Office under registration number ZA900740, we maintain strong administrative, technical, and physical safeguards, including encryption and regular security training for staff, to ensure the security, confidentiality, and integrity of our customers' information.


For more detailed information, please visit our website’s Privacy, Security or FAQ pages.

