Blueco Limited (“Blueco”, “us” or “we”) undertakes property management services at the property. It is committed to operating in accordance with data protection laws. 

Types of data processing

The personal data that Blueco processes relating to our customers, in this case those occupying one of our properties, typically consists of the following:

1. Details held on our corporate systems relating to the identity of occupiers for the purposes of fulfilling obligations and ongoing billing and management arrangements under a lease or occupational agreement;
2. Personal details from occupiers, their employees and contractors on site, including names, addresses, emails, phone numbers and contact details are processed for the following purposes:

• Providing property and facility management services – we may take personal details of occupiers or their employees to register facility issues and report back resolutions in connection with services under the lease;
• providing secure access to the premises as a service under the lease;
• reporting any injuries or potential insurance claims – these may include special categories of personal data – to discharge our legal obligations or defend a claim;  
• provide business continuity services to allow us to alert occupiers and their employees of an incident that may impact their business operations, which may include collecting ‘home’ contact information. The service provider is based in the United States and we legitimise the transfer of your data through Privacy Shield. 

The data above is held is long as required to perform these functions.

1. Security systems

As part of the security services within common areas Blueco may collect personal images including those of occupiers, their employees and contractors entering such areas. Signs will be displayed notifying you of these arrangements, which may include CCTV, Body Mounted Video and ANPR (Automatic Number Plate Recognition). Blueco is the Data Controller for providing surveillance services at its managed properties.  This is collected to discharge our contractual obligations, and also to pursue our legitimate interests to protect the property in question, to protect the vital interests of our visitors and occupiers and to assist with the prevention and detection of crime.

However, this does not extend to any surveillance systems that you may have within your demise.

Blueco has retention policies which govern how long this information should be kept, generally for no longer than 31 days unless an incident has been logged.  

In the event Blueco receives a request to access surveillance data from an occupier in relation to a member of their staff, Blueco cannot provide it without sufficient cause so as to preserve the privacy rights of the individual.

2. Access control and visitor management

Blueco may provide an access control system that allows secure entry to the building, and/or details of visitors to your premises. We deliver these services at the property pursuant to leasing agreements, as well as to prevent and identify crime. These systems hold personal data – typically an individual’s name, the organisation with which they are associated and movement data as they access various parts of the building. 

For the purposes of providing access control services to you, Blueco acts as your Data Processor. In relation to any subject right requests for the personal data included in the access control systems and/or visitor systems, Blueco will refer requests to you as the Data Controller and respond to your instructions as to how these should be actioned. 

If you instruct us to remove individuals from the access control system we deactivate the access card and remove any personal data associated with it. Cards which have not been used for three months will be deactivated. We will inform occupiers about deactivated cards to confirm whether to delete the information. Where we have not received an instruction, and where a card has not been used for a year, we will delete the access card and the personal information associated with it. If you require alternative treatment please provide written instructions to the security team. 

For visitors, we will look to remove their data within six months of their last visit. 

For your convenience, a Data Processing Addendum is enclosed in this pack, which details our responsibilities to you as a data processor for access control and visitor management systems.

3. Protection of information relating to occupiers, their employees and contractors

Blueco has in place administrative, technical and physical measures on our systems and internally which are designed to guard against and minimise the risk of loss, misuse or unauthorised processing or disclosure of the personal information that we hold. We place similar obligations on our service partners and undertakes risk assessments on their security measures.

Blueco uses service partners to provide security, front of house/concierge/guest services as well as facilities management at its properties. We also use third party system providers for access control and visitor management systems, and to provide marketing services. These third parties will have access to your personal data. 

From time to time Blueco may transfer your personal information to its group companies, suppliers or service providers based outside the EEA. If Blueco does so your personal information will continue to be subject to one or more appropriate safeguards as required by law. These might include the use of model contractual clauses, or having suppliers sign up to an independent privacy scheme approved by regulators (such as ‘Privacy Shield’). For example, out provider of emergency broadcast services for business continuity transfers data to the US and utilizes Privacy Shield. 

Blueco will ensure that where information is transferred outside EEA, Blueco and the receiving party will comply with all relevant laws governing such transfers.

4. Marketing

As a Data Controller, we also may use your business contact details to contact you in pursuit of our legitimate interests. Interactions can include: to inform you of products and services that we think may be of interest to you; asking you to complete customer surveys so that we can understand how we can better meet your needs; and communication through our tenant relationship management tool, which is VTS. This system is provided by a third party and holds your business contact details in the United States, The provider of this system has Privacy Shield accreditation.

5. Other third-party transfers not detailed previously

We may pass on or allow access to your information:

• Other Service Providers: we may share information we collect about you with third parties who provide services on our behalf to help with our business activities, such as third parties providing valuation services for our portfolio;
• to our Joint Venture partners or other companies in our group;
• to any purchaser of all or part of our business or any of our properties;
• to sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers;
• where we are required to do so by law, court order or other legal process;
• where, acting in good faith, we believe disclosure is necessary to assist in the investigation or reporting of suspected illegal or other wrongful activity.  This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
• to protect and defend our rights or property.

6. Rights of occupiers and their employees

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the following rights:

• Subject to certain conditions, request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. Disclosure may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff.
• Subject to certain conditions, request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.  You also have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details. This right only applies to your own personal data. When exercising this right, please be as specific as possible.
• Subject to certain conditions, request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). 
• Subject to certain conditions, object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. 
• Subject to certain conditions, request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. 
• Subject to certain conditions, request the transfer of your personal information to another party.  If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.  This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal data that has been provided to us by you.
• Where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.   If you do decide to withdraw your consent we will stop processing your data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.  If you withdraw your consent, this will only take effect for future processing. 

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please email dataprotection@landsec.com.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights); however, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

You can also contact the Information Commissioner's Office via https://ico.org.uk/ for information, advice or to make a complaint.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

For more information, please contact the data protection officer on dataprotection@landsec.com.

7. Changes to the privacy and cookies policy

This Privacy Notice was last updated on 24 July 2018. If it is necessary for us to alter the terms of the Privacy Notice, we will post the revised Privacy Notice here. We encourage you to frequently review the Privacy Notice for the latest information on our privacy practices. 

Where Blueco is the Data Controller in respect of personal data processing, our details are as follows: Blueco Limited (company number 03196199) of 100 Victoria Street, London SW1E 5JL.

Blueco are registered with the Information Commissioner’s Office with registration number Z5806812.

If you have any questions about this Privacy Notice, please contact the Data Protection Officer at dataprotection@landsec.com.