Privacy policy

This Privacy Notice may vary from time to time so please check it regularly.

This Notice describes the types of information collected, how that information is used and disclosed, and how you can access, modify, or delete your information.

Land Securities Properties Limited (company number 961477) whose registered office is at 100 Victoria Street London SW1E 5JL (“we”, “us” or “our”) is the ‘data controller’ for the personal data we collect. We are registered with the Information Commissioner’s Office with registration number Z5806812.

The Personal Information that we collect and how we use that information depend on your relationship with us and whether you are a customer and their registered occupants or a visitor to the site as outlined below:

A) A Customer or Potential Customers

Contact Information, including your name, mailing address, phone number, email address and other information that enables us to contact you; Professional Information, including your company name, title, role, team and other information about your profession; Payment Information, including your credit or debit card details, bank account information, and payment or other information required when you make a purchase. Please note that for your protection this information is not stored on our systems and the payment processing is performed by a third party that specialises in secure online payment processing. You can view their privacy notices here: For direct debit instruction – GoCardless For credit or debit card payments – Stripe The data is collected for the purposes of entering or performing a contract, or in our legitimate business interests to analyse and improve our service offering, and to conduct marketing.

B) Visitors, guests and your registered occupants

We act as a Data Processor to our customers, who determine what data to give to us and for what purpose. This includes any personal data obtained from our customers for the purposes of providing their staff with access to the office space, booking room services or wifi.

A data processing agreement is available to our tenants here.

You may be pre-registered by your host, who will provide us with your name and email address so that we can identify you and provide you with access to the facility and systems (such as Wifi).

The data from A and B is collected and stored in a third party lease booking system.

DATA MINIMISATION AND RETENTION We will retain your Personal Information for as long as you have a relationship with us, and for a period after your relationship with us has ended. When determining how long this retention period will last, we take into account the length of time Personal Information is required to:

Continue to develop and improve our Services; Maintain business records for analysis and/or audit purposes; Compliance with legal requirements; Defend or bring any existing or potential legal claims; or Address any complaints. Email Marketing

By indicating an interest in our service offering or by subscribing to the service we will use the soft opt-in/ our legitimate interest to provide you with email marketing of relevant goods and services. You can unsubscribe to these marketing messages at anytime by emailing dataprotection@landsec.com

If you are a subscriber to the service, you can also change your own preferences for receiving updates through the My Accounts page.

Other areas where data is collected that is not specific to your relationship with us are outlined below:

  1. WIFI IN OUR PROPERTIES

If you use one of the Wi-Fi networks we provide, we may collect personal information from you, such as your name and email address order to log you on to the Wi-Fi network. Your Wi-Fi is provided by us through a third party.

Through our Wi-Fi services, we may also collect data which shows how often, how long and from which location you are accessing the Wi-Fi services, which will include recording the address of your device that connects to the Wi-Fi network.

The personal information gathered through Wi-Fi for our legitimate business interests, to collect data obtained through our interaction with customers for research, analysis, testing, monitoring, risk management and administrative purposes including the optimization of service delivery at our properties and to improve the customer experience.

The legal basis is also to form a contract with you to provide the Wi-Fi Services.

  1. SECURITY

HOW DO WE COLLECT INFORMATION FROM YOU? As part of our security operation, we will also be collecting personal images relating to visitors and customers to our properties from any CCTV, Body Mounted Video (BMV) and ANPR (Automatic Number Plate Recognition) systems.

We use third party service partners to provide security services, but the information recorded through these technologies is held on systems we control. The data we collect may be shared with the police for our legitimate interests and the prevention and detection of crime, or between our other sites to share intelligence or local crime reduction partnerships and initiatives. ANPR data can be shared with third parties for the purposes of enforcement.

We may also share the information with insurance companies where they request data relating to insurance claims to support their legitimate interests, or those of their clients, or to defend legal claims.

We also capture personal data within Access Control systems which may provide access to the building in our properties. Personal data is also collected from visitors to our properties. Access control data is held within our systems and the visitor management data may be held on third party systems.

In relation to access control and visitor data, where the data relates to our employees, contractors or visitors, we consider ourselves to be the Controller. However, personal data relating to our customer’s staff, contractors and employees, we consider our customer to be the Data Controller.

In relation to third parties, we ensure that they will also safeguard your data – please see Protection of Your Information below.

FOR WHAT PURPOSE IS IT COLLECTED CCTV, BMV, Visitor and Access control data is collated to pursue our legitimate interests to protect the property in question, to protect the safety and vital interests of our visitors, employees, tenants and customers, to assist with the prevention and detection of crime and to provide our contracted service to our tenants.

ANPR is collected to fulfill a contract between ourselves and our users of our parking facilities, including enforcement action.

Access control data is also processed because of our contractual responsibilities to our occupiers.

DATA MINIMISATION AND RETENTION For CCTV and Body Mounted Video: Generally, this data will not be held for longer than 31 days unless an incident or suspected incident has occurred.

ANPR: kept for as long as is contractually required.

Access Control Systems: Access cards and the personal data associated with them are deleted on requests from our occupiers. Cards which are not used for three months are deactivated. Any passes which have remained inactive for twelve months will have all data relating to the card permanently deleted.

Visitor Management Systems: All data is deleted where a visitor has not returned to the site within six months.

  1. ACCIDENT AND INCIDENT REPORTING

HOW DO WE COLLECT INFORMATION FROM YOU? When an incident occurs at one of our properties, we are required to document the particulars of an incident which may include witness statements, CCTV footage, photographs and written reports. This information may include special categories of data depending on the nature of the incident. A third-party system is used to log details relating to these incidents and physical paperwork may also be stored on site. The data may be shared with third parties such as insurance providers and legal advisors in order to defend a claim, government or other competent organisations who are required to report on incidents by law or the police to investigate a crime.

FOR WHAT PURPOSE IS IT COLLECTED This information is collected to ensure that we comply with our legal responsibilities in relation to Health and Safety investigation and reporting, and also in relation to any future legal claims. The information can also be used to prevent and detect crime, or to protect the vital interests of individuals. Where health information is collected we may also need this for our substantial public interest for Insurance processing.

DATA MINIMISATION AND RETENTION All personal data (CCTV, Witness Statements, Photographs and written reports) relating to the incident is held for six years, unless there are reasons to retain it for longer, such as an ongoing HSE investigation, a suspected pattern of fraud, or because an injury has been sustained by a child.

  1. OCCUPANCY SENSORS

Occupancy sensors are in place to determine how the office space is used by our customers for our legitimate interests to ensure that the space meets their requirements and to improve our customer experience and service offerings. We have deployed two types of sensors – both of which ensure that the privacy of our customers is respected.

  1. Desk sensors – a light sensor positioned underneath each desk determines at what time periods the desk is occupied. We do not combine this data with any other data to assist in identifying an individual – such as CCTV or seating plans – as the purpose of the processing is to understand the usage of the desks, and not who has been using the desks.

  2. Meeting sensors – occupancy sensors have been placed in the ceiling of the meeting rooms and communal areas. The sensor is capable of taking a low-resolution video of the space to determine how many occupants are present. The quality of the image is low enough to prevent the identification of an individual, but suitable to distinguish the number of people within the area of its view. The sensor is not capable of tracking an individual and their repeated visits to an area because the image quality does not allow for the re-identification and tracking of a person. We commit to not combining this information with other data (such as CCTV or meeting calendars) for the identification of individuals.

  3. OTHER USERS

In addition to the purposes already described, we may use information collected to perform other important business operations, for example: to understand usage patterns (such as foot traffic) within our properties; to develop, provide, improve and personalise products and services; and, to provide customer service/support. We may undertake additional research, analysis, and surveys, both online and in our centres. The lawful basis for this use of Information is for our legitimate business interests.

  1. OTHER THIRD-PARTY TRANSFERS NOT DETAILED PREVIOUSLY

We may pass on or allow access to your information:

to our suppliers, contractors and professional advisors where this is necessary for them to provide services and facilities to us, such as to provide car parking services; to our Joint Venture partners; to any purchaser of all or part of our business or any of our properties; to sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers; where we are required to do so by law, court order or other legal process; where, acting in good faith, we believe disclosure is necessary to assist in the investigation or reporting of suspected illegal or other wrongful activity. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; to protect and defend our rights or property; to deal with any misuse of any of our Services; in order to enforce or apply our terms and conditions and other agreements with third parties; to our group companies and affiliates or third-party data processors who may process data on our behalf to enable us to carry out our usual business practices; personal data relating to an insurance claim, including sensitive data, may be transferred to our reinsurance business based within the Land Securities Group (Land Securities Insurance Limited (registered in Guernsey as a Data Controller (ref 11453)). Research / Survey Solicitations. From time to time, we will provide your Personal Information to our service providers to perform research (online and offline) via surveys on our behalf. Participation is voluntary, and we will use the information that we collect for research and reporting purposes, and to help us to improve the quality of our Services. We use the survey responses to determine the effectiveness of our Services, including the quality of our communications and our advertising and/or promotional activities. If you participate in a survey, your responses will be used along with other participants’ responses. 7. PROTECTION OF YOUR INFORMATION

We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that we hold. We place similar obligations on our third parties and risk assess their security based on the sensitivity of the personal data that they hold.

If we transfer your personal information outside of the EEA, it will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators (like the US ‘Privacy Shield’ scheme).

  1. YOUR RIGHTS

You have the right to opt out of receiving any marketing information which we send you.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the following rights:

Subject to certain conditions, request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. Disclosure should not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff. Subject to certain conditions, request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. You also have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details. This right only applies to your own personal data. When exercising this right, please be as specific as possible. Subject to certain conditions, request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). Subject to certain conditions, object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. Subject to certain conditions, request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. Subject to certain conditions, request the transfer of your personal information to another party. If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal data that has been provided to us by you. Where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. If you withdraw your consent, this will only take effect for future processing. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please email dataprotection@landsec.com

You will not have to pay a fee to access your personal information (or to exercise any of the other rights); however, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

You can also contact the Information Commissioner’s Office via https://ico.org.uk/ for information, advice or to make a complaint.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

CHANGES TO THE PRIVACY & COOKIES POLICY

This Privacy Notice was last updated on 23rd April 2019. If it is necessary for us to alter the terms of the Privacy Notice, we will post the revised Privacy Notice here. We encourage you to frequently review the Privacy & Cookies Notice for the latest information on our privacy practices.

CHANGES TO THE PRIVACY & COOKIES POLICY

This Privacy & Cookies Notice was last updated on 30th June 2019 . If it is necessary for us to alter the terms of the Privacy Notice, we will post the revised Privacy Notice here. We encourage you to frequently review the Privacy Notice for the latest information on our privacy practices.

Date Change to Privacy Policy 23rd April 2019 Updates to reflect payment provider data processing 30th June 2019 Update for Occupancy Sensors

HOW YOU CAN CONTACT US

If you have any questions about this Privacy Notice, please contact the Data Protection Officer at dataprotection@landsec.com