I am a business contact or stakeholder.
As part of its normal business operations, The Crown Estate needs to contact key business contacts and stakeholders and for these purposes for processing The Crown Estate is the data controller. These contacts include:
- Contacts of employees who work for businesses with which The Crown Estate has a business relationship;
- Contacts with employees of businesses that are involved in the wider industries in which we operate;
- Contacts with stakeholders, including MPs, councillors etc.
This information is normally restricted to name, job title, email address, telephone number and the name of the business or organisation they represent.
We obtain this personal information from a variety of sources including:
- The course of normal business operations;
- The exchange of business cards and other collateral in the normal business environment;
- Information published by the data subject so that they can be contacted for business purposes.
Whilst we process this information as part of our legitimate business interests, we assume that the sharing of this contact information in the normal business environment for the purposes for which it was shared constitutes consent to be contacted for the business circumstances under which the information was shared. Consequently, we will only contact these data subjects in the context in which the information was provided and we will never use these contact data for any other purposes. Where we have a contract with the individual, that will be our purpose and lawful basis for using their data.
Types of data processing
The personal data that The Crown Estate processes relating to business contacts typically consists of the following:
- Details held on our corporate systems relating to ongoing business relationships;
- Normal business correspondence with the individual;
- Collaborative working on industries issues;
- Inviting contacts to events specific to the context in which the information was provided.
The data above is held is long as required to perform these functions.
The Crown Estate has in place administrative, technical and physical measures on our systems and internally which are designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that it holds which includes an Information Security Management System certified to ISO27001. We place similar obligations on our service partners and undertake risk assessments on their security measures.
From time to time The Crown Estate may process contact information in relation to email contacts and event management on systems based outside the EEA. If The Crown Estate does this your personal information will continue to be subject to one or more appropriate safeguards as required by law. These might include the use of model contractual clauses, or having suppliers sign up to an independent privacy scheme approved by regulators (such as ‘Privacy Shield’).
The Crown Estate will ensure that where information is transferred outside EEA, The Crown Estate and the receiving party will comply with all relevant laws governing such transfers.
Rights of business contacts
Individuals are afforded rights under GDPR and these can be exercised where The Crown Estate operates as a Data Controller – the right to access, correct, object, restrict and erase. To exercise these rights please contact the managing agent of the property or email the data protection officer at: firstname.lastname@example.org.
You can also lodge a complaint with the Information Commissioner’s Office.
The Crown Estate is registered with the Information Commissioner’s Office with registration number Z6390151.
This Privacy Notice was last updated on 25 May 2018.