We are committed to protecting the privacy and security of personal data.
Except where 1.3 below applies, the data controller of your information is Great Portland Estates Services Limited (company number 00517550) of 33 Cavendish Square, London, W1G 0PW. This is the property management company of Great Portland Estates plc (company number 00596137) of 33 Cavendish Square, London, W1G 0PW.
If you are a shareholder or former shareholder, the data controller is Great Portland Estates plc.
Any references to ‘we’, us’ or ‘our’ are to the relevant data controller that processes your information.
This section of our website is designed to help you understand the basis on which any personal data about you will be processed by us. Please take the time to read and understand this privacy notice.
As we undertake a wide range of activities, we’ve organised information into tables, reflecting the different ways you might interact with us, in order to help you get to the information you want quickly. This notice will apply to you if you:
- occupy or visit one of our buildings, head office or app-enabled buildings;
- have a lease agreement with us;
- are a neighbour to our projects;
- are one of our service partners;
- are a party to a property transaction with us;
- are a current shareholder or former shareholder;
- are on our contact list for results presentations or investor relations events (e.g. investors, analysts and bankers);
- have applied for a job with us;
- use our website; or
- participate in one of our corporate social responsibility (“CSR”) activities; or
- have engaged with us for marketing or advertising.
Please note more than one section may apply to you. For example, a service partner may need to read the ‘service partner’ section and the visitor section.
Contacting us about data privacy
If you have any questions or concerns about the information on this page, or about what we do with personal data, please email us at dataprotectionmanager@gpe.co.uk, or write to us at the above address, for the attention of the Data Protection Manager.
2.1 Set out in the table below is a list of the ways that we may use your personal data, the reasons for doing so and lawful basis we rely on to do so. This is also where we tell you what our (or a third parties’) legitimate interests are.
| Relating to | Description of personal data | Why we use your personal data | Lawful basis |
|---|---|---|---|
| Individual customer of, or visitor to, one of our buildings or our head office |
First and last name, company and email address Photographs Information about your visit such as your name, company/floor, person visiting, date and time, location CCTV incl. images Medical records / health and safety records Access control information including entrance and exit data and duration on sites Company you are associated with and floor location worked on Vehicle Registration |
Managing and operating our buildings; Identification; Crime prevention, security and public safety; For the purposes of fire or incident management including the safety of individuals; Crisis management and planning at our buildings; To maintain our operational records; In the handling of complaints, grievances and disciplinary proceedings; To record information (including relevant medical information) for health and safety purposes where you suffer an incident at one of our buildings and for control purposes; To issue you with a permit to work for health and safety purposes; and To manage individual contractors. |
Consent, Legal Obligation, Contract, Our Legitimate Interests: Building management including safety and security; providing online services; processing registration; evidential purposes; defence of legal claims. Third party legitimate interests: monitoring access by corporate customers. |
| Individual customer of, or visitor to, one of our app-enabled buildings |
First and last name, company and floor location Email address Any other information individuals share Registration details, posts and communications Access control information including entrance and exit data and duration on sites |
To manage and operate some of our services and buildings; To provide access to a greater range of services; To provide information relevant to your use of the building; Provide online services; better understand building usage; identification; crime prevention; fire/incident management; crisis management; dietary requirements; maintain operational records. |
Our Legitimate Interests: building management, safety, improve building use, prevent crime. Third party legitimate interests: monitoring access, moderation of portal content. |
| Individuals with a lease agreement with us |
First and last name, company and email address Photographs, visit info, CCTV Medical/health records, duration on sites Bank account details and financial information, contact details for representatives, any information in agreement, vehicle registration |
To manage and administer your lease agreement; carry out due diligence; handling complaints, grievances; manage portfolio of buildings and perform agreements; communicate and carry out marketing including satisfaction surveys and newsletters. |
Consent, Contract, Our Legitimate Interests: communicate, administer lease, security verification, evidential purposes, legal claims, perform obligations. Third party legitimate interests: evidential and legal defence. |
| Neighbours to our projects |
Contact details Photograph Dietary requirements |
To communicate and handle any complaints; manage construction projects; manage compliance with third party consents; manage relationships with third parties; evidential purposes; consult on construction projects; manage events including registration and health/disability requirements. |
Legal obligation, Legitimate Interests of us/third parties: consult with neighbours, grow our business. |
| Our service partners including contractors and representatives |
Contact information (first/last name) Bank account details, CV, occupation |
To facilitate communication; manage service partners and contractors for construction projects; maintenance of buildings; supply of goods/services; perform obligations including payments. |
Contract, Legal obligation (Modern Slavery Act, health & safety), Our Legitimate Interest: engaging and managing contractors and service partners. |
| Party to a property transaction with us |
Contact details, occupation, nationality, reasons for purchasing, bank account, identification information, interest including share registers |
To facilitate property transactions; enter into a contract; carry out checks and verification of people and funds; compliance purposes including to prevent money laundering and fraud. |
Legal obligation, Contract, Legitimate Interests of us/third parties: verifying contacts and relationships, furthering business growth. |
| Current shareholder or former shareholder |
First and last name, registered address, shareholding and communication preference, email address, bank account details where provided |
To manage your shareholding; keep share register up to date; make shareholder communications and meeting materials available; pay dividends; allow you to exercise shareholder rights; respond to correspondence. |
Consent, Contract, Legal Obligation (Companies Act 2006). |
| Results presentations / investor relations events contact list |
First and last name, email addresses, telephone numbers, companies related to investors/analysts/bankers |
To invite you to events and presentations; manage registration; facilitate communication; provide information on financial performance; facilitate results presentations and manage investor relation events. |
Our Legitimate Interests: build and maintain relationships with third parties; grow our business. |
| Job applicants |
CV, first and last name, email address, telephone number, any other information on application form, medical information |
To carry out pre-employment checks; facilitate tests to assess aptitude and ability; gain references from former employers. |
Consent, Our Legitimate Interest: selecting and recruiting suitable candidates. |
| Website user |
Information via cookie (Google Analytics, Meta, LinkedIn identifiers, IP address, browser type, pages visited etc.) Subscribers: name, email, choice of news. Enquiries: first/last name, company, email, telephone, space type, location, enquiry text. |
Allow subscription to emails/alerts; allow job application, submit query, facilitate website use, provide services requested, communicate, deal with queries, provide property details, monitor and improve website. |
Consent, Our Legitimate Interests: managing and developing our website, business growth. |
| Participant in one of our CSR activities |
First and last names, company names, email addresses, money raised, room sharing allocation |
Manage and facilitate events and CSR activities including registration; communicate with participants; record charity funds. |
Legal obligation, Consent, Our Legitimate Interests: participate and raise funds for charity. |
| Engaged with us for marketing or advertising |
First/last names, email addresses, telephone numbers, photography/videography, sensitive data (health/disability needs), any other registration info |
Facilitate communication, invite to events, manage registration, manage events including security/health, marketing/advertising on social media/websites/email, publications, press releases, manage competitions. |
Legal obligation, Legitimate Interests of us and third parties: build and maintain relationships, build brand and implement strategy, grow business. |
2.2 We do not use your personal data for automated decision making.
2.3 If you do not provide personal data then, depending on the purpose for which the data is required, we may be unable to comply with our legal or contractual obligations. This may mean we may not be able to provide you with contractual or legal entitlements and may in certain situations not be able to enter into or continue our contract of employment and/or any other applicable engagement with you. Where information is not mandatory, we will make this clear, for instance we will explain if any data fields in our application or staff survey processes are optional and can be left blank.
2.4 Generally, we will only use your personal data for the purposes for which we collected it. If over time we consider that we have a different purpose we will ensure the reason is compatible with the original purpose and where appropriate and/or permitted, generally seek your consent to any new or changed processing.
3.1 This table describes our sharing of personal data including who we share with, the reasons why and if any personal data is transferred outside of the UK.
| Relating to | Third Parties | Data Sharing Purposes | Transfers out of the UK |
|---|---|---|---|
| Individual customer/visitor (buildings or head office) | Our suppliers, corporate customers, lawyers, insurance brokers, police | Suppliers: to perform services. Customers: access control reports, fire evacuation info. Professional advisers: health & safety incidents, security events, insurance claims. Police: criminal incidents. | We do not transfer any of this personal data outside the UK. |
| Individual customer/visitor (app-enabled buildings) | D2 Interactive Limited, Privée Limited, corporate customers | D2: operate Sesame app/portal; Stripe: payments; Privée: concierge service; Customers: building usage reports. | We do not transfer any of this personal data outside the UK. |
| Individuals with a lease agreement | Utility companies, joint venture partners and banks, agents and other professional advisers | Utility companies when moving in/out; joint venture partners: manage portfolio; agents: progress transactions. | We do not transfer any of this personal data outside the UK. |
| Neighbours to our projects | Local and statutory authorities, our suppliers (project team), joint hosts/event organisers | Meet legal obligations; communicate and consult with neighbours; share attendance list for joint events. | We do not transfer any of this personal data outside the UK. |
| Our service partners | Our service partners, joint venture partners, project's principal designer and project manager | Perform services; manage construction projects and maintenance; health and safety reasons. | Some third-party service partners are based outside UK, data may be transferred (see section 5 for safeguards). |
| Party to a property transaction | Auditors, agents, solicitors, joint venture partners | Audit transactions; execute property transaction. | Some joint venture partners outside UK; see section 5. |
| Current or former shareholder | Link Market Services | Manage shareholding, keep share register, respond to correspondence. | We do not transfer any of this personal data outside the UK. |
| Investor relations contact list | Corporate PR agency | Perform services including facilitating results presentations and managing events. | We do not transfer any of this personal data outside the UK. |
| Job applicants | Background check suppliers, applicant testing suppliers, recruitment agencies | Pre-employment checks, candidate testing, manage recruitment process. | Some third-party suppliers outside UK; see section 5. |
| Website user | Website service providers, email alert providers, RNS alert providers | Maintain/improve website; provide email/RNS alerts. | We do not transfer any of this personal data outside the UK. |
| CSR activities participant | Event organisers | Manage and coordinate CSR events, communicate with participants. | We do not transfer any of this personal data outside the UK. |
| Marketing or advertising contacts | Joint hosts, event organisers | Marketing/advertising, manage events, registration and security, health/disability requirements, manage competitions. | We do not transfer any of this personal data outside the UK. |
3.2 Our suppliers, service providers and agents are only permitted to process your personal data for specified purposes, in accordance with our instructions.
4.1 We may collect personal data about you from any of the following sources:
- Within our group or associated companies;
- Directly from you;
- Publicly available information that you post online on social or business networking sites such as Facebook and LinkedIn;
- Public information sources such as the Electoral Register or Companies House;
- Third parties: Referees, recruitment agencies, fraud prevention agencies, government bodies, law enforcement agencies and our suppliers, advisers and agents.
5.1 We only send your personal data outside the UK to: follow your instructions; comply with a legal duty; work with our group companies, suppliers and service providers that are based outside the UK; or work with financial institutions and joint venture partners based outside the UK.
5.2 If we transfer your personal data outside the UK, we will implement one of the following safeguards: (i) transfers to a country deemed adequate by the European Commission or UK adequacy regulations; (ii) put in place a contract with the recipient that ensures equivalent protection (including standard contractual clauses or UK International Data Transfer Agreement).
6.1 We have put in place appropriate security measures to prevent your personal information from being accidentally or unlawfully lost, destroyed or altered and to protect against unauthorised access.
6.2 Where we process your personal data or use third party suppliers, we limit access to those with a business need to know. They are subject to a duty of confidentiality.
6.3 We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator where legally required.
The website contains links to other websites which are outside our control and are not covered by this Privacy Notice. We are not responsible for those sites. We strongly recommend that you read the privacy notices of each website that collects personally identifiable information from you.
7.1 We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for.
7.2 To determine the retention period, we consider: amount, nature and sensitivity; potential risk of harm; purposes and whether we can achieve them otherwise; deletion requests; regulatory guidelines; legal requirements.
7.3 This is recorded in our retention policy, details available from our Data Protection Manager.
7.4 In some circumstances we may anonymise your personal information so that it can no longer be associated with you.
The law gives you certain rights in respect of the information that we hold about you. These rights include:
| Rights | What does this mean? |
|---|---|
| The right to be informed | Clear, transparent information about how we use your data. |
| The right of access | Obtain a copy of your personal data. |
| The right to rectification | Correct inaccurate or incomplete data. |
| The right to erasure | Request deletion where no compelling reason for retention. |
| The right to object | Stop or prevent processing, including absolute right to stop direct marketing. |
| The right to restrict processing | ‘Block’ further use in certain circumstances. |
| The right to data portability | Receive your data in structured, machine-readable format. |
| The right to lodge a complaint | Complain to data protection regulators (see section 9). |
| The right to withdraw consent | Withdraw consent at any time. |
8.1 If you want us to stop sending you information, the quickest and most efficient way is to use the provided “unsubscribe” links in our communications.
To exercise your rights, raise any complaints or to contact us with any questions regarding the processing of your personal data, please contact us by emailing dataprotectionmanager@gpe.co.uk or write to us at 33 Cavendish Square, London, W1G 0PW for the attention of the Data Protection Manager.
You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s contact details are:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk/make-a-complaint
10.1 We reserve the right to modify and/or update this privacy notice at any time. We may modify this notice to ensure it is accurate and up to date and to reflect changes in the law, the practice of the competent data protection authority, business needs and any new activity involving personal data processing. We will notify you when we make any substantial updates.
10.2 Last updated: November 2025