Privacy Notice for Tenancies
As of September 2022
Greystar Europe Holdings Limited (“Greystar”), is appointed by Cherry Park Rentco Limited (“CPR”) as a manager of the properties at 1 Cherry Park Lane Coppermaker Square, Stratford, E20 1NX (“Coppermaker Square”). Greystar and CPR process the personal information of individuals who:
(a) apply to rent an apartment at Coppermaker Square and
(b) enter into a lease to rent an apartment at Coppermaker Square.
For the purposes of the UK General Data Protection Regulation (EU) 2016/679 and the UK Data Protection Act 2018 (collectively referred to as the “Data Protection Laws”), both Greystar and CPR act as data controller when processing information about you in the course of your tenancy. This Privacy Notice is therefore provided by both Greystar and CPR (“we, “our”, “us”).
This Privacy Notice describes what personal information we collect, how we use it, who we share it with and how you can access, delete, correct, change, and limit our use of it.
The personal information we collect, why we process your personal information and how we are legally permitted to process your personal data
In order to rent an apartment at Coppermaker Square, you are required to provide personal information that may identify you or relate to you as an individual. If you provide us with information about other individuals (e.g. family members), you confirm that you have informed them accordingly and have obtained from that person any consents necessary for the use and disclosure of that person’s personal information as described in this Privacy Notice.
We collect the following categories of information:
Contact Information such as name, postal address, email address, date of birth, picture, gender, social media handle, contact number and emergency contact details.
Personal Identifiers such as taxpayer identification number, passport number, identity card or student card, and resident identification number, utility bills.
Financial Information such as bank account/credit card number, rent amount, rent payment details, rent start/end dates, rental history, guarantees
Eligibility information such as credit history, sanctions and Politically Exposed Persons (“PEP”) screening results, source of employment, profession, income levels, and other financial or tax documentation.
Demographic Information such as nationality, citizenship and marital status, in each case subject to applicable laws.
Health data such as disabilities or other health-related restrictions so that we can provide you with adequate accommodations.
Miscellaneous such as personal data of other occupiers, correspondence with tenants, feedback from surveys.
The table below sets out:
(a) What personal information we collect,
(b) The purposes for which we use your personal information
(c) The legal bases on which we rely to process your personal information and
(d) Whether CPR or Greystar is the controller for that purpose.
We collect personal information either directly from you or from sources such as public databases or credit agencies.
You can object to processing that we carry out on the grounds of legitimate interests. See paragraph ‘Your Rights’ to find out how. Please note that where we required personal information in order to carry out the lease, if you do not provide the necessary information, we will not be able to enter into/perform the lease.
How and when we share your personal information
We may share personal information with the following third parties to provide services to you, following a specific request from you, or to fulfil our legal obligations.
Service Providers. We disclose personal information to third parties who perform services such as hosting our websites, processing payments, conducting research and analytics, providing on-site services, providing benefits, conducting financial, identity and other legal checks and providing professional advice.
Marketplace Vendors. We disclose personal information to third parties so that they can provide certain services to you when you order them, for example, a provider of dog walking services.
Greystar and CPR. Where Greystar acts as a processor for CPR under its property management agreement, Greystar will have access to your data. Where Greystar acts as controller but needs to share data with CPR, Greystar will make available details on a case by case basis.
Our group companies. We disclose your personal information to our group companies as necessary to communicate with you, provide you services, fulfil our contract with you and to accomplish our business purposes.
Legal obligations. We may also use and disclose your personal information as necessary to comply with applicable laws, respond to requests or requirements from government authorities, enforce our terms and conditions, or to otherwise protect the rights, property, or safety of our employees, residents and other persons, including exchanging information with third parties for fraud protection and credit risk reduction.
If you want to know the identity of any of our service providers, please contact us using the information in the “Contact Information” section.
You have the following rights under the data protection laws:
- The right to object to processing of your personal data;
- The right of access to personal data relating to you (known as data subject access request);
- The right to correct any mistakes in your information;
- The right to ask us to stop contacting you with direct marketing;
- The right to restrict your personal data being processed;
- The right to have your personal data ported to another controller;
- The right to withdraw your consent;
- The right to erasure; and
- Rights in relation to automated decision making
These rights are explained in more detail below. If you want to exercise any of your rights, please contact us using the information in the “Contact Information” section.
We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with Data Protection Laws.
1. Right to object to processing of your personal data
You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.
If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed “How is processing your personal data lawful”. The key point to note is that much of the processing under this heading is beneficial to you, such as assisting with your career development or keeping you safe on our premises.
2. Right to access personal data relating to you
You may ask to see what personal data we hold about you and be provided with:
A copy of the personal data;
Details of the purpose for which the personal data is being or is to be processed;
Details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those oversea transfers;
The period for which the personal data is held (or the criteria we use to determine how long it is held);
Any information available about the source of that data; and
Whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.
To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.
3. Right to correct any mistakes in your information
You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.
4. Right to restrict processing of personal data
You may request that we stop processing your personal data temporarily if:
You do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
The processing is unlawful but you do not want us to erase your data;
We no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
You have objected to processing because you believe that your interests should override our legitimate interests.
5. Right to data portability
You may ask for an electronic copy of your personal data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.
6. Right to withdraw consent
For the uses of data specified in this Privacy Notice, you have the right to withdraw consent you have given us at any point. This is a vital and necessary aspect of consent. To withdraw your consent, please contact us using the information in the “Contact Information” section. Note that any processing carried out prior to the date of withdrawal of your consent will still be valid and any published personal data cannot be retracted.
7. Right to erasure
You can ask us to erase your personal data where:
You do not believe that we need your data in order to process it for the purposes set out in this Privacy Notice;
If you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
You object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
Your data has been processed unlawfully or have not been erased when it should have been.
8. Rights in relation to automated decision making
You may ask us to ensure that, if we are evaluating you (for example when doing a credit check on you), we don’t base any decisions solely on an automated process and to have any decision reviewed by a member of staff.
These rights will not apply in all circumstances, for example where the decision is authorised or required by law and steps have been taken to safeguard your interests.
What will happen if your rights are breached?
You may be entitled to compensation for damage caused by contravention of Data Protection Laws.
Complaints to the regulator
It is important that you ensure you have read this Privacy Notice – and if you do not think that we have processed your data in accordance with this Privacy Notice – you should let us know as soon as possible. You may also complain to the Information Commissioner’s Office. Information about how to do this is available on its website at www.ico.org.uk.
We take reasonable technical and organizational measures to safeguard your personal information. While we strive to protect your personal information, we cannot guarantee the security of any personal information you disclose online and therefore you must be aware of this risk.
We limit access to personal information to those individuals and organizations who we believe reasonably need to receive such information to provide our services or to do their jobs, and we take reasonable precautions in line with good industry practice to protect the security of users’ personal information in accordance with applicable law. Because the security of all personal information associated with our users is of utmost concern to us, we periodically review and improve our security when new technology becomes available.
If you have any questions about security, please contact us using the information in the “Contact Information” section.
We will retain your personal information for the period we reasonably believe is required to fulfil the purposes outlined in this Privacy Notice. We would usually expect this to be up to 6 years after your tenancy at Coppermaker Square ends, unless a longer retention period is required or permitted by law.
The criteria used to determine our retention periods include:
The length of time we have an ongoing relationship with you and provide the services to you.
Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them).
Whether retention is advisable considering our legal position (such as, for statutes of limitations, litigation or regulatory investigations).
Data transfers – international users
Greystar is a global company and as a result, we may, subject to law need to transfer your personal information outside of the UK and European Economic Area. We would only do so where our service providers provide their services to us from outside of these areas or where our group companies, who are involved in the provision of the services, are based outside of these areas, including in the U.S. In those circumstances, any transfer of your personal information will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms. If you want to know more about how data is transferred, please contact us using the information in the “Contact Information” section.
Profiling and automatic decision-making
In certain circumstances and subject to applicable law, we may use automatic decision-making to evaluate your credit against our required criteria. Credit-checking is a mandatory step in our application review process.
In certain circumstances and subject to applicable law, we will use automated means to conduct sanctions and PEP screenings and in some cases for background checks. This processing is in accordance with our legal obligations and legitimate interests and has meaningful human intervention before making final decisions that may impact your application.
Sanctions screening involves comparing applicants against public lists maintained by the UK government and central government bodies. We do this through a secure online service. For common names, the system will sometimes return a result known as a “false positive.” A human analyst will then use additional data you provided, such as your address, to make a final decision about the match.
Updates to this Privacy Notice
Any changes we make to this Privacy Notice will become effective upon posting. If we change our Privacy Notice, we will advise users of those changes through a general description at the top of this Privacy Notice and may also post these details to other places we deem appropriate. If we are legally permitted to do so, we may also email you.
If you have any questions about this Privacy Notice please contact Greystar at firstname.lastname@example.org or Finsbury Circus House, 15 Finsbury Circus, London, EC2M 7EB.