Effective date: 24/07/2020
This Privacy Notice describes how CBRE, Inc. (“CBRE”, “we”, “us”, “our”) collects, shares, uses, and otherwise processes your personal data in connection with SpaceSpot. It also explains how you can exercise your privacy rights in connection with SpaceSpot.
We may update this Privacy Notice from time to time.
CBRE may collect and process the following categories of personal data for the following purposes in connection with SpaceSpot.
Personal data we may collect from you, reuse from your previous interactions with CBRE, or obtain from third parties:
Contact information, such as your name, phone number, email address, or username on a social-media service.
We use this information to prepare or facilitate communications with you. We do this as necessary for the performance or formulation of a contract.
We also use this information to ensure the security of electronic communications and information systems. We do this as necessary for the performance or formulation of a contract.
We provide this information to landlords to enable them to conduct their due diligence procedures prior to contract formation. We do this as it is necessary for the performance or formulation of a contract.
Photographs of you.
Where you choose to upload a photograph, we use this information to complete your account profile avatar. We do this on the basis of our legitimate business interests.
The data will be retained for these purposes for a maximum of three years.
We may obtain your personal data from third parties to whom you may choose to delegate the digital signing process.
Where necessary to fulfil the purposes described in this Privacy Notice, CBRE may disclose your personal data to certain third parties, vendors and service providers or affiliated employees, contractors and entities as described below.
Vendors and Service Providers
CBRE may share your personal data with companies acting as our authorised agents and service providers. Because CBRE operates globally, we may transfer your information to countries or jurisdictions that do not provide the same level of data protection as the country in which you reside. If we make such a transfer we will, or our service providers and vendors will, as applicable, provide safeguards appropriate to any applicable laws. See International Data Transfers, below, for more information.
Such third parties may include:
Software Providers: We use this information to manage customer relations with CBRE.
Legally Affiliated Entities
If CBRE is merged with another organization, or in the event of a transfer of our assets or operations, CBRE may disclose or transfer your personal data in connection with such transaction.
We use appropriate technical and organizational security measures to safeguard the personal data we collect and process about you from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These security measures are designed to provide a level of security appropriate to the risk. We also have a process to address and remediate any suspected personal data breach and will notify you and any applicable regulator in the event of a breach where we are legally required to do so.
CBRE is a global business. We may transfer the personal information we collect about you to recipients, and your personal information may be stored and processed, in countries other than the country in which the information was originally collected, including the United States and elsewhere that may have less stringent data protection laws than the country in which you initially provided the information. When we transfer your information to countries other than the country in which the information was originally collected, we will protect your information as described in this Notice and will comply with all applicable data protection laws in making such transfers.
If you are located outside the United States, the transfer of personal information is necessary to provide you with the requested information and/or to perform any requested service. To the extent permitted by law, such submission also constitutes your consent for the cross-border transfer.
With respect to transfers originating from the European Economic Area to the United States and other non-EEA jurisdictions:
CBRE US affiliates are EU-US and Swiss-US Privacy Shield certified, and
CBRE has executed EU Standard Contractual Clauses with respect to personal information collected in the European Economic Area and transferred to CBRE in the United States and elsewhere.
Where allowed by applicable law, you may ask for further information on the safeguards that we have put in place to safeguard the transfer of your data to outside of the EEA by contacting us as indicated below.
Privacy Shield Certification:
CBRE complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding personal information that is collected by CBRE affiliates or corporate customers located in the European Economic Area and/or United Kingdom and/or Switzerland and transferred to CBRE, Inc. and its wholly owned US-based affiliates, which include CBRE Global Investors LLC, CBRE GWS Puerto Rico Inc., CBRE Clarion Securities LLC, CBRE Security Services, Inc., CBRE Heery Inc., CBRE HMF, Inc., CBRE Multifamily Capital, Inc., CBRE Capital Markets, Inc., CBRE Technical Services, LLC, CBRE Hana Operations, LLC, Forum Analytics, LLC and Trammell Crow Company LLC in the United States (“CBRE US”). This Policy supplements the data protection notices that Clients and Client contacts may have received. CBRE has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. CBRE is subject to investigatory enforcement powers of the Federal Trade Commission as it relates to conformation with Privacy Shield requirements.
Disclosure and Liability for Onward Transfer:
CBRE is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. CBRE may, as disclosed above in How We Share Your Personal Data, transfer personal information onward to third parties. CBRE remains liable under the Privacy Shield Principles if a third party processes such personal information in a manner inconsistent with the Principles, unless we prove we are not responsible for the event giving rise to the damage.
Independent Recourse of Privacy Shield Complaints:
In compliance with the EU-US and Swiss-US Privacy Shield Principles, CBRE commits to resolve complaints about our collection or use of your personal information. EU, United Kingdom and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact CBRE at: Privacy.Office@cbre.com
CBRE has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you. You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by JAMS. For additional information on binding arbitration, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
The privacy laws in many countries grant you certain rights concerning your personal data. CBRE honours requests to exercise rights granted to you by applicable law.
If we collect or process your data in the context of our operations within the European Economic Area, you have the following rights under Regulation 2016/679, the General Data Protection Regulation (GDPR):
If you do not receive a timely response to your request or are not satisfied with the response you receive, you have the right to file a complaint with the applicable Data Protection Authority. A list of Data Protection Authorities is available from the European Data Protection Board.
As a consumer residing in the State of California, you have the right under the California Consumer Privacy Act (“CCPA”) to request that: (i) CBRE discloses the categories of Personal Information that we collected, the categories of the sources of such Personal Information, the business or commercial purposes for collecting such Personal Information, the categories of third parties to whom we disclosed such Personal Information, and/or, if we sold or disclosed your Personal Information, the categories of Personal Information that each category of recipient purchased or obtained, and/or (ii) that we provide you with copies of such Personal Information. You may make two (2) such requests in any 12-month period.
Subject to certain exceptions, you may also request that we delete any Personal Information about you that we may hold. We may have grounds to deny your deletion request as provided for in the CCPA.
Upon receipt of your request to know, for access, or for deletion, we will need to reasonably verify that you are the person about whom we collected Personal Information. We may do so by asking for additional information (“Verifiable Information”) to compare against the information we hold about you, or if you have an account with us, by asking you to log in to that account. We will only use Verifiable Information to verify your identity or authority to make the request. We may also ask you to provide additional detail or clarify your request to allow us to properly understand, evaluate and respond to it.
Types of Verifiable Information we may ask for depend on the context of your relationship with CBRE, but may include:
You may exercise your rights to know, access, delete or opt out by completing the form in our Data Subject Rights Portal or by calling us at +1 (866) 428 4722. We will ask for your name, email address, and your relationship to us in order to begin processing your request.
You may authorise someone to submit a rights request on your behalf. You may do this by providing that person with power of attorney pursuant to the California Probate Code. Alternatively, you may provide that person with signed, written permission to submit requests on your behalf, but we will still require you to verify your identity with us directly by one of the methods listed above. In either case, we will also require that person to verify their personal identity via one of the above methods, or, in the case of a business entity, by response to communications directed at a well-known internet domain associated with that business or to contacts provided in that entity’s official filings with the California Secretary of State.
You may also have rights under applicable law to request to review, access, correct, delete, port or object to our processing your personal information processed by us. If so, you may do so by making a request on CBRE’s Data Subject Rights Portal or submitting your request to firstname.lastname@example.org. If we do not respond to your satisfaction, you may also have the right to lodge a complaint with a supervisory authority. Information on privacy laws and supervisory authorities around the world is available from the French Commission Nationale de l'Informatique et des Libertés.