Dear customer,

Land Securities Properties Limited (“Landsec”, “us” or “we”) undertakes property management services at the property. It is committed to operating in accordance with data protection laws. 

The personal data that Landsec processes relating to our customers, in this case those occupying one of our properties, typically consists of the following:

1. Billing 

Details held on our corporate systems relating to the identity of occupiers for the purposes of fulfilling obligations and ongoing billing and management arrangements under a lease or occupational agreement;


2. Operations and health and safety

Personal details from occupiers, their employees and contractors on site, including names, addresses, emails, phone numbers and contact details are processed for the following purposes:

  • Providing property and facility management services – we may take personal details of occupiers or their employees to register facility issues and report back resolutions in connection with services under the lease. This is performed as part of our contract with our tenants and as legitimate interest to review and improve our services to our tenants. Personal information may be passed to contractors appointed by Landsec to respond to facility issues;
  • reporting any injuries or potential insurance claims – these may include special categories of personal data – to ensure that we comply with our legal responsibilities in relation to Health and Safety investigation and reporting, and also in relation to defending any future legal claims. The information can also be used to prevent and detect crime, or to protect the vital interests of individuals. The data may be shared with third parties such as insurance providers and legal advisors in order to defend a claim, government or other competent organisations who are required to report on incidents by law or the police to investigate a crime. It may also be shared with a third party who are liable for a claim under their contractual relationships with Landsec for the purposes of allowing them to defend a claim;  
  • provide business continuity services to allow us to alert occupiers and their employees of an incident that may impact their business operations, which may include collecting ‘home’ contact information. This is a legitimate interest to effectively respond to incidents at our properties.  

The data above is held is long as required to perform these functions.

3. Security systems

As part of our security operation, we will also be collecting personal images relating to visitors and customers to its properties from CCTV, Body Mounted Video and ANPR (Automatic Number Plate Recognition) systems.

CCTV, BMV, ANPR, Visitor and Access control data is collated to pursue our legitimate interests to protect the property in question, to protect the safety and vital interests of our visitors, employees, tenants and customers,to assist with the prevention and detection of crime and to provide our contracted service to our tenants. CCTV is not used for monitoring of staff or contractual performance, however, if CCTV is required as part of a disciplinary investigation it can be used for this purpose if the seriousness of the investigation warrants it.
We use third party service partners to provide security services, but the information recorded through these technologies is held on systems we control. The data we collect may be shared with the police, tenants, local authorities, other sites or local crime reduction partnerships and initiatives for our legitimate interests to run successful businesses in environments that are safe for our staff and customers, and the prevention and detection of crime. These organisations may also share data with us. ANPR data can be shared with third parties for the purposes of enforcement.

We may also obtain and share the information with insurance companies where they request data relating to insurance claims to support their legitimate interests, or those of their clients, or to defend legal claims.

ANPR is collected to fulfill a contract between ourselves and our users of our parking facilities, including enforcement action. At some of our sites ANPR automatically issues a penalty notice where the duration of stay exceeds the amount that has been paid for. If you wish to appeal a penalty notice issued as part of an automated process, please contact 

4. Access control and visitor management

Landsec may provide an access control system that allows secure entry to the building, and/or details of visitors to your premises. These systems may be provided and accessed by third parties, such as our reception or security staff. We deliver these services at the property pursuant to leasing agreements, as well as to prevent and identify crime. These systems hold personal data – typically an individual’s name, the organisation with which they are associated and movement data as they access various parts of the building. 

For the purposes of providing access control and visitor management services to you, Landsec acts as your Data Processor. In relation to any subject right requests for the personal data included in the access control systems and/or visitor systems, we will refer requests to you as the Data Controller and respond to your instructions as to how these should be actioned. 

If you instruct us to remove individuals from the access control system we deactivate the access card and remove any personal data associated with it. Cards which have not been used for three months will be deactivated. We will inform occupiers about deactivated cards to confirm whether to delete the information. Where we have not received an instruction, and where a card has not been used for a year, we will delete the access card and the personal information associated with it. If you require alternative treatment please provide written instructions to the security team.

For visitors, we will look to remove their data within six months of their last visit. 

For your convenience, a Data Processing Addendum is enclosed in this pack, which details our responsibilities to you as a data processor for access control and visitor management systems.

5. Marketing 

We also may use your business contact details to contact you in pursuit of our legitimate interests. Interactions can include: to inform you of products and services that we think may be of interest to you; asking you to complete customer surveys so that we can understand how we can better meet your needs; and communication through our tenant relationship management tool, which is VTS. This system is provided by a third party and holds your business contact details in the United States. Landsec has a model clause data transfer agreement in place.

Protection of information relating to occupiers, their employees and contractors

Landsec has in place administrative, technical and physical measures on our systems and internally which are designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that we hold. We place similar obligations on our service partners and undertakes risk assessments on their security measures. 

Landsec uses service partners to provide security, front of house/concierge/guest services as well as facilities management at its properties. We also use third party system providers for access control and visitor management systems, and to provide marketing services. These third parties will have access to your personal data. 

From time to time Landsec may transfer your personal information to its group companies, suppliers or service providers based outside the UK. If Landsec does so your personal information will continue to be subject to one or more appropriate safeguards as required by law. These might include the use of model contractual clauses, or having suppliers sign up to an independent privacy scheme approved by regulators. 

Landsec will ensure that where information is transferred outside the UK, Landsec and the receiving party will comply with all relevant laws governing such transfers.

Other recipients and third-party transfers not detailed previously

We may pass on or allow access to your information:

  • Other Service Providers: we may share information we collect about you with third parties who provide services on our behalf to help with our business activities, such as third parties providing valuation services for our portfolio;
  • to our Joint Venture partners or other companies in our group;
  • to any purchaser of all or part of our business or any of our properties;
  • to sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers;
  • where we are required to do so by law, court order or other legal process;
  • where, acting in good faith, we believe disclosure is necessary to assist in the investigation or reporting of suspected illegal or other wrongful activity.  This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
  • to protect and defend our rights or property.
  • Landsec uses Microsoft Office 365 cloud technology for its operations. Its data centres are located with the EU, which is considered adequate by the UK.

Rights of occupiers and their employees

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the following rights:

  • Subject to certain conditions, request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. Disclosure may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff.
  • Subject to certain conditions, request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.  You also have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details. This right only applies to your own personal data. When exercising this right, please be as specific as possible.
  • Subject to certain conditions, request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). 
  • Subject to certain conditions, object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. 
  • Subject to certain conditions, request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. 
  • Subject to certain conditions, request the transfer of your personal information to another party.  If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.  This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal data that has been provided to us by you.
  • Where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.   If you do decide to withdraw your consent we will stop processing your data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.  If you withdraw your consent, this will only take effect for future processing. 

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please email

You will not have to pay a fee to access your personal information (or to exercise any of the other rights); however, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

You can also contact the Information Commissioner's Office via for information, advice or to make a complaint.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

For more information, please contact the data protection officer on

Changes to the privacy and cookies policy

This Privacy Notice was last updated on 28 April 2021. If it is necessary for us to alter the terms of the Privacy Notice, we will post the revised Privacy Notice here. We encourage you to frequently review the Privacy Notice for the latest information on our privacy practices. 

Date Changes to Privacy Policy
25 May 2018 Updates relevant to GDPR
24 July 2018 Updated section 5 to provide additional transparency on third parties and inclusion of version control table

30 September 2020

Removal of Privacy Shield Reference
29 January 2021 Brexit update
28 April 2021 Updates to mirror updates made to bring information in alignment with privacy information provided at the ‘Visitor’ Landsec Privacy Page.   

Where Landsec is the Data Controller in respect of personal data processing, our details are as follows: Land Securities Properties Limited (company number 961477) whose registered office is at 100 Victoria Street London SW1E 5JL.

Landsec are registered with the Information Commissioner’s Office with registration number Z5806812

If you have any questions about this Privacy Notice, please contact the Data Protection Officer at