Customer Privacy Policy
1 DATA PROTECTION
Data Protection Legislation means the Data Protection Act 1998 ("DPA"), the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), or similar legislation as implemented under English law (including any national implementing laws, regulations and secondary legislation), in each case as applicable and in force in the United Kingdom from time to time and all other applicable laws and regulations, relevant industry codes of practice and guidance issued by the Information Commissioner, supervisory authority or other bodies concerning the protection of personal data and privacy, and where "Controller", "data subject", "personal data", "personal data breach", "process", "processor" and "supervisory authority" are referred to in this Agreement they shall have the meanings set out in the Data Protection Legislation. References to Article numbers of the GDPR shall be deemed to include the equivalent provisions in the event the Article numbers in the legislation are changed from time to time;
1 DATA PROTECTION
Processing instructions and requirement
1.1
In the event Landsec processes personal data in providing services to occupiers of its properties the parties agree that, for the purposes of the Data Protection Legislation, YOU shall be the controller and Landsec shall be the processor.
1.2
Below are details of the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects (which may be updated from time to time).
1.3
In relation to such processing, Landsec shall:
1.3.1
only process the personal data on YOUR instructions as set out below or in writing from time to time;
1.3.2
immediately inform YOU if it considers an instruction infringes the Data Protection Legislation;
1.3.3
not make independent use of the personal data and only process the personal data to the extent, and in such manner, as is necessary for the purposes of providing the services;
1.3.4
not modify, amend or alter the personal data except as instructed by YOU;
1.3.5
not transmit or send any personal data unless it is encrypted; and
1.3.6
not store personal data on any portable medium or device unless the data is encrypted and the encryption key is held or transmitted separately.
Technical requirements
1.4
In relation to such processing, Landsec shall:
1.4.1
implement and maintain appropriate technical and organisational measures for the processing to meet the requirements of the Data Protection Legislation and ensure the protection data subjects' rights take all measures set out in Article 32 of the GDPR (security of processing) and in relation to the personal data;
1.4.2
comply with the Data Protection Legislation.
Personnel and sub-processors
1.5
Landsec shall:
1.5.1
ensure the reliability of its employees, staff, other workers and agents and any subcontractors or agents who are engaged in the provision of the processing and ensure their compliance with the Data Protection Legislation;
1.5.2
ensure that only personnel needing access to the personal data are granted access to such data and that all personnel who process the personal data have committed to confidentiality obligations;
1.5.3
procure that any sub-processor is subject to terms no less onerous than those imposed on Landsec in this document.
Assistance
1.6
Landsec shall:
1.6.1
notify YOU promptly if it receives a request from a data subject for access to their personal data;
1.6.2
not respond to any requests from data subjects or third parties without YOUR consent; and
1.6.3
provide such assistance, co-operation and information as YOU reasonably require to enable YOU to comply with the Data Protection Legislation including:
(a) security of processing;
(b) data protection impact assessments;
(c) consultation with the supervisory authority; and
(d) any actions to be taken in respect of personal data breaches.
Breach
1.7
If Landsec, becomes aware any unauthorised or unlawful processing of or accidental loss, theft or destruction of, or damage to any personal data which was, at the relevant time, in the possession or control of Landsec (each, a "Data Incident") or where there are reasonable grounds for suspecting that a Data Incident has occurred Landsec shall:
1.7.1
notify YOU as soon as reasonably practicable of becoming aware, and provide YOU with all information, assistance and cooperation as necessary to enable YOU to comply with the Data Protection Legislation;
1.7.2
promptly undertake such actions to remedy any defect or potential breach of Landsec's obligations.
1.8
Landsec shall cooperate with YOUR reasonable instructions regarding how to minimise the effects of the Data Incident or suspected Data Incident.
Deletion and records
1.9
Landsec shall:
1.9.1
securely delete all the personal data promptly after the end of the provision of the relevant services or following the end of your occupation of the premises; and
1.9.2
provide YOU with such information, assistance and cooperation reasonably required by YOU to demonstrate compliance with the Data Protection.
Transfers abroad
1.10
Landsec shall not without the use of appropriate safeguards required under the Data Protection Legislation disclose or transfer the personal data to any location outside the United Kingdom or the European Economic Area;
DATA PROCESSING ANNEXURE
Subject-matter of the processing
- The performance of property management services
Duration of the processing
- The term of Landsec's (or a group company's) ownership and management of, or the customer's occupation of the property and for such further time as the parties shall agree in writing.
- Nature and purpose of the processing
Property and facilities management
- Access and security management
- Business continuity services
- Incident reporting
Type(s) of personal data
- name, email address, employer's identity, phone numbers, photographs
- Where the customer is an individual, address
Categories of data subjects
- Customers, their employees and agents
Location of processing
- unless otherwise advised the UK or EEA
Insert data processing instructions
- As set out in the processing terms in the Tenant Privacy Policy
