1. Purpose of this notice
This privacy notice describes how we collect and process personal information about you, in accordance with the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 and any other national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK (“Data Protection Legislation”).
This notice describes how we may collect and process information about any data subjects including:
• Our clients and other people who use our property management services, including the employees of any clients (referred to for convenience in this notice as “Clients”);
• Our suppliers and service providers and their agents, employees and representatives (“Suppliers”);
• Tenants of the properties which we own or for which we provide property management services and the employees of any such tenants (referred to for convenience in this notice as “Tenants”);
• Individuals who visit any of the properties which we own or for which we provide property management services, including Tenants (“Property Visitors”) and
• Visitors to our website (“Website Visitors”).
This privacy notice applies to all personal information we collect or process about you. Personal information is information, or a combination of pieces of information that could reasonably allow you to be identified. Paragraphs 3 and 4 of this privacy notice contain specific information for different categories of data subjects. The other paragraphs of this notice contain information relevant to all data subjects including the data subjects rights described in paragraphs 5 and 6 of this notice.
This privacy notice is effective from and including 25 May 2018. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
2. About Us
Real Estate Management (UK) Limited (“REM”, “we”, “us”, “our” and “ours”) provides property development and asset management services across London’s finest real estate. We are registered in England and Wales under company number 07870825 and our registered office is at 51 Grosvenor Street, London, W1K 3HH.
For the purpose of the Data Protection Legislation and this notice, we are the “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.
3. Personal information we collect and hold about you
We will collect personal information about you from a variety of sources, including information we collect from you directly (e.g. when you contact us) and information we collect about you from other sources described below.
Note that we may be required by law to collect certain personal information about you or as a consequence of any contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfilment of our obligations. We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.
3.1 Information we collect directly from you
All Data Subjects
a) We will collect and process information about you when you contact us by email, telephone, post or social media. The information we hold about you may include the following:
- your personal details (such as your name, address and other contact details);
- details of our correspondence and communications with you; and
- information about any complaints and enquiries you may have submitted to us.
b) When we send emails to you we may review whether these have been opened and whether you clicked on any links within these.
d) If you sign up for a newsletter, fill out a feedback form, complete a “contact us” form or enter a competition or promotion we collect personal information such as your email address, name, contact number and postcode. Not all fields are mandatory and provision of the information is optional but if you provide less information this may limit your use of our online services.
e) When visiting some of our buildings we may collect information from your mobile device and identify its location. This occurs whether or not you have used the Wi-Fi at the building. To opt out of the collection of your MAC or IP address and location turn off your device’s Wi-Fi and Bluetooth capabilities.
f) We occasionally stream videos on social media such as Facebook live and take and display photos of members of the public using and enjoying our buildings. Where we do so, we inform members of the public and Tenants of this possibility through the signs places around the building.
g) We operate CCTV at our buildings for the purposes of public safety, crime prevention and prosecution, insurance, property management and marketing and advertising.
h) Where we own a building or we provide property management services for a building owner we collect data on accidents in order to comply with health and safety legislation.
Clients and Suppliers
i) If you are a Client or a Supplier then we will collect and process information about you: (i) when you request a proposal from us in relation to our services; (ii) when you or your employer or other relevant organisation engages us to provide our services (or visa-versa, if you are a Supplier); and (iii) during the course of the provision of those services.
j) We may collect and process additional information about you (as applicable) relevant to the management and administration of the relationship between us which will be as described in the engagement terms between us.
k) Where you are a tenant living at a building we manage, you provide us with personal data such as references and financial information, identity documentation, your contact details and the contact details of your next of kin, bank account details and information relevant to health and safety matters at the building (such as any difficulty you may have in using the stairs in the event of a fire). This is so that we can assess your suitability to be a tenant, allow you to pay the sums due under your lease and manage our buildings.
l) Where you are a commercial tenant at one of our buildings you provide us with data (which may include the personal data of your employees) such as financial and business information, contact details and bank account details. This is so that we can assess your suitability to be a tenant, allow you to pay the sums due under your lease and manage our buildings.
m) Where you work for a tenant of one of our buildings we may be provided with your contact details by your employer if we need to liaise about estate management matters.
3.2 Information we collect from other sources:
All Data Subjects
a) We use social media such as Facebook, either ourselves or through third party advertising agencies, to carry out digital advertising on the profiles of users who we think may be interested in our advertising campaigns based on events of ours that they have attended, what marketing communications they have subscribed to and which parts of our website they have visited or users who are in a similar demographic to such persons. Information on how advertising is shown to you should be available from your own social media provider.
b) If you use one of the Wi-Fi networks in a building we own or manage, the Wi-Fi provider may collect personal information about you, such as your name, email address and postcode, which is required in order for you to log onto the Wi-Fi network. This may then be shared with us.
c) If you access one of the Wi-Fi networks in the buildings we own or manage using your social media, such as Twitter or Facebook or other online accounts, we are also provided with the data that is shared by your social media/online provider. Information on what personal data is being shared should be available to you from your own social media / online provider.
d) We may use detectors to count the volumes of customers using our buildings by entrance and time of day.
4. How we use your personal information and the basis on which we use it
Clients and Suppliers
If you are a Client or a Supplier then we will use your personal information for purposes additional to the purposes set out in this notice including in relation to the provision of our services (or your services, if you are a Supplier) and the management and administration of the relationship between us; which will be as described in the engagement terms between us.
All Data Subjects
We must have a legal basis to process your personal information. In most cases the legal basis will be one of the following:
a) to fulfil our contractual obligations to you, for example to fulfil the terms of a competition or promotion that you have entered or to provide you with information you have requested;
b) to comply with our legal obligations to you, for example health and safety obligations while you are on our premises or to a third party (e.g. the police); and
c) to meet our legitimate interests, for example to understand how you use our services and our buildings and to enable us to derive knowledge from that which in turn enables us to develop new services and further tailor our buildings to appeal to a wide variety of persons. When we process personal information to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and to ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.
Please note that we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.
Situations in which we will use your personal data
We may use your personal information to:
a) deal with your enquiries and requests;
b) provide and personalise our services;
c) carry out our obligations arising from any agreements entered into between you or your employer or other relevant organisation and us (which will most usually be our engagement for the provision of our services or your services, as applicable);
d) notify you about any changes to our services;
e) comply with legal obligations to which we are subject and cooperate with regulators and law enforcement bodies;
f) contact you with marketing and offers relating to products and services offered by us and / or other members of our group (unless you have opted out of marketing or we are otherwise prevented by law from doing so);
g) personalise the marketing messages and offers we send you to make them more relevant and interesting;
h) contact you for research purposes, where you have consented to us doing so, in order to understand what you think of our sites and how we can improve them;
i) maintain the quality of our websites and to analyse the use of our websites in order to help guide improvements; and
j) better design and optimise our properties to improve the experience of our customers.
In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.
We may also process your personal information without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.
Change of Purpose
Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal information where that reason is compatible with the original purpose.
Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.
5. Your rights in respect of your personal information
You have certain rights regarding your personal information, subject to local law. These include the following rights to:
a) Request access to your personal information. This enables you to receive details of the personal information we hold about you and to check that we are processing it lawfully.
b) Request correction of the personal information that we hold about you.
c) Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
d) Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
e) Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
f) Request the transfer of your personal information to another party.
If you would like to discuss or exercise such rights, please contact us using the details below.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate.
6. Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us); you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us using the details below.
Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
7. Information sharing
We may share your personal information with certain third parties in the following circumstances:
• Services providers and business partners. We may share your personal information with our services providers and business partners that perform various business operations for us. For example, we may partner with other companies to: process secure payments, fulfil orders, optimise our services, send newsletters and marketing emails, support email and messaging services and analyse information.
• Law enforcement agencies, courts, regulators, government authorities, insurance providers or other third parties. We may share your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party or to put in place insurance for any of the buildings which we own or for which we provide property management services.
We contract with third parties which, in certain circumstances, will be controllers of your personal data and responsible for managing it properly and, in others, will be processors who deal with your personal data in accordance with our instructions. Whether a third party supplier (who is not us) is a processor or controller of your personal data depends on the facts and where we appoint a third party processor of your personal data depends on the facts. Where we appoint a third party processor of your personal data we will put a framework around what we expect them to do with it and how they manage it, for example:
• Where we do not own a building but we provide property management services for the building owner and / or we provide access control system services for the building owner we capture personal data within the access control system. This comprises personal data of people who work in a building and those who visit it and includes name, occupation, employer and contact details. The data controller in these situations will be the building owner or the tenants of the building owner and we are a data processor.
• Where we provide property management services for a third party landlord, we can be provided with personal data on tenants and their employees where this is necessary for us to carry out these services. We are not the data controller in these circumstances and are a data processor for the third party landlord.
What about other third parties?
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business.
We may share non-personally identifiable information with third parties such as partners, customers, tenants and suppliers for example to show trends on the use of our buildings.
8. Information security and storage
We implement technical and organisational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the on-going integrity and confidentiality of personal information. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We evaluate these measures on a regular basis to ensure the security of our data processing.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain your personal information for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:
a) the requirements of our business and the services provided;
b) the purposes for which we originally collected the personal data;
c) the lawful grounds on which we based our processing;
d) the types of personal data we have collected;
e) the amount and categories of your personal data; and
f) whether the purpose of the processing could reasonably be fulfilled by other means.
9. Transferring information outside of the European Economic Area (“EEA”)
Your personal information may be transferred to, stored and processed in a country outside of the EEA that is not regarded as ensuring an adequate level of protection for personal information under European Union law/by the European Commission. Where this is the case we have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us using the details below.
10. Changes to our Privacy Notice
We review our privacy notice on a frequent basis to check that it accurately reflects how we deal with your personal information and may amend it if necessary. Any changes we may make to our privacy notice in the future will be posted on this webpage. You should check this page regularly to see the most up to date information.
This privacy notice was last updated on 19 June 2018.
11. Contact us
We welcome questions, comments and requests regarding this privacy notice which can be sent to: firstname.lastname@example.org
You also have the right to make a complaint to the Information Commissioner's Office (ICO: www.ico.org.uk ), the UK supervisory authority for data protection issues, at any time.