Version last revised: May 2020
1. Important Contact Information
Cromwell Group European Entities, whose list is shown below;
|GDPR Central Representative:||Iana Fox (as at the date hereof) at the following email address EUprivacy@cromwellpropertygroup.co.uk|
2. Purpose of this document
2.1 We, the above-named Controller (“Cromwell”, "we", “us”), are committed to protecting the privacy and security of your personal data. We will comply with the following data protection principles when gathering and using personal data:
- we will process personal data lawfully, fairly and in a transparent manner;
- we will collect personal data for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
- we will only process the personal data that is adequate, relevant and necessary for the relevant purposes;
- we will keep accurate and up to date personal data and take reasonable steps to ensure that inaccurate personal data is deleted or corrected without delay;
- we will keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the information is processed; and
- we will take appropriate technical and organisational measures to ensure that personal data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
2.2 This privacy notice describes how we collect and use personal data concerning you in connection with our marketing practices and in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 – The General Data Protection Regulation (the "GDPR").
2.3 It applies to all individuals who we collect marketing data from and are located in the European Union (the “EU”).
2.4 We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice if we make any substantial updates.
3. Your Personal Data
3.1 Cromwell will keep and otherwise process personal data concerning you for marketing purposes. Except as specifically indicated in this privacy notice, personal data we hold and process will only be used within Cromwell and the other companies in Cromwell’s group whose list is shown below;
- Cromwell Netherlands BV
- Cromwell Property Group Poland Sp. z o.o.
- Cromwell Property Group Czech Republic s.r.o.
- Cromwell Germany GmbH
- Cromwell European Management Services Limited
- Cromwell France SAS
- Cromwell Property Group Italy SRL
- Cromwell Investment Luxembourg S.à r.l.
- Cromwell Finland Oy
- Cromwell Sweden AB
- Cromwell Denmark A/S
4. How your information will be used
- keeping you up to date with our latest research or other relevant content we have published that we believe may be of interest to you;
- to invite you to any events we may be putting on;
- or for sending notices for direct marketing of our products and services and compliance with legal or regulatory requirements.
4.2 If in the future we intend to process your personal data for a purpose other than that for which it was collected we will provide you with information on that purpose and any other relevant information.
5. How is your personal data collected?
5.1 “Personal data” relates to information that can be used to directly or indirectly identify you. Personal data also includes anonymous information that is linked to information that can be used to directly or indirectly identify you. Personal data does not include information that has been irreversibly anonymised or aggregated so that it can no longer enable us, whether in combination with other information or otherwise, to identify you.
- Personal data that is usually included in a business card such as your contact details such as name, title, company email address, company name, company address and telephone numbers.
- automatic identifiers such as IP address, geographic location, browser type, operating system, screen size and company that we automatically collect when you visit our websites. These automatic identifiers are anonymous unless you provide additional information to us (such as by filling out a form on our website) that connects the automatic identifiers to you.
- cookies, web beacons or other online tracking identifiers (when you visit our website). These tracking identifiers are anonymous unless you provide additional information to us (such as by filling out a form on our website) that connects the tracking identifiers to you. You can enable or disable cookies by modifying the settings in your browser.
- data that shows the web pages you may view, marketing content you have requested and any sales that may have resulted from your interaction with marketing content. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
6. Legal basis for processing
6.1 We will only use your personal data when the law allows us to. In connection with our marketing activities, we will rely on
6.1.1 our legitimate interests (or those of a third party) of engaging in marketing activities, where your fundamental rights do not override those interests.
6.1.2 Where required by law, your consent;
6.2 Please note that we may process your personal data using more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us using the details set out in the “How To Contact Us” section below if you need details about the specific legal ground we are relying on to process your personal data on any given occasion.
6.3 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by applicable data protection legislation.
7. How we may share your information
7.1 We will only share your personal data with the following third parties: All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies.
7.2 We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
8. Retention of personal data
8.1 We retain marketing data for as long as is reasonable for the original purpose for which it was collected and for furthering our legitimate interest for marketing. In general, we retain marketing data related to (i) a customer for as long as they remain a customer and (ii) for prospect, for a period of 36 months from their last engagement with us.
8.2 In all cases, you are given the right to opt out of receiving further marketing communications. In that case, we will only retain the amount of information needed to be sure we do not contact you again for direct marketing purpose. You may tailor further communications from us at any time by visiting our website.
9. Your Rights
9.1 The GDPR, and other applicable data protection legislation gives you certain specific rights relating to your personal data which are set out below.
9.2 Please note that not all these rights are absolute, and they do not apply in all circumstances. However, you are always welcome to contact us with any request relating to processing of your personal data and, even if we are not obliged by law to comply with your request, we will do everything reasonable to accommodate your wishes.
9.3 It is also important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.
Access – you have the right to access your personal data and certain information about how and why Cromwell is processing it;
Rectification – you have the right to have any inaccurate or incomplete personal data rectified without undue delay;
Erasure – Sometimes called the ‘right to be forgotten’, in certain circumstances, you have the right to have your personal data erased without undue delay;
Restriction – in certain circumstances, you have the right to have the processing of your personal data by Cromwell restricted;
Data portability - where the processing is carried out under the legal basis of your consent or the necessity to perform a contract with you, and is carried out by automated means, you have the right to receive the personal data concerning you that you have provided to Cromwell, in a structured, commonly-used and machine-readable format and the right to transmit those data to another controller without hindrance; and
Objection - in certain circumstances, you have the right to object to the processing of your personal data carried out by Cromwell or on its behalf.
10. Information Security
10.1 Cromwell has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing it carries out to protect the confidentiality, integrity and availability of your personal data and to protect against unauthorised or unlawful processing and accidental loss, destruction or damage. These measures include:
- Physical safeguards, such as locked doors and file cabinets and controlled access to our facilities.
- Technological safeguards, such as use of anti-virus and endpoint protection software, encryption, and monitoring of our systems and data centres to ensure compliance with our security policies.
- Organisational safeguards, through training and awareness programs on security and privacy, to ensure employees understand the importance and means by which they must protect personal data, as well as through privacy policies and policy standards that govern how we treat personal data.
11. Contact Us
If you would like further information on anything in this privacy notice, for all questions or concerns you have about your personal data, or if you think you would like to exercise any of your rights as a data subject, please contact the GDPR Central Representative named at the top of this Privacy Notice at: 1st Floor, Unit 16, Manor Court Business Park, Scarborough, YO11 3TU or EUprivacy@cromwellpropertygroup.co.uk
12. Making a Complaint
If you think we have not complied with the requirements of the GDPR as it applies to your personal data, please contact us using the contact information above.
You also have a right to lodge a complaint with any data protection supervisory authority in the EU. You can find details of all of the EU supervisory authorities here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.