Fair Processing Notice – One Heddon Street (including app and platform)

This Fair Processing Notice (the ‘Notice’) explains how The Crown Estate (‘we’ or ‘us’) will store and use personal data that is collected from you when you visit https://oneheddonst.spaces.nexudus.com (the ‘Platform’), or use its associated application (the ‘App’) and/or apply for membership at One Heddon Street.

The Crown Estate is the ‘controller’ of personal data collected through the Platform and App for the purposes of applicable data protection laws, and is the organisation you should contact if you have questions about the use of your personal data.

Information that you provide to us

We will collect and process personal data about you:

  • If you apply for membership at One Heddon Street;
  • If you become a member at One Heddon Street;
  • If you participate in the Community Forum on the Platform;
  • If you contact us by telephone, email or letter;
  • If you visit One Heddon Street in person.

The personal data we collect may include your name, email address, employer, telephone number, mailing address, and payment information. We will keep this information for as long as it is necessary for us to process it for your membership.

We will also collect CCTV images when you visit One Heddon Street.

We will use the information you provide to us:

  • To create and maintain your account on the Platform;
  • To communicate with you about your application and/or membership, and to administer your membership at One Heddon Street;
  • To carry out identity verification, financial standing and any other background checks required to progress your application (please note that you will usually provide this information directly to a third party referencing agency to minimise data processing);
  • To process payments;
  • To facilitate and manage the Community Forum and respond to any comments or queries that you may post on the Community Forum;
  • To notify you about changes to the Platform or to our services (including building maintenance issues);
  • If you do not become a member at One Heddon Street, to notify you about events or promotions at One Heddon Street where you have consented for us to do so;
  • If you become a member at One Heddon Street, to notify you about events or promotions at One Heddon Street, the surrounding area and the wider community;
  • To send you occasional email updates (see ‘Email Updates’ below);
  • To perform surveys and analysis with the aim of improving the services we provide;
  • To ensure that your visit to the Platform is safe and secure;
  • To comply with any legal obligations to which we are subject, such as health and safety laws, and to protect and defend our rights and interests.
  • As part of security services within common areas, The Crown Estate may collect personal images including those of occupiers, their employees and visitors entering such areas. Signs will be displayed notifying you of our CCTV arrangements. The Crown Estate provides surveillance services with the primary purpose of preventing and detecting crime. Retention policies are in place to govern how long this information should be kept, which is generally for no longer than 30 days unless an incident has been logged. More information on access control and visitor management is provided below.

Access control and visitor management

At One Heddon Street, we provide an access control system that allows secure entry to the building, and/or details of visitors to your premises. We deliver these services at the property pursuant to leasing agreements, as well as to prevent and identify crime. These systems hold personal data – typically an individual’s name, the organisation with which they are associated and movement data as they access various parts of the building.

For the purposes of providing access control services to you, The Crown Estate’s managing agents act as your data processor. In relation to any subject right requests for the personal data included in the access control systems and/or visitor systems, The Crown Estate’s managing agents will refer requests to us as the data controller and respond to your instructions as to how these should be actioned. To ensure compliance with data protection laws, The Crown Estate’s managing agents will review personal data within any access control and visitor systems, and any personal data relating to expired access cards will be permanently deleted.

Location information

When you use our app for room booking, and consent to location services being used by it, low energy bluetooth is used to broadcast a unique meeting room ID so that the app knows when you are close to the meeting room and prompt you to book it.

Transfers of personal data

Where necessary, The Crown Estate may transfer your personal information to its joint venture partners, suppliers or service providers based outside the European Economic Area (EEA). If The Crown Estate does this, your personal information will continue to be subject to one or more appropriate safeguards as required by law. These might include the use of model contractual clauses, or having suppliers sign up to an independent privacy scheme approved by regulators (such as ‘Privacy Shield’).

The Crown Estate will ensure that where information is transferred outside the EEA, transfers will only take place where appropriate safeguards are in place to protect it. Further information on such transfers are included below under ‘Service providers’.

Recipients of personal data

We may disclose the personal data we hold about you to:

  • Jones Lang LaSalle Limited trading as Regent Street Management Direct (or other trading name);
  • Third party referencing agencies in order to run background checks (we use a company called LetHQ);
  • Our service providers, including IT hosting companies, platform providers (such as Nexudus) and payment platforms – please see further details below under ‘Service providers’;
  • Rapport Concierge Services (or other concierge provider);
  • Professional advisors such as solicitors, accountants, auditors, financial and other professionals;
  • Regulatory authorities, law enforcement agencies, courts and other relevant tribunals where we are required or permitted to do so by law, or in order to protect and defend our interests;
  • A prospective buyer or seller of our business or assets in the event that we sell or buy any business or assets.

Service providers

Our app and platform link you to third party service providers, as explained below. We have also provided links to each supplier’s privacy policy or fair processing notice.

  • Nexudus. Nexudus provide our membership platform and use Amazon Web Services servers based in London and Ireland.
  • HelloSign. We pass your details to HelloSign so that you can sign an electronic contract and enter into the membership agreement. You will enter into a contract with HelloSign directly. Please note that HelloSign is based in the United States (US) and relies on the Privacy Shield to protect any transfers of personal data from the UK.
  • GoCardless We use GoCardless to take payments from you. Payments to UK-based providers, such as ourselves, do not involve a transfer of data outside the UK.
  • Avigilon: Avigilon provides us with security services including access control and security services. Staff and customer details will be held on servers located at One Heddon Street and only accessed externally within the UK for the purposes of authorised remote support.
  • IronWiFi: We use IronWiFi to provide WiFi network management services and they will process your name and email address within the UK.
  • WorldPay and Spreedly. These companies allow you to make payments for services to The Crown Estate. Spreedly enables you to do this without re-entering all your details each time, while WorldPay allows the payment to be taken. Using each of these services may involve the transfer of personal data to the US, with transfers protected by Privacy Shield.
  • Twilio SendGrid. We use SendGrid to facilitate our email messaging service. SendGrid is based in the US and uses appropriate safeguards – such as Privacy Shield, binding corporate rules and standard contractual clauses – in order to transfer any personal data to the US.
  • Papercut. We send members’ names and email addresses to Papercut servers that are physically located at One Heddon Street to enable you to use our printing services and be charged appropriately.

Cookies

When you visit the Website or the Platform, cookies may collect certain information about your device and activity. You can find out more about this in our cookie statement.

The Community Forum

Any messages that you post in the Community Forum will be viewable by other members of One Heddon Street, along with your name and photograph where you have uploaded one. Please do not post anything in the Community Forum that you would not wish to become public information.

Where we store your personal data

The data we collect is stored on information technology systems owned and run by or on behalf of The Crown Estate or on systems run by those businesses processing it on our behalf. All information you provide to us is stored on secure servers. Unfortunately, the transmission of information via the internet is not completely secure and although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet to the Platform; any transmission is at your own risk. Once we have received your data, we will use all necessary procedures and security measures to try to prevent unauthorised access, loss, disclosure or amendment.

Our legal basis for processing your personal data

  • If you apply for membership at One Heddon Street through the Platform and/or your application is accepted, our legal basis for processing your personal data is that it is necessary for the performance of any agreement that we enter into with you or the steps to enter into such agreement.
  • If you opt in to receiving marketing, the legal basis for processing your personal data is your consent. You can withdraw your consent to receiving marketing at any time by contacting us or clicking the ‘unsubscribe’ link at the bottom of any marketing email you receive from us.
  • If you otherwise contact us, our legal basis for processing your personal data is that it is necessary for our legitimate interest in conducting our business and meeting the requirements of customers.
  • Our legal basis for processing personal data as part of our security systems is legitimate interests; it is in the legitimate interests of the controller, The Crown Estate, to retain footage of possible criminal acts or threats to public security and, where appropriate, to pass that footage to a competent authority.

Email updates

You may opt out of receiving email updates by clicking the ‘unsubscribe’ link in any email update that you receive from us. If you do opt out, we may still send you non-promotional emails, for example, a service-related communication or a reply in relation to a query you have asked us.

Retention of personal data

We store the personal data we collect about you for as long as is necessary for the purpose(s) for which we originally collected it, or for other legitimate business purposes, including to meet our legal, regulatory or other compliance obligations.

Your rights

Individuals are afforded rights under GDPR including the right to access, correct, object, restrict and erase. To exercise these rights please contact One Heddon Street staff or email the Data Protection Officer at The Crown Estate using the contact details below.

  • You have the right of access to your personal data.

This includes a description of the personal data being processed, the purposes of processing and any recipients to whom the personal data is disclosed. To exercise this right, please make a Subject Access Request in writing to the Data Protection Officer at The Crown Estate, 1 St James’s Market, London SW1Y 4AH, stating the information you require. We do not charge a fee. We may contact you to verify your identity or to clarify the precise information you require before processing your request.

  • You have the right to ask us not to process your personal data for direct marketing purposes.
  • You have the right to rectify your personal data at any time if it is incorrect.
  • You have the right to have your personal data erased under certain conditions.
  • You have a right to restrict or object to some forms of data processing.
  • You have the right to prevent any unwarranted processing likely to cause damage or distress.

Please note that some of these rights may not apply to processing where it is necessary to fulfil a contract or where a legal obligation for us to process the information exists.

Please note that in the event The Crown Estate or its managing agent receives a request to access surveillance data from an occupier in relation to a member of their staff, they cannot provide it without sufficient cause so as to preserve the privacy rights of the individual.

Complaints

You have the right to complain about the use of your personal data to the Information Commissioner’s Office (www.ico.org.uk).

Changes to this Notice

This Notice will be reviewed from time to time to take account of changes to our operations and practices. If we make changes, we will notify you by revising the date at the top of this Notice, and if the changes are significant, we may provide you with additional notice, such as adding a statement to the homepage of the Platform or sending you an email with the update. Any personal data held will be governed by our most current Notice.

Contact us

If you have any questions about this Notice or the ways in which we use your personal data, you can contact our Data Protection Officer by writing to The Crown Estate, 1 St James’s Market, London, SW1Y 4AH, or emailing: enquiries@thecrownestate.co.uk.

This Privacy Notice was last updated on 7 November 2019. The Crown Estate is registered with the Information Commissioner’s Office with registration number Z6390151.