26 minute read
Data privacy and protection
In this clause, the terms ‘personal data’, ‘special categories of personal data’ and ‘processing’ each have the meaning attributed to them by the UK Data Protection Act of 2018, the UK General Data Protection Regulation (UK GDPR) and associated laws and regulations, including the EU General Data Protection Regulation (EU GDPR). Further, in this clause, ‘CBRE’ refers to the CBRE Group Inc. global corporate group of companies.
The Company holds a variety of information on employees, clients, suppliers and professional advisers to the business and has an obligation to comply with the UK GDPR, the EU GDPR, and all EU Data Protection Laws and, to the extent applicable, all data protection and data privacy laws and regulations of any other jurisdiction (collectively, Data Protection Legislation).
The CBRE Group has enacted global policies related to the processing of personal data, which can be accessed on the Company Intranet, by clicking the following link: https://www.cbre.com/about-us/global-web-privacy-and-cookie-policy including Global Policy 6.22: Data Privacy.
Your personal data
This below explains how the Company collects, uses, transfers, and discloses Personal Information relating to Company employees and contractors.
“Personal Information” here refers to information capable of identifying you, your spouse, dependents /family members and other persons, when used alone or in combination with other information. The Company is committed to protecting your Personal Information. It’s your information, it’s personal, and we respect that. We also want to maintain the trust and confidence of all employees.
Personal Information We Collect and Sources
a. Categories of Personal Information We Collect
Where we may lawfully do so under applicable law, we collect the following categories of Personal Information directly from you or from other sources, (for more information on data sources, see Sources from Whom We Collect Personal Information, below).
– Employee Authentication Information: such as your work email, password, authentication token, and CBRE employee ID number.
– Basic data: such as your name, gender, place of birth, date of birth, current nationality, any prior nationalities, language(s) spoken, title, organization, job responsibilities, phone number, mailing address, email address, contact details and information about family life (excluding special categories of data) including your marital status, spouse or partner, other family members, children, dependents, hobbies and interests.
– Contact and Employment Information: such as your worksite addresses, business telephone number, business email address, job title, and name and email address of your supervisor.
– Professional information: such as educational and employment history, relevant skills and/or qualifications, professional certifications and affiliations, compensation history (where allowed by law) and any other information included in curriculum vitaes/resumés, online professional profiles, and job applications.
– Job Applicant Evaluation Information: such as the opinions of references you provide, willingness to relocate, your current notice period, expected salary, credit history, and, where allowed by law: psychometrics and/or skills test and assessment results, pre-joining medical questionnaire, reference letters, information about your outside activities or family relationships that may give rise to a conflict of interest and information about criminal offense, conviction, pending investigations and administrative sanctions.
– Employee Onboarding Information: such as information necessary to form an employment or contractual relationship with the applicant and for legal compliance (such as signature, national insurance number, copies of your national ID card, driving license, passport, residency permits, and visas demonstrating the Right to Work), to processing payroll and provide employee benefits (such as employment start date, bank account information, tax withholding elections, existing private medical insurance, private medical insurance application details and beneficiary information), and disability or other data (where allowed by law) needed to provide workplace accommodations.
– Employee Relations Information: such as records and correspondence relating to redundancies, disciplinary actions, capability hearings, sickness/absence hearings and grievances, litigation documentation, resignation letters, settlement agreements, without prejudice correspondence, garden leave documentation, training attendance records, training certificates, termination letters, exit interview notes, recognition or exceptional award letters, performance management plans and succession planning exercises.
– Benefits Information: such as information about stock options, stock grants, and other awards, pension contributions, health insurance, incentive schemes and car allowances.
– Special categories of data: such as religious or other beliefs, racial or ethnic origin, sexual orientation, health data such as medical questionnaires and doctor's notes, and details of trade union membership where allowed by applicable law and if you choose to provide it.
– Diversity Data: such as gender/gender identity, race, ethnicity, sexual orientation, military/veteran status, and disability status (only where allowed by applicable law and if you choose to provide it). If you do not wish to provide your personal diversity data, please select the ‘Prefer not to say’ option and we will respect that decision.
Biometric, Electronic Identifiers, Security and Monitoring: such as photographs, iris recognition, video and CCTV recordings, Instant Messenger Recordings or messages, email monitoring and entry and exit records, geo-location data, usernames and passwords, and internet usage history
– Working Time and Leave: such as documentation relating to annual leave, hours worked, days worked, flexible working arrangements, jury service leave, working patterns, pensionable employment, disability, sabbatical leave and reserve forces
– Family Related Data: such as documentation and details related to life assurance/death in service nomination details, maternity, paternity and adoption leave, compassionate leave, marital status and childcare reimbursement/vouchers.
– Client service data: such as Personal Information received from clients in respect of employees, customers or other individuals known to clients, invoicing details and payment history, and client feedback.
– Marketing data: such as your participation in conferences and in-person seminars, credentials, associations, product interests, and preferences.
– Compliance data: such as Government identifiers, passport or other governmentissued identification documents, beneficial ownership data, and due diligence data.
– Self-Certification Information: such as date, location of the CBRE worksite you wish to access, confirmation of your compliance with Workplace Infection Riskmitigation protocols, and Special Category health-related data such as the absence of Workplace Infection Risks symptoms (e.g., Covid-19-related symptoms).
– Physical Access Data relating to your visits to our premises, such as your name and date and time of your visit.
– Miscellaneous Data: such as repayment agreements for relocation, structure charts, tuition reimbursement support documents, car lease documentation, cycle to work documentation reference letters for mortgages and tenancies, references for travel and visas, expenses documentation, immigration documentation, salary planning merit data, employee bonus information, employment probation details, changes to pay and conditions, agreements for relocation, promotion, demotion information and TUPE data, and information about unspent points or fines on your driving license.
b. Special Categories of Personal Information
To the extent we may lawfully do so under applicable law, we may collect and process categories of Personal Information relating to you which (depending on the applicable legal regulations and law to which you are subject, such as in the EU/EEA and UK) enjoy special protection by qualifying as special categories of Personal Information, sensitive Personal Information or similarly. Examples of such special categories of Personal Information include the Sensitive Data described herein. Where we may lawfully do so under applicable law, as part of our employment responsibilities, we may collect information (also known as special category or sensitive Personal Information in some jurisdictions)
c. Sources From Whom We Collect Personal Information
We collect and process Personal Information:
– when you contact the People Department directly, whether in person, via telephone or by email and provide your personal data as a necessary part of your enquiry;
– when you apply for a vacancy internally;
– when we collect data through the implementation of any CBRE People employeerelations policy e.g., CBRE’s disciplinary policy;
– in the course of managing your employment with the Company, for example, payroll administration;
– when you input your Personal Information on myPortal (CBRE’s Employee Self Service Platform (PeopleSoft)) or CBRE’s internal staff directory; d. Consequences of Not Providing Personal Information e. Use of Personal Information and Legal Bases
If you fail to provide certain information when requested, we may not be able to perform our contract with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
The purposes for which we use your Personal Information and the legal bases for such processing are as follows:
In broad terms, processing Company employee’s Personal Information is either a statutory or contractual requirement and/or necessary to fulfil a legal obligation or to meet a legitimate interest. The Company may also process employee’s Personal Information to perform tasks in the public interest and in emergency situations, such as to ensure the safety of employees or other individuals, or to save a life. In limited circumstances, the Company processes employee data based on consent.
The Company only relies on consent as a basis for processing your Personal Information for data processing not connected with your employment contract. For example, when you complete surveys that we use for administrative purposes. In such cases, you have the right to withdraw your consent at any time, without affecting the lawfulness of the prior processing based on consent.
Processing your Personal Information is necessary for pursuing the Company’s legitimate interest in monitoring and administering our human resources, the operation of our business including managing our relationships with third parties and providing services to clients. For detailed information regarding the purposes for which each category of your Personal Information may be collected, used, transferred, and disclosed, please see below.
– To manage our workforce and personnel generally, we collect and use your Employee Authentication Information, Basic Data, Contact and Employment Information, Benefits Information, Special categories of data, Professional Information, Job Applicant Evaluation Information, Employee Onboarding Information and Employee Relations Information. We process this Personal Information where necessary for Employment Law purposes and for the overriding legitimate business interests of the Company or based on your consent (if required by law).
–
To ensure the smooth operation of our business, we process your Basic data and Contact and Employment Information. We process this Personal Information where necessary for the overriding legitimate business interests of the Company or based on your consent (if required by law).
– To provide IT Support including hosting, we process Contact and Employment Information and Employee Authentication Information. We process this Personal Information where necessary for the overriding legitimate business interests of the Company or based on your consent (if required by law).
– To ensure compliance with the Company’s legal and other requirements, we process Contact and Employment Information, Family Related Data, Self-Certification Data and Compliance Data. We process this Personal Information based on the Company’s legal obligations, for other overriding legitimate business interests of the Company (described in more detail below), and/or based on your consent (if required by law).
– To manage access to our premises and for security purposes, we use physical access data. We process this Personal Information where necessary for the overriding legitimate business interests of the Company or based on your consent (if required by law).
–
To communicate with you about workplace health and safety issues, including Incidents, emergencies, Self-Certifications and Workplace Infection Risks, where necessary, we process your Contact Information. We process this based on the Company’s overriding legitimate business interests (described in more detail below) and/or based on your consent (if required by law).
– To communicate with your supervisor where legally permissible to do so about Observations (workplace safety concerns) and any associated Incident (a workplace injury, illness, or health-related event) you have reported, witnessed or been involved in, Workplace Infection Risks to which you may have been exposed, and absences from work resulting from Incidents or Workplace Infection Risks, where necessary, we process your Employment Information, Observation Information, Incident Information and Self-Certification Information. We process this Personal Information based on the Company’s legal obligations in the fields of employment or occupational health and safety laws, for other the overriding legitimate business interests of the Company (described in more detail below), and/or based on your consent (if required by law).
– To manage our business operations and administer our client relationships, we use Basic Data, Sensitive Data, Registration Data, Marketing Data and Client Service Data. We process this Personal Information where necessary in order to perform our obligations under our contracts with our clients (e.g., issuing and processing invoices) and suppliers (e.g., managing the supply of goods and services).
– To reduce unsafe and unhealthy workplace conditions, process property damage claims, and report to regulators, where necessary, we process Observation Information. We process this Personal Information based on the Company’s legal obligations in the fields of employment law and occupational health and safety law, for other overriding legitimate business interests of the Company (described in more detail below), and/or based on your consent (if required by law).
–
To create workplace health and safety metrics to measure the Company’s performance in providing employees and contractors with a safe workplace, reduce Incidents and Workplace Infection Risks, process workers’ insurance claims, and report to regulators, where necessary, we process Incident Information and sensitive Personal Information relating to Workplace Infection Risks. We process this Personal Information based on the Company’s legal obligations in the fields of employment law and occupational health and safety law, for other overriding legitimate business interests of the Company (described in more detail below), and/or based on your consent (if required by law)).
– To establish, exercise or defend our legal rights, to comply with lawful government requests for disclosure of Personal Information or otherwise to comply with legal obligations, we use any of the Personal Information we collect about you where legally permissible to do so. We process this Personal Information where necessary to comply with the Company’s legal obligations or for other overriding legitimate business interests.
– To achieve lawful Diversity Equity & Inclusion objectives, we may (where allowed by law and to the extent possible in an aggregated, pseudonymized format) collect Diversity Data you choose to provide as necessary to comply with applicable employment law obligations, for the overriding legitimate business interests of the Company, and for reasons of substantial public interest (such as reviewing and monitoring equality of employment opportunity and treatment of job applicants), or based on your consent (if required by law). We protect Diversity Data with suitable and specific measures (such as encryption) to safeguard the fundamental rights and interests of the applicant providing such Diversity Data. We will not, and do not, use Diversity Data to make Talent Acquisition or other employment-related decisions about you or other individuals.
f. Legitimate Business Interests
To the extent, the Company relies on its overriding legitimate business interests for the processing of your Personal Information, such business interests are in particular:
– to manage our business operations.
– To manage our relationship with our employees, including, where applicable, our contractual obligations to our employees.
– providing advice and services to clients.
– managing our contractual relationship with clients and to allow clients to manage their relationship with us.
– establishing, exercising or defending our legal rights and claims.
To the extent any of the processing purposes listed above require the processing of Special Categories of Information, such processing may in particular be permitted or required under applicable law as the processing is necessary to carry out certain obligations or exercise certain rights in the field of employment, social security and social protection, to establish, exercise or defend a legal claim, for reasons of substantial public interest or of public interest in the area of public health, and other necessary objectives or based on your consent (if required by law). We will collect and process those categories of personal information only where allowed by law, subject to any restrictions and additional safeguards as required by law and where relevant to and necessary in relation to your employment. g. Automated Decision-Making the Company does not process any personal data it collects to make automated decisions.
Sharing of Personal Information
Where we can do so lawfully under applicable law, the Personal Information we collect may be shared and processed with the following categories of recipients, some of whom may be located in a country that does not provide an adequate level of data privacy and protection rights as your home country, as necessary for the purposes identified in Section 3 – Use of Personal Information and Legal Bases, above. The Company has in place appropriate safeguards regarding internal Personal Information sharing. See International Data Transfers below for more information. To the extent possible, Personal Information is shared in an aggregated, pseudonymized or anonymized format.
a. Internally with Other CBRE Entities
CBRE is a global firm and the Personal Information we collect, or you provide may be shared and processed with CBRE entities as necessary for the purposes identified in Section 3 – Use of Personal Information and Legal Bases, above. Access to Personal Information within CBRE will be limited to those individuals who have a need to know the information for the purposes described in Section 3 – Use of Personal Information and may include your managers and their designees, personnel in the People, IT, audit, finance, legal and compliance, data processing departments or service providers. In particular:
– When you log into your CBRE account, use www.cbre.com or any of our applications , CBRE, Inc. and other CBRE entities employing site administrators and digital and technology and systems support and management staff (referred to as data processors in some jurisdictions) will process certain elements of your Personal Information in order to manage your access to, maintain, and improve the functionality of the site. CBRE, Inc. and these CBRE entities employing such individuals may be located outside your home country.
– As part of CBRE’s responsibilities as an employer, CBRE's global matrix structure may require that your Personal Information (including, Sensitive Data) is transferred to other CBRE entities outside your home country where other CBRE employees who are responsible and accountable for managing your employment with CBRE are located, including employees in your business line or sector, and our People, Quality, Health, Safety and Environment, Global Security and Crisis Management, and Legal & Compliance departments.
– Where legally permissible to process and transfer Sensitive Data outside your home country, and if you provide it, your Sensitive Data may be shared with other CBRE entities outside your home country. To the extent possible, we will share such data in an aggregated, pseudonymized format.
– In order to facilitate communication, all personnel within CBRE will have access to your business contact information, such as name, position, workplace telephone numbers, addresses and email addresses.
b. With Third Parties
The potentially relevant third parties including:
– Service Providers who provide services to the Company and/or its employees, or assist us with insurance claims processing and benefits, IT, cyber security and data hosting providers.
– Clients and suppliers in managing our relationships with them in the course of our business operations.
– Insurers, brokers and/or loss adjusters as necessary to file and manage property and workers insurance claims and benefits.
– Owners and operators of sites at which Observations, Incidents, and Workplace Infection Risks Occur and with whom the Company has a contractual or other legal obligation to share your Personal Information, and only to the extent legally permissible to do so.
– Consultants and advisors who assist us with legal, regulatory, and business operations activities, such as legal counsel, compliance consultants and business auditors.
– Governmental Regulators as necessary to comply with the Company’s legal obligations in the fields of employment law and occupational health and safety law in certain countries.
– Diversity & Inclusion (Governmental) Regulators, as necessary to comply with the Company’s legal obligations in the area of employment law in certain countries; we may share Diversity Data on an aggregated, de-identified basis only.
– Business partners in case of a merger or sale, such as if the Company is merged with another organization, or in the event of a transfer of our assets or operations.
Legally Compelled Disclosure
We may be required to disclose your Personal Information to governmental and regulatory authorities, law enforcement agencies, courts and/or litigants when legally compelled to do so, for example, in response to a court order, summons/subpoena or other lawful, legally binding request, including to meet national security or law enforcement agencies requirements, or in connection with legal proceedings or similar processes as necessary to exercise or defend our legal rights.
the Company is committed to not disclose your Personal Information in response to an international court order or a summons or subpoena or other legal obligation, unless we are legally compelled to do so under applicable law. In particular, CBRE, Inc. has assessed and is of the view that neither it nor its US subsidiaries qualify as a provider of electronic communication service, as defined in 18 U.S.C. § 2510, nor a provider of a remote computing service, as defined in 18 U.S.C. § 2711, and thus US public authorities cannot issue a legally binding demand for disclosure of data under Section 702 of the US Foreign Intelligence Surveillance Act ("FISA 702") upon CBRE, Inc. or its US subsidiaries. In case CBRE nevertheless receives at some point a disclosure demand for Personal Information under FISA 702, we will publish a Transparency Report on cbre.com and our
EEA websites (see our Schrems II statement). All personal data transferred by the Company to the US is encrypted in transit.
Retention of Personal Information
We will retain your Personal Information only for as long as required to satisfy the purpose for which such information was collected, unless otherwise required by law or regulation to be retained for a longer period. the Company will take reasonable steps to ensure that the Personal Information we process is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described in this Notice. the Company retains employee data based on statutory retention periods, commonly recommended data retention periods and for the period necessary to fulfil the purposes outlined in this Notice, unless a longer retention period is required or permitted by law. These retention periods are set out in the Company’s data retention policy/schedule. Please contact the Company’s group data protection officer for a detailed copy of this policy/schedule. Furthermore, the Company may need to retain your personal data for statistical purposes. In such cases, the data retention will be carried out with appropriate safeguards, to ensure that your data is fully protected. Should you require further information as to the retention period, please do not hesitate to contact us.
How We Secure Personal Information
We implement appropriate technical and organizational security measures to safeguard the Personal Information we collect and process about you against loss and unauthorized alteration or disclosure. The information you provide is encrypted in transit and at rest. We utilize role-based access controls to limit access to your Personal Information on a strict need-to-know basis consistent with the purposes for which we have collected such information. We utilize anti-malware and intrusion detection systems to guard against unauthorized access to our network, and we have an incident response plan in place to quickly respond to any suspected leak or breach of Personal Information.
Where we share your Personal Information with our service providers, we have assessed that their technical and organizational measures provide an appropriate level of security.
International Data Transfers
Depending on the recipients (see Sharing of Personal Information above), your Personal Information may be processed and hosted in countries other than your home country, such as e.g., United States, United Kingdom, Australia, Philippines, Singapore, and India. Those other countries may have less stringent data protection laws than the country in which you reside, in which you initially provided the information and/or in which your information was originally collected.
In case of international data transfers, we will protect your Personal Information as required by all applicable data protection laws.
a. EEA and UK to Non-EEA Data Transfers
With respect to international data transfers initiated by the Company from the European Economic Area ("EEA") or UK to recipients in any non-EEA jurisdictions,
– some recipients are located in countries which are considered as providing for an adequate level of data protection under EU law (or UK law, as applicable). These transfers do not, therefore, require any additional safeguards under EU (or UK, as applicable) data protection law.
– other recipients are located in countries not providing an adequate level of data protection under EU or UK law, such as e.g., the US or India and, where required by law, we have implemented appropriate safeguards, such as EU Standard Contractual Clauses, and/or are relying on binding corporate rules of the recipient or an appropriate derogation. Where applicable, we implement supplementary technical and contractual safeguards. Under applicable law you may have the right to ask for further information on such appropriate safeguards (see Section 9 - Contact below). As stated above (see Legally Compelled Disclosures), CBRE, Inc. has assessed and is of the view that US public authorities cannot issue a lawful disclosure demand for personal data under FISA 702 upon CBRE, Inc. or its US subsidiaries. All personal data transferred by the Company to the US is encrypted in transit.
Your Data Privacy Rights
Depending on the legal regulations in your country and the applicable laws to which you are subject, you may have all or some of the following rights set out below and may submit a request(s) to exercise any such rights through our Data Subject Rights Portal or by contacting us at dsr@cbre.com. Irrespective of the CBRE entity that is responsible for the processing of your Personal Information, you may use such centralized contact details and CBRE will ensure that the responsible CBRE entity receives your request and addresses it promptly as required by applicable law. CBRE will respond to your request comprehensively, even if you do not identify the particular CBRE entity against whom you make the request.
– Right of access: You may have the right to obtain confirmation from CBRE as to whether your Personal Information is being processed, and, where that is the case, to request access to your Personal Information. You may have the right to obtain a copy of your Personal Information undergoing processing. For additional copies requested by you, CBRE may charge a reasonable fee based on administrative costs.
– Right to rectification: You may have the right to obtain from CBRE the rectification of inaccurate Personal Information concerning you.
– Right to erasure (right to be forgotten) or anonymization: You may have the right to ask us to erase (or in some jurisdictions, anonymize) your Personal Information. In some jurisdictions, this right may be limited to deletion or anonymization of data that is unnecessary, excessive, or unlawfully processed, or deletion of data that is processed based on your consent.
– Right to restriction of processing: You may have the right to request the restriction of processing your Personal Information.
– Right to data portability: You may have the right to receive your Personal Information which you have provided to CBRE in a structured, commonly used, and machine-readable format and you may have the right to transmit that Personal Information to another entity without hindrance.
Right to withdraw consent: If we rely on your consent for any Personal Information processing activities, you have the right to withdraw or revoke this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. This right to withdraw consent applies to consents given for marketing and profiling purposes, if any.
– Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your situation, at any time to the processing of your Personal Information by CBRE, and CBRE can be required to no longer process your Personal Information unless CBRE demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise or defence of legal claims. The right to object may not exist if the processing of your Personal Information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
– Right to request an explanation of our processing activity of your Personal Information
– Right to information on the possibility to withhold consent and information on the consequences of doing so.
– Right to information on third parties with whom we have shared your data.
– Right to lodge a complaint with the competent data protection authority in your home country or in the country in which the responsible CBRE entity is located, in particular with respect to the result of automated decision-making. A list of European Union Data Protection Authorities is available from the European Data Protection Board.
Contact
a. General Inquiries
You may contact CBRE’s Global Data Privacy Office (“GDPO”) at Privacy.Office@cbre.com or by writing to us at 321 North Clark Street, Suite 3400, Chicago, Illinois 60654, Attention: Global Director, Data Privacy. You may also e-mail us via the GDPO at EMEAPrivacyDirector@cbre.com or write to us at Henrietta House, Henrietta Place, London W1G 0NB, United Kingdom, Attention: EMEA Director, Data Privacy
You may also contact your local People team. You may raise questions or concerns about the GDPO or your local People team to CBRE’s Ethics & Compliance department via the CBRE Ethics Helpline
b. Data Protection Officers
In some countries, CBRE has appointed a Data Protection Officer (“DPO”), whom you may contact with questions or concerns about how CBRE processes your Personal Information. Contact information for our DPO’s in the European Union and the UK are available in our Global Privacy and Cookie Notice
c. EU and UK Representative
We have appointed a representative for the responsible CBRE entities located outside of the EEA and UK that process your Personal Information subject to the EU General Data Protection Regulation and UK data protection law. The representatives contact details are available in our Global Privacy and Cookie Notice.
The above information is published in the Employee Privacy Notice, available on the CBRE Global Data Privacy Office Intranet Page. Further information relating to Data Protection, including your rights under data protection legislation, may be found on the Company Intranet.
Your obligations
You must only process personal data (whether related to clients, third parties, such as tenants, or other employees of the Company) for the following purposes:
– as instructed directly by the relevant Data Controller (including but not limited to clients and, with respect to CBRE employees, CBRE); in accordance with the relevant contractual data processing terms or data processing agreement;
– as set out in the applicable Privacy Notice;
– protecting and promoting CBRE’s legitimate interests and objectives (for example ensuring site security, managing fraud/money laundering prevention), subject to consultation with CBRE management, Legal & Compliance, and or the CBRE Global Data Privacy Office (GDPO); and
– to fulfil CBRE's contractual and other legal obligations
Use of personal data: If you intent to use personal data for purposes other than as described above, you must consult with your supervisor/line manager and, where appropriate, the CBRE GDPO, and insure that CBRE has a lawful reason for using the personal data in such manner, and that all requirements under applicable Data Protection Law have been satisfied.
If, whether under the instruction of a Data Controller or otherwise, you are processing or using personal data in a way which you think an individual to whom the data relates (Data Subject) might think is unfair or which you believe does not meet the abovedescribed requirements, please contact your line manager or the GDPO before continuing to do so..
A breach of this policy may be treated as misconduct and could result in disciplinary action including in serious cases, dismissal.
A member of Staff who deliberately or recklessly misuses or discloses personal data held by CBRE without proper authority or other than as described in this section may also be guilty of a criminal offence.
You must –
– undertake the compulsory data protection training within a month of starting your new role at CBRE and annual refresher training, or as otherwise assigned to you;
– familiarise yourself with the Data Protection Policy set out in the People intranet and/or Employee Handbook;
– familiarise yourself with CBRE’s Employee Privacy Notice;
– take all reasonable steps to prevent the unauthorised disclosure of or access to personal data and special categories of personal data you process or transfer during your employment;
– comply with the UK GDPR, the EU GDPR and all other Data Protection Laws when processing any personal data and special categories of personal data during your employment;
– share personal data on a “need to know” basis only;
– take all reasonable steps to ensure that any third party to whom you transfer any personal data and special categories of personal data not only complies with relevant Data Protection Laws but also prevents it from disclosure to or access by unauthorised persons;
– be able to recognise when someone is exercising their rights in their Personal Data in order that you can refer the matter to the GDPO.
– inform your line manager and/or the GDPO immediately on becoming aware of any actual or suspected breach of the requirements of data protection legislation; and
– inform the Company immediately of any changes to your personal data.
Electronic communication policy
The purpose of this policy is to ensure the proper use by employees of the Company’s various electronic communications systems, including its computers, Blackberrys, desk and mobile telephones, iPads, voice-mail, internet access and e-mail systems (collectively “electronic communication systems”). The Company’s electronic communication systems are tools for business communication, and all employees have the responsibility to use these resources in an efficient, effective, ethical and lawful manner for the benefit of the Company.
Violations of this policy may result in disciplinary action, including the possibility of dismissal and may subject the violator to legal action.
All computers, mobile telephones and iPads issued by the Company, voice-mail, Internet and e-mail accounts maintained by CBRE Investment Management, are the sole property of CBRE Investment Management. CBRE Investment Management has the right to monitor any employee’s computer, mobile telephone and iPad issued by the Company, voice mail, e-mail accounts and Internet use to help assure compliance with this policy, for training purposes, or to determine if the systems are being used for other than legitimate business reasons. Employees have no individual right of privacy regarding any information created, stored or sent in or by the Company’s computer, mobile telephone, iPad, voice mail and/or e-mail systems or Internet access systems.
The following actions and uses of CBRE Investment Management’ electronic communication systems are strictly prohibited and may result in disciplinary action, including termination of employment:
The access, storage, creation and exchange of material that is or could be considered to be offensive, harassing, obscene or threatening, or which otherwise violates any law or Company policy
The intentional creation or dissemination of computer viruses
– The unauthorised exchange of proprietary information, trade secrets or any other privileged, confidential or sensitive information, relating to CBRE Investment Management, a client or the business of these parties. (Caution should be taken to ensure that messages are addressed to the appropriate recipient; it is easy to inadvertently address e-mail messages incorrectly. Confidential messages should include a warning regarding accidental transmission to an unintended third party. Please remember that e-mails are legally binding)
– The creation and exchange of advertisements, solicitations, sale of tickets or personal property, joke and joke attachments or chain letters
– The creation and/or exchange of information in violation of any copyright laws
– Registration on mailing lists without proper authorisation. (Subscription to such a service can result in an overload of received messages directly impacting the performance of the e-mail system)
– Messages read or sent from another user’s account except under proper delegation arrangements
– Activities that cause the wasting of networked resources, including the effort of users involved in the support of those resources
Users receiving material, or becoming aware of material or activities, in violation of the above policies should immediately report the incident to their immediate supervisor or manager who should report such violation to the Managing Director.
– All users of CBRE Investment Management’ e-mail systems should observe the following practices:
– Users must not compromise the privacy of their password by giving it to others or exposing it to public view. Passwords should be changed on a regular basis.
Users should retain messages only if relevant to the business. Back-up copies of e-mail messages will be retained by CBRE Investment Managements’ e-mail system.
– Address messages to recipients who need to know. (Messages sent unnecessarily can impact the system and user performance.)
– Construct messages professionally (spelling, grammar) and efficiently (subject, field, attachments). Use prudence sending attachments in order to minimise network load.
– E-mail communications should follow the same standards expected in written business communications and public meetings.
Incidental personal use of the e-mail system is permissible so long as it does not interfere with the performance of the e-mail system or the accomplishment of the user’s responsibility and does not otherwise violate the above restrictions.
Use of all electronic communications systems must be in line with all published standards, as issued from time to time.
You will be required to sign a declaration during your induction process to confirm you have received and read the policy, and that you will abide by its content.
Confidentiality
In the ordinary course of your employment you will be exposed to information about the business of the Company, its clients and other members of the CBRE Group which is confidential or is commercially sensitive and which may not be readily available to competitors or the general public and which if disclosed will be liable to cause significant harm to the Company or members of the CBRE Group. Confidentiality provisions are therefore necessary and reasonable to protect the legitimate interest of the Company and members of the CBRE Group.
Consequently you must not, whether during or after your employment, except as authorised or required by your duties as an employee of the Company, reveal (whether deliberately or through lack of care or diligence) to any person, Company or organisation or otherwise make use of any of the trade secrets, secret or confidential operations, processes or business methods or any information (other than that within the public domain) concerning the organisation, business, finances, transactions or affairs of the Company or its clients and members of the CBRE Group.
