I'm a resident at one of your properties.
Processing of personal data in relation to the property that you occupy as an individual tenant.
The Crown Estate will record your name and contact details on its property management database as a record of the lease of the property, which is the basis of our contractual agreement, and on its finance database for the purposes of managing payments. This information will be held for as long as we both are parties to the lease. We may use your data to bill you for any charges relating to your property in accordance with the terms of the lease.
The Crown Estate uses managing agents to provide a range of services on our behalf which may include security, front of house/concierge/guest services, billing as well as facilities management at our properties. We may also use third party system providers for access control and visitor management systems, and also to find new tenants for our properties. These third parties may have access to your personal data, and use it for the following purposes:
- providing property and facility management services – we may take personal details to register facility issues and report back resolutions in connection with services under the lease;
- billing – to invoice you in accordance with the terms of the lease;
- providing any secure access in accordance with terms of the lease;
- reporting any injuries or potential insurance claims – these may include special categories of personal data – to discharge our legal obligations or defend a claim;
- provide emergency broadcasts to alert occupiers to risks to protect your vital interests;
- (where locating new occupiers) undertaking credit checks and right to reside checks – to minimize our exposure to default, and to comply with our legal obligations; and
- consultancy and legal firms for the purposes of providing business advice.
The data above is held is long as required to perform these functions.
1. Security systems
As part of our security services within common areas of some of our properties, our managing agents may collect personal images through CCTV, body mounted video or through ANPR technology (Automatic Number Plate Recognition), and signs will be displayed notifying you of these arrangements.
The Crown Estate has retention policies which govern how long this information should be kept, generally for no longer than 30 days unless an incident has been logged.
2. Access control and visitor management
The Crown Estate’s managing agents may provide an access control system that allows secure entry to the building, and/or details of visitors to your premises. We deliver these services pursuant to leasing agreements, as well as to prevent and identify crime. These systems hold personal data – typically an individual’s name and access data as they enter various parts of the building.
To ensure compliance with data protection laws, The Crown Estate will review personal data within any access control and visitor systems, and any personal data relating to expired access cards will be permanently deleted. If you require any accounts to be subject to alternate treatment please provide written instructions to the managing agent at the property.
3. Protection of your data
The Crown Estate has in place administrative, technical and physical measures on our systems and internally which are designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that it holds, which includes an Information Security Management System certified to ISO27001. We place similar obligations on our service partners and undertakes risk assessments on their security measures.
From time to time The Crown Estate may transfer your personal information to its suppliers or service providers which run systems based outside the EEA. If The Crown Estate does this your personal information will continue to be subject to one or more appropriate safeguards as required by law. These might include the use of model contractual clauses, or having suppliers sign up to an independent privacy scheme approved by regulators (such as ‘Privacy Shield’).
The Crown Estate will ensure that where information is transferred outside EEA, The Crown Estate and the receiving party will comply with all relevant laws governing such transfers.
Individuals are afforded rights under GDPR and these can be exercised where The Crown Estate or its managing agents operate as a Data Controller – the right to access, correct, object, restrict, data portability and erasure. To exercise these rights please contact the managing agent of the property or email the data protection officer at: email@example.com
You can also lodge a complaint with the Information Commissioner’s Office.
The Crown Estate are registered with the Information Commissioner’s Office with registration number Z6390151.
This Privacy Notice was last updated on 25 May 2018.