Cromwell Property Group Privacy Notices

Version last revised: 27 June 2023

1. Important Contact Information

Controller Name: Cromwell European Management Services Limited

Controller Address: Registered Office: 5th Floor, Minerva House, 29 East Parade, Leeds, LS1 5PS, United Kingdom

GDPR Central Representative: EUprivacy@cromwellpropertygroup.co.uk

2. Introduction and Purpose of this European Website Privacy Notice

We, the above-named Controller (“Cromwell”, “we”, “us”) are committed to protecting your personal data and respecting your privacy.

This European Website Privacy Notice (the “Privacy Notice”) sets out the personal data we receive from you, how we process it, our legal obligations as Controller, and your rights in relation to your personal data.

Note that Cromwell’s Australian Website Privacy Notice is available on our website at: www.cromwellpropertygroup.com/

3. Your Personal Data

When you use our websites, we process certain personal data concerning you.

We are authorised by law to process your personal data in the pursuit of our legitimate business interests, for compliance with a legal or contractual obligation, and where you have given consent. A legitimate interest is when we have a business or commercial reason to use your information so long as this is not overridden by your own rights and interests.

Where it is necessary to process your personal data to fulfil legal or contractual obligations, if you fail to provide certain information when requested, we will not be able to fully perform our obligations under any contract we enter into with you, or we could be prevented from complying with our legal obligations.

If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time by emailing the GDPR Central Representative (EUprivacy@cromwellpropertygroup.co.uk).

4. Who Are We?

Under Regulation (EU) 2016/679 – The General Data Protection Regulation (“GDPR“) and other applicable data protection laws, the ‘Controller’ of this personal data is the company whose name and address is given at the top of this Privacy Notice.

5. Information we collect about you

We may collect and process the following personal data concerning you:

• Reception logs and CCTV if you visit our offices.
• Information that you provide by filling in forms on any of our sites. This includes information provided at the time of registering to use our site, subscribing to our service, posting material or requesting further services, including email addresses and other contact information.
• If you contact or correspond with us (i.e. make an inquiry, request information or otherwise correspond with us), we may keep a record of that correspondence and any personal information you provide
• We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
• Details of your visits to our site including, but not limited to, resources you access, traffic data, location data, weblogs, cookies and communication data, whether this is required for our own billing purposes or other legitimate business reason.
• We may collect information about your computer, including your IP address, operating system and browser type, for business reasons such as system administration.

6. Purposes for Processing your Personal Data

7. Secure storage and retention of your Personal Data

We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing we carry out to protect the confidentiality, integrity and availability of your personal data and to protect against unauthorised or unlawful processing and accidental loss, destruction or damage.

We will retain your personal data for as long as it is necessary to fulfil the purposes outlined in this notice unless a longer retention period is required or permitted by law.

8. International Data Transfers

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA“). Where such a transfer occurs, we have provided appropriate safeguards including the application of approved Standard Contractual Clauses to our legal relationship with any third-party processors, and have taken all steps reasonably necessary to ensure that your data is treated securely and your rights in relation to your personal data are protected. You may request a copy of these safeguards by emailing the GDPR Central Representative (EUprivacy@cromwellpropertygroup.co.uk).

9. Disclosure of Your Information

We may disclose your personal information to any member of our group, which means our direct and indirect subsidiaries, and our ultimate holding company and/or its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We may disclose your personal information to third parties:

• If we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
• If Cromwell European Holdings Limited or substantially all its assets are acquired by a third party, in which case personal data held by it about its clients will be one of the transferred assets.
• If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements, or to protect the rights, property, or safety of our clients, or others.

10. Partner Websites

Our site may, from time to time, contain links to the websites of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies or notices. Please check these policies when you visit, and before you submit any personal data to, these websites.

11. Changes to our Privacy Notice

We may need to update this Privacy Notice to reflect changes to our data processing practices. If we do this and the changes are material, we will post a notice on this website for at least 7 days before the changes are made. You can see the date this Privacy Notice was last revised at the top of the page.

12. Your Rights

The GDPR, and other applicable data protection legislation give you certain specific rights relating to your personal data, as set out below.

Please note that not all of these rights are absolute, and they do not apply in all circumstances. However, you are always welcome to contact us with any request relating to processing of your personal data and, even if we are not obliged by law to comply with your request, we will try to accommodate your wishes.

1. Access – you have the right to access your personal data and certain information about how and why we are processing it;
2. Rectification – you have the right to have any inaccurate or incomplete personal data rectified without undue delay;
3. Erasure – sometimes called the ‘right to be forgotten’, in certain circumstances, you have the right to have your personal data erased without undue delay;
4. Restriction – in certain circumstances, you have the right to have our processing of your personal data restricted;
5. Data portability – in certain limited circumstances, you have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly-used and machine-readable format and the right to transmit those data to another controller without hindrance; and
6. Objection – in certain circumstances, you have the right to object to the processing of your personal data carried out by us or on our behalf.
7. Not to be subject to automated individual decision making – you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

13. Contact Us

If you would like further information on anything in this Privacy Notice, for all questions or concerns you have about your personal data, or if you think you would like to exercise any of your rights as a data subject, please contact us using the contact details at the top of this Privacy Notice.

14. Making A Complaint

If you think we have not complied with the requirements of the GDPR or other data protection legislation as it applies to your personal data, you have a right to lodge a complaint with any data protection supervisory authority in the EU. The UK supervisory authority is The Information Commissioner’s Office (ICO): casework@ico.org.uk or 0303 123 1113 / +44 1625 545 700; www.ico.org.uk.[1] You can find contact details of other EU supervisory authorities here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

^{[1] Please note these details are subject to change outside our control, so please check online for up-to-date contact information.}

Version last revised: May 2023

1. Important Contact Information

Controller Name:
Cromwell Group European Entities, whose list is shown below;

• Cromwell Netherlands BV
• Cromwell Property Group Poland Sp. z o.o.
• Cromwell Property Group Czech Republic s.r.o.
• Cromwell Germany GmbH
• Cromwell European Management Services Limited
• Cromwell France SAS
• Cromwell Property Group Italy SRL
• Cromwell Investment Luxembourg S.à r.l.
• Cromwell Finland Oy
• Cromwell Sweden AB
• Cromwell Denmark A/S

As joint controllers and represented for the purpose of this Privacy Policy by Cromwell European Management Services Limited (including its affiliated entities and group companies)

Controller Address: For the purpose of this Privacy Policy: Fifth floor, Minerva House, 29 East Parade, Leeds, LS1 5PS, United Kingdom

GDPR Central Representative: EUprivacy@cromwellpropertygroup.co.uk

2. Purpose of this document

2.1 We, the above-named Controller (“Cromwell”, “we”, “us”), are committed to protecting the privacy and security of your personal data. We will comply with the following data protection principles when gathering and using personal data:

• we will process personal data lawfully, fairly and in a transparent manner;
• we will collect personal data for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
• we will only process the personal data that is adequate, relevant and necessary for the relevant purposes;
• we will keep accurate and up to date personal data and take reasonable steps to ensure that inaccurate personal data is deleted or corrected without delay;
• we will keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the information is processed; and
• we will take appropriate technical and organisational measures to ensure that personal data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

2.2 This privacy notice describes how we collect and use personal data concerning you in connection with our marketing practices and in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 – The General Data Protection Regulation (the “GDPR”).

2.3 It applies to all individuals who we collect marketing data from and are located in the European Union (the “EU”).

2.4 We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice if we make any substantial updates.

3. Your Personal Data

3.1 Cromwell will keep and otherwise process personal data concerning you for marketing purposes. Except as specifically indicated in this privacy notice, personal data we hold and process will only be used within Cromwell and the other companies in Cromwell’s group whose list is shown below;

• Cromwell Netherlands BV
• Cromwell Property Group Poland Sp. z o.o.
• Cromwell Property Group Czech Republic s.r.o.
• Cromwell Germany GmbH
• Cromwell European Management Services Limited
• Cromwell France SAS
• Cromwell Property Group Italy SRL
• Cromwell Investment Luxembourg S.à r.l.
• Cromwell Finland Oy
• Cromwell Sweden AB
• Cromwell Denmark A/S

4. How your information will be used

4.1 The information we hold and process in connection with this Marketing Privacy Policy will be used for marketing purposes only. As the case may be, with you consent where required by law, we will use it in connection with:

• keeping you up to date with our latest research or other relevant content we have published that we believe may be of interest to you;
• to invite you to any events we may be putting on;
• or for sending notices for direct marketing of our products and services and compliance with legal or regulatory requirements.

4.2 If in the future we intend to process your personal data for a purpose other than that for which it was collected we will provide you with information on that purpose and any other relevant information.

5. How is your personal data collected?

5.1 “Personal data” relates to information that can be used to directly or indirectly identify you. Personal data also includes anonymous information that is linked to information that can be used to directly or indirectly identify you. Personal data does not include information that has been irreversibly anonymised or aggregated so that it can no longer enable us, whether in combination with other information or otherwise, to identify you.

5.2 For the Marketing purposes covered by this Privacy Policy, we are collecting the following personal data, subject to your provision thereof:

• Personal data that is usually included in a business card such as your contact details such as name, title, company email address, company name, company address and telephone numbers.
• automatic identifiers such as IP address, geographic location, browser type, operating system, screen size and company that we automatically collect when you visit our websites. These automatic identifiers are anonymous unless you provide additional information to us (such as by filling out a form on our website) that connects the automatic identifiers to you.
• cookies, web beacons or other online tracking identifiers (when you visit our website). These tracking identifiers are anonymous unless you provide additional information to us (such as by filling out a form on our website) that connects the tracking identifiers to you. You can enable or disable cookies by modifying the settings in your browser.
• data that shows the web pages you may view, marketing content you have requested and any sales that may have resulted from your interaction with marketing content. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

6. Legal basis for processing

6.1 We will only use your personal data when the law allows us to. In connection with our marketing activities, we will rely on

6.1.1 our legitimate interests (or those of a third party) of engaging in marketing activities, where your fundamental rights do not override those interests.

6.1.2 Where required by law, your consent;

6.2 Please note that we may process your personal data using more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us using the details set out in the “How To Contact Us” section below if you need details about the specific legal ground we are relying on to process your personal data on any given occasion.

6.3 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by applicable data protection legislation.

7. How we may share your information

7.1 We will only share your personal data with the following third parties: All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies.

7.2 We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

7.3 The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). Where such a transfer occurs, we have provided appropriate safeguards including the application of approved Standard Contractual Clauses to our legal relationship with any third-party processors, and have taken all steps reasonably necessary to ensure that your data is treated securely and your rights in relation to your personal data are protected.

8. Retention of personal data

8.1 We retain marketing data for as long as is reasonable for the original purpose for which it was collected and for furthering our legitimate interest for marketing. In general, we retain marketing data related to (i) a customer for as long as they remain a customer and (ii) for prospect, for a period of 36 months from their last engagement with us.

8.2 In all cases, you are given the right to opt out of receiving further marketing communications. In that case, we will only retain the amount of information needed to be sure we do not contact you again for direct marketing purpose. You may tailor further communications from us at any time by visiting our website.

9. Your Rights

9.1 The GDPR, and other applicable data protection legislation gives you certain specific rights relating to your personal data which are set out below.

9.2 Please note that not all these rights are absolute, and they do not apply in all circumstances. However, you are always welcome to contact us with any request relating to processing of your personal data and, even if we are not obliged by law to comply with your request, we will do everything reasonable to accommodate your wishes.

9.3 It is also important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.

Access – you have the right to access your personal data and certain information about how and why Cromwell is processing it;

Rectification – you have the right to have any inaccurate or incomplete personal data rectified without undue delay;

Erasure – Sometimes called the ‘right to be forgotten’, in certain circumstances, you have the right to have your personal data erased without undue delay;

Restriction – in certain circumstances, you have the right to have the processing of your personal data by Cromwell restricted;

Data portability – where the processing is carried out under the legal basis of your consent or the necessity to perform a contract with you, and is carried out by automated means, you have the right to receive the personal data concerning you that you have provided to Cromwell, in a structured, commonly-used and machine-readable format and the right to transmit those data to another controller without hindrance; and

Objection – in certain circumstances, you have the right to object to the processing of your personal data carried out by Cromwell or on its behalf.

10. Information Security

10.1 Cromwell has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing it carries out to protect the confidentiality, integrity and availability of your personal data and to protect against unauthorised or unlawful processing and accidental loss, destruction or damage. These measures include:

• Physical safeguards, such as locked doors and file cabinets and controlled access to our facilities.
• Technological safeguards, such as use of anti-virus and endpoint protection software, encryption, and monitoring of our systems and data centres to ensure compliance with our security policies.
• Organisational safeguards, through training and awareness programs on security and privacy, to ensure employees understand the importance and means by which they must protect personal data, as well as through privacy policies and policy standards that govern how we treat personal data.

11. Contact Us

If you would like further information on anything in this privacy notice, for all questions or concerns you have about your personal data, or if you think you would like to exercise any of your rights as a data subject, please contact the GDPR Central Representative named at the top of this Privacy Notice at: 5th Floor, Minerva House, 29 East Parade, Leeds, LS1 5PS, United Kingdom or EUprivacy@cromwellpropertygroup.co.uk.

12. Making a Complaint

If you think we have not complied with the requirements of the GDPR as it applies to your personal data, please contact us using the contact information above.

You also have a right to lodge a complaint with any data protection supervisory authority in the EU. You can find details of all of the EU supervisory authorities here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

The UK’s supervisory authority is the Information Commissioner’s Office (ICO): casework@ico.org.uk or 0303 123 1113 / +44 1625 545 700; www.ico.org.uk.