Privacy Policy

Privacy Policy

CBRE HOST BUILDING GLOBAL PRIVACY NOTICE

Last Updated: 25 May 2021

 

Last Reviewed: 25 May 2021

This CBRE Host Global Privacy Notice (“Notice”) is issued by CBRE, Inc. and its subsidiaries (“CBRE Group”) to assist you in understanding our data collection and handling practices when you use the Host Building app.

This Notice is also intended to assist you in making informed decisions and exercising your data privacy rights under applicable law.

Whenever this Notice refers to “CBRE”, “we”, “us” or “our”, it refers to the applicable responsible CBRE Group entity/ies defined in Appendix 1 below. Our data collection and handling practices relating to personal data of employees, contractors, and similarly employed individuals of CBRE are further described in our Employee Privacy Notices, which are available (as applicable) on CBRE’s employee Intranet.

TABLE OF CONTENTS

 

SUMMARY OF KEY INFORMATION

 

SCOPE

This Notice applies to the personal information relating to use of CBRE Host apps.

RESPONSIBLE ENTITY / DATA CONTROLLER

CBRE, Inc.

Please find information on how to identify your applicable responsible CBRE entity (or entities) in Appendix 1. See details below in Information about the Responsible CBRE Entity / Data Controller.

PERSONAL INFORMATION WE COLLECT / SOURCES

We collect your contact information, certain information from your device, and information you provide in relation to a service request. We also facilitate the collection of information relating to events or classes by third-party vendors or organizers. See details below in Personal Information We Collect and Sources.

USE OF YOUR PERSONAL INFORMATION AND LEGAL BASES 

We use your personal information to manage our relationship with you and provide you with Host Building services. We generally do this on the basis of our legitimate business interests, and in some cases with your consent. See details below in Use of Personal Data.

DATA SHARING

We share your information with our service providers, with vendors and event organizers, and with flexible space providers engaged by your employer or landlord. See details below in Sharing of Personal Data

DATA RETENTION

We retain the personal information we collect about you for as long as necessary for the purpose for which that information was collected or as otherwise legally required.  See details below in Retention of Personal Data

DATA SECURITY

We implement appropriate technical and organizational security measures to safeguard the personal information we collect and process about you against loss and unauthorized alteration or disclosure.  See details below in How We Secure Your Personal Information.

INTERNATIONAL DATA TRANSFERS

We may share your personal information with other CBRE entities and service providers located outside of your home country. When doing so, we provide appropriate safeguards for international data transfers as required by applicable law. See details below in International Data Transfers.

PRIVACY RIGHTS

Depending on the laws in your country, you may have certain rights to request access, rectification, deletion, objection, or other actions regarding your personal information. See details below, including how to exercise any privacy rights you may have under applicable law, in Your Data Privacy Rights.

CALIFORNIA CONSUMER PRIVACY POLICY

Additional disclosures required under California law to be made to individuals who are residents of California, including relating to applicable privacy rights, are provided in CBRE’s California Consumer Privacy Policy.

CONTACT CBRE

You are always free to contact us if you have questions or concerns about this Notice or our personal information collection and processing activities. See details below in Contact CBRE.

DATA PROTECTION OFFICER

Where required by law, we have appointed a data protection officer whose contact details are disclosed in this Notice. See details below in Data Protection Officers.

EU/UK REPRESENTATIVE

We have appointed a representative for any responsible CBRE entity located outside of the EEA and the UK that process personal information subject to the EU General Data Protection Regulation and UK data protection law. See details below in EU and UK Representative.

CHANGES TO THIS NOTICE

If we make any material changes to this Notice, we will make changes here and, if the changes are significant, we will provide a more prominent notice. Where required, we will obtain your consent. See details below in Changes to this Notice.

FULL NOTICE

1.    Personal Information We Collect and Sources

a.    Categories of Personal Information We Collect

 

Where we may lawfully do so under applicable law, we collect the following categories of personal information directly from you or from other sources, such as your contact when you visit a Host workplace (for more information on data sources, see Sources from Whom We Collect Personal Information, below).

  • Employment Information—the name of your employer, your business email address, and your office location
  • For Residential Properties, Tenancy Information – your residential address at the relevant property
  • Your Personal Contact Information—personal (non-business) email address, mobile phone number
  • Device Information—calendar information, unique ID, frequency of use, click tracking, device location tracking
  • Event Registrations—information collected by our vendors and third-party event organizers
  • Service Requests—any information you voluntarily provide
  • Your Contact Information provided by a Third Party—name, business or personal (non-business) email addresses
  • Payment Details – where necessary, your personal or business credit card details

 

b.    Sources From Whom We Collect Personal Information

 

Your employer’s landlord or your residential landlord, as applicable, provides us with your name, your business or personal email address (respectively) and your office location or residential address (respectively) so that we may verify your place of employment or residence and grant you access to the Host Building app.

If you visit a Host Building workplace or residential property, your contact at that property may provide us with your name and business or personal email address to allow you access to the workplace.

c.     Consequences of Not Providing Personal Information

 

If you do not provide your employment or tenancy information, you will not be able to use the Host app.

If you do not provide your location information, you will not be able to use location-based features of the app, such as wayfinding.

2.    Use of Personal Information and Legal Bases

 

The purposes for which we use your personal information and the legal bases for such processing are as follows:

  • To enable your access to the Host app, we process your (i) Employment Information and verify it with Employment Information provided by your employer’s landlord; or (ii) tenancy information, in each case based on our legitimate business interests or based on your consent (if required by law)
  • To manage our relationship with you, where necessary we process your Employment Information or Personal Contact Information to contact you with information about Host Building based on our legitimate business interests or based on your consent (if required by law).
  • To provide you with the Host Building services, we process your calendar data, location data, and service-request data based our legitimate business interests or based on your consent (if required by law).
  • To analyze your usage of the app, we process your unique ID, frequency of use, and click tracking information based on our legitimate business interests or based on your consent (if required by law).
  • To allow you to register for events or classes, we facilitate the collection of information by our vendors and third-party event organizers. These third parties act as controllers of this information, and we encourage you to read their privacy notices to understand how they will use and store your information.
  • To allow you to pay for goods or services ordered through the Host Building Application, including, where applicable, registering for activities and classes which require payment,

a.    Legitimate Business Interests

 

To the extent, CBRE relies on its overriding legitimate business interests for the processing of your personal information, such business interests are in particular:

  • providing you with the Host Building services,
  • improving our app and better serving our customers,
  • fulfilling your requests and responding to your inquiries, and
  • establishing, exercising or defending our legal rights and claims.

b.    Automated Decision-Making

 

CBRE does not process any personal data it collects and processes via Host Building to make automated decisions.

3.    Sharing of Personal Information

 

Where we can do so lawfully under applicable law, the personal information we collect may be shared and processed with the following categories of recipients, some of whom may be located in a country that does not provide an adequate level of data privacy and protection rights as your home country, as necessary for the purposes identified in Section 3 – Use of Personal Information and Legal Bases, above.  CBRE has in place appropriate safeguards regarding internal personal information sharing. See International Data Transfers below for more information. To the extent possible, personal information is shared in an aggregated, pseudonymized or anonymized format.

a.    Internally with Other CBRE Entities

 

CBRE is a global firm and the personal information we collect, or you provide may be shared and processed with CBRE entities as necessary for the purposes identified in Section 3 – Use of Personal Information and Legal Bases, above.

b.    With Third Parties

 

The potentially relevant third parties include:

  • Service Providers who assist us with infrastructure and IT services, including cloud service providers.
  • Consultants and advisors who assist us with legal, regulatory, and business operations activities, such as legal counsel, compliance consultants and business auditors.
  • Flexible working space providers who have been engaged by your employer.
  • Business partners in case of a merger or sale, such as if CBRE is merged with another organization, or in the event of a transfer of our assets or operations.

c.     Legally Compelled Disclosure

 

We may be required to disclose your personal information to governmental and regulatory authorities, law enforcement agencies, courts and/or litigants when legally compelled to do so, for example, in response to a court order, subpoena or other lawful, legally-binding request, including to meet national security or law enforcement agencies requirements, or in connection with legal proceedings or similar processes as necessary to exercise or defend our legal rights.

CBRE is committed to not disclose your personal information in response to an international court order or a subpoena or other legal obligation, unless we are legally compelled to do so under applicable law. In particular, CBRE, Inc. has assessed and is of the view that neither it nor its US subsidiaries qualify as a provider of electronic communication service, as defined in 18 U.S.C. § 2510, nor a provider of a remote computing service, as defined in 18 U.S.C. § 2711, and thus US public authorities cannot issue a legally binding demand for disclosure of data under Section 702 of the US Foreign Intelligence Surveillance Act ("FISA 702") upon CBRE, Inc. or its US subsidiaries.  In case CBRE nevertheless receives at some point a disclosure demand for personal information under FISA 702, we will publish a Transparency Report on cbre.com and our EEA websites (see our Schrems II statement).  All personal data transferred by CBRE to the US is encrypted in transit.

4.    Retention of Personal Information

 

We will retain your personal information only for as long as required to satisfy the purpose for which such information was collected, unless otherwise required by law or regulation to be retained for a longer period. Should you require further information as to the retention period, please do not hesitate to contact us.

5.    How We Secure Personal Information

 

We implement appropriate technical and organizational security measures to safeguard the personal information we collect and process about you against loss and unauthorized alteration or disclosure. The information you provide is encrypted in transit and at rest. We utilize role-based access controls to limit access to your personal information on a strict need-to-know basis consistent with the purposes for which we have collected such information. We utilize anti-malware and intrusion detection systems to guard against unauthorized access to our network, and we have an incident response plan in place to quickly respond to any suspected leak or breach of personal information.

Where we share your personal information with our service providers, we have assessed that their technical and organizational measures provide an appropriate level of security.

6.    International Data Transfers

 

Depending on the CBRE entity that is the responsible CBRE entity (see Appendix 1 below) and the recipients (see Sharing of Personal Information above), your personal information may be processed and hosted in countries other than your home country, such as the United States, Mexico, Singapore, and Australia. Those other countries may have less stringent data protection laws than the country in which you reside, in which you initially provided the information and/or in which your information was originally collected.

In case of international data transfers, we will protect your personal information as required by all applicable data protection laws.

a.    EEA and UK to Non-EEA Data Transfers

 

With respect to international data transfers initiated by CBRE from the European Economic Area ("EEA") or UK to recipients in any non-EEA jurisdictions,

  • some recipients are located in countries which are considered as providing for an adequate level of data protection under EU law (or UK law, as applicable). These transfers do not, therefore, require any additional safeguards under EU (or UK, as applicable) data protection law.
  • other recipients are located in countries not providing an adequate level of data protection under EU or UK law, such as such as the United States, Mexico, Singapore, and Australia, and, where required by law, we have implemented appropriate safeguards, such as EU Standard Contractual Clauses, and/or are relying on binding corporate rules of the recipient or an appropriate derogation.  Where applicable, we implement supplementary technical and contractual safeguards. Under applicable law you may have the right to ask for further information on such appropriate safeguards (see Section 9 - Contact CBRE below).

As stated above (see Legally Compelled Disclosures), CBRE, Inc. has assessed and is of the view that US public authorities cannot issue a lawful disclosure demand for personal data under FISA 702 upon CBRE, Inc. or its US subsidiaries. All personal data transferred by CBRE to the US is encrypted in transit. 

7.    Your Data Privacy Rights

 

Depending on the legal regulations in your country and the applicable laws to which you are subject, you may have all or some of the following rights set out below and may submit a request(s) to exercise any such rights through our Data Subject Rights Portal or by contacting us at dsr@cbre.com.  Irrespective of the CBRE entity that is responsible for the processing of your personal information, you may use such centralized contact details and CBRE will ensure that the responsible CBRE entity receives your request and addresses it promptly as required by applicable law. CBRE will respond to your request comprehensively, even if you do not identify the particular CBRE entity against whom you make the request. 

  • Right of access: You may have the right to obtain from CBRE confirmation as to whether your personal information is being processed, and, where that is the case, to request access to your personal information. You may have the right to obtain a copy of your personal information undergoing processing. For additional copies requested by you, CBRE may charge a reasonable fee based on administrative costs. 
  • Right to rectification: You may have the right to obtain from CBRE the rectification of inaccurate personal information concerning you.
  • Right to erasure (right to be forgotten) or anonymization: You may have the right to ask us to erase (or in some jurisdictions, anonymize) your personal information. In some jurisdictions, this right may be limited to deletion or anonymization of data that is unnecessary, excessive, or unlawfully processed, or deletion of data that is processed based on your consent.
  • Right to restriction of processing: You may have the right to request the restriction of processing your personal information.  
  • Right to data portability: You may have the right to receive your personal information which you have provided to CBRE in a structured, commonly used and machine-readable format and you may have the right to transmit those personal information to another entity without hindrance.
  • Right to withdraw consent: If we rely on your consent for any personal information processing activities, you have the right to withdraw or revoke this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. This right to withdraw consent applies in particular to consents given for marketing and profiling purposes, if any.
  • Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal information by CBRE, and CBRE can be required to no longer process your personal information unless CBRE demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. The right to object may, in particular, not exist if the processing of your personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
  • Right to request an explanation of our processing activity of your personal information
  • Right to information on the possibility to withhold consent and information on the consequences of doing so.
  • Right to information on third parties with whom we have shared your data.
  • Right to lodge a complaint with the competent data protection authority in your home country or in the country in which the responsible CBRE entity is located, in particular with respect to the result of automated decision-making.  A list of European Union Data Protection Authorities is available from the European Data Protection Board.  In Brazil, the competent data protection authority is the Autoridade Nacional de Proteção de Dados (ANPD).

a.    Brazil

 

In addition to other rights provided under applicable law, with respect to personal information collected and processed within Brazil, you may have the right to request review of decisions taken solely based on the automated processing of personal data which affects your interests, including decisions aimed at defining their personal, professional, consumption and credit profiles or aspects of their personality.

b.    China

 

In addition to other rights provided under applicable law, with respect to personal information collected and processed within China, you may have a right to deregister as a user of an application and cancel online accounts.

8.    California Consumer Privacy Policy

 

If you are a resident of the State of California (“Consumer”), CBRE’s California Consumer Privacy Policy (“California Policy”) supplements the information provided in this Notice and includes information about your privacy rights and how to exercise them.  The California Policy applies solely to personal information we have collected from individuals who are residents of the State of California in the twelve (12) months preceding date on which the California Policy was last updated. 

9.    Contact CBRE

 

You are always free to contact us if you have questions or concerns regarding this Notice or our data handling practices.  We may contact you by email in relation to any Observations, Incidents, and Self-Certifications you report or make. If you prefer us to contact you in an alternative manner, please let us know and we will accommodate your request if possible and appropriate.

a.    General Enquiries

 

You may contact CBRE’s Global Data Privacy Office (“GDPO”) at Privacy.Office@cbre.com or by writing to us at 321 North Clark Street, Suite 3400, Chicago, Illinois 60654, Attention: Global Director, Data Privacy.  You may also raise questions or concerns about the GDPO to CBRE’s Ethics & Compliance department via the CBRE Ethics Helpline.

Individuals in Europe, the Middle East or Africa:

 

If you are located in Europe, the Middle East or Africa, you may also e-mail us via the GDPO at EMEAPrivacyDirector@cbre.com or write to us at St. Martins Court, 10 Paternoster Row, London EC4M 7HP, United Kingdom, Attention: EMEA Director, Data Privacy.

Individuals in Asia or the Pacific:

 

If you are located in Asia or the Pacific, you may also e-mail us via the GDPO at APACPrivacyHelpline@cbre.com or write to us at 15/F M1 Tower, 141 H.V. Dela Costa Street, Salcedo Village, Makati City, Philippines 1227, Attention: APAC Senior Manager, Data Privacy.

b.    Data Protection Officers

 

In some countries, CBRE has appointed a Data Protection Officer (“DPO”), whom you may contact with questions or concerns about how CBRE processes your personal information.  Contact information for our DPOs in the European Union, the UK and Brazil is available in our Global Privacy and Cookie Notice.

c.     EU and UK Representative

 

We have appointed a representative for the responsible CBRE entities located outside of the EEA and UK that process your personal information subject to the EU General Data Protection Regulation and UK data protection law. The representatives contact details are available in our Global Privacy and Cookie Notice.

10.         Changes to this Notice

 

We are a rapidly evolving, global business. We will continue to assess and make changes to this Notice from time to time as required. If we make any material changes to this Notice, we will make changes here and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Notice changes). Where required, we will obtain your consent.