I'm a customer occupying one of your premises.
The Crown Estate undertakes property management services at the property in which your organisation is occupying through the use of a managing agent. It is committed to operating in accordance with data protection laws.
Types of data processing
The personal data that The Crown Estate processes relating to our customers, in this case those occupying one of our properties, typically consists of the following:
- Details held on our corporate systems relating to the identity of occupiers for the purposes of fulfilling obligations and ongoing billing and management arrangements under a lease;
- Personal details from occupiers, their employees and contractors on site, including names, addresses, emails, phone numbers and contact details are processed for the following purposes:
- providing property and facility management services – we may take personal details of occupiers or their employees to register facility issues and report back resolutions in connection with services under the lease;
- providing secure access to the premises as a service under the lease;
- reporting any injuries or potential insurance claims – these may include special categories of personal data – to discharge our legal obligations or defend a claim;
- provide business continuity services to allow us to alert occupiers and their employees of an incident that may impact their business operations, which may include collecting ‘home’ contact information.
1. Security systems
As part of security services within common areas The Crown Estate’s managing agents may collect personal images including those of occupiers, their employees and contractors entering such areas. Signs will be displayed notifying you of these arrangements, which may include CCTV, body mounted video and ANPR (Automatic Number Plate Recognition). The Crown Estate’s managing agent is the data controller for providing surveillance services at our properties with the primary purpose for the prevention and detection of crime. However, this does not extend to any surveillance systems that you may have within your demise.
Retention policies are in place to govern how long this information should be kept, which is generally for no longer than 30 days unless an incident has been logged.
In the event The Crown Estate’s managing agent receives a request to access surveillance data from an occupier in relation to a member of their staff, they cannot provide it without sufficient cause so as to preserve the privacy rights of the individual.
2. Access control and visitor management
The Crown Estate’s managing agents may provide an access control system that allows secure entry to the building, and/or details of visitors to your premises. They deliver these services at the property pursuant to leasing agreements, as well as to prevent and identify crime. These systems hold personal data – typically an individual’s name, the organisation with which they are associated and movement data as they access various parts of the building.
For the purposes of providing access control services to you, The Crown Estate’s managing agents act as your data processor. In relation to any subject right requests for the personal data included in the access control systems and/or visitor systems, The Crown Estate’s managing agents will refer requests to you as the data controller and respond to your instructions as to how these should be actioned.
To ensure compliance with data protection laws, The Crown Estate’s managing agents will review personal data within any access control and visitor systems, and any personal data relating to expired access cards will be permanently deleted.
3. Protection of information relating to occupiers, their employees and contractors
The Crown Estate has in place administrative, technical and physical measures on our systems and internally which are designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that it holds which includes an Information Security Management System certified to ISO27001. We place similar obligations on our service partners and undertake risk assessments on their security measures.
The Crown Estate uses managing agents and service partners to provide security, front of house/concierge/guest services as well as facilities management at its properties. It also uses third party system providers for access control and visitor management systems. These third parties will have access to your personal data.
From time to time The Crown Estate may transfer your personal information to its joint venture partners, suppliers or service providers based outside the EEA. If The Crown Estate does this your personal information will continue to be subject to one or more appropriate safeguards as required by law. These might include the use of model contractual clauses, or having suppliers sign up to an independent privacy scheme approved by regulators (such as ‘Privacy Shield’).
The Crown Estate will ensure that where information is transferred outside EEA, The Crown Estate and the receiving party will comply with all relevant laws governing such transfers.
Rights of occupiers and their employees
Individuals are afforded rights under GDPR and these can be exercised where The Crown Estate or its managing agents operate as a Data Controller – the right to access, correct, object, restrict and erase. To exercise these rights please contact the managing agent of the property or email the data protection officer at: firstname.lastname@example.org.
You can also lodge a complaint with the Information Commissioner’s Office.This Privacy Notice was last updated on 25 May 2018.
The Crown Estate is registered with the Information Commissioner’s Office with registration number Z6390151.
This Privacy Notice was last updated on 25 May 2018.