Privacy Notice

1. How we use your personal data

We are committed to protecting the privacy and security of personal data.

Except where 1.3 below applies, the data controller of your information is Great Portland Estates Services Limited (company number 00517550) of 33 Cavendish Square, London, W1G 0PW. This is the property management company of Great Portland Estates plc (company number 00596137) of 33 Cavendish Square, London, W1G 0PW.

If you are a shareholder or former shareholder, the data controller is Great Portland Estates plc.

Any references to ‘we’, us’ or ‘our’ are to the relevant data controller that processes your information.

This section of our website is designed to help you understand the basis on which any personal data about you will be processed by us. Please take the time to read and understand this privacy notice.

As we undertake a wide range of activities, we’ve organised information into tables, reflecting the different ways you might interact with us, in order to help you get to the information you want quickly. This notice will apply to you if you:

occupy or visit one of our buildings, head office or app-enabled buildings;
have a lease agreement with us;
are a neighbour to our projects;
are one of our service partners;
are a party to a property transaction with us;
are a current shareholder or former shareholder;
are on our contact list for results presentations or investor relations events (e.g. investors, analysts and bankers);
have applied for a job with us;
use our website; or
participate in one of our corporate social responsibility (“CSR”) activities; or
have engaged with us for marketing or advertising.

Please note more than one section may apply to you. For example, a service partner may need to read the ‘service partner’ section and the visitor section.

Contacting us about data privacy
If you have any questions or concerns about the information on this page, or about what we do with personal data, please email us at dataprotectionmanager@gpe.co.uk, or write to us at the above address, for the attention of the Data Protection Manager.

2. Scope, purposes and lawful basis of personal data processed

2.1 Set out in the table below is a list of the ways that we may use your personal data, the reasons for doing so and lawful basis we rely on to do so. This is also where we tell you what our (or a third parties’) legitimate interests are.

Relating to	Description of personal data	Why we use your personal data	Lawful basis
Individual customer of, or visitor to, one of our buildings or our head office	First and last name, company and email address Photographs Information about your visit such as your name, company/floor, person visiting, date and time, location CCTV incl. images Medical records / health and safety records Access control information including entrance and exit data and duration on sites Company you are associated with and floor location worked on Vehicle Registration	Managing and operating our buildings; Identification; Crime prevention, security and public safety; For the purposes of fire or incident management including the safety of individuals; Crisis management and planning at our buildings; To maintain our operational records; In the handling of complaints, grievances and disciplinary proceedings; To record information (including relevant medical information) for health and safety purposes where you suffer an incident at one of our buildings and for control purposes; To issue you with a permit to work for health and safety purposes; and To manage individual contractors.	Consent Legal Obligation Contract Our Legitimate Interests: Building management including the safety and security of individuals; In wishing to provide an additional range of online services and information to you in order to improve your use of the building; We need to process your registration details and may moderate anything you post in order to ensure that the app/ portal is not used for illegal purposes or otherwise causes damage or distress; The processing we undertake is limited and concentrates on your use of the app/ portal insofar as it relates to the building; For evidential purposes; and In the exercise or defence of a legal claim. The Legitimate Interest of third parties: In managing the use of buildings, and in the case of corporate customers, of our buildings this may include them monitoring the access of individual customers, who are employed or engaged by them. If you are an individual customer, please see your company privacy policy for further detail on this; For evidential purposes; and In the exercise or defence of a legal claim.
Individual customer of, or visitor to, one of our app-enabled buildings	Information obtained from a portal, app or access card relating to use of a building including: First and last name, Company you are associated with and floor location worked on Email address Any other information individuals share Registration details Posts and communications made by users Access control information including entrance and exit data and duration on sites	To manage and operate some of our services and buildings; To provide access to a greater range of services; To provide information to you that is relevant to your use of the building; To provide you with a range of on-line services relating to that building; and So we can better understand how our buildings are used by their customers; Identification; crime prevention, security and public safety; For the purposes of fire or incident management including the safety of individuals; Crisis management and planning at our buildings; dietary requirements and to maintain our operational records.	Our Legitimate Interests: Building management including the safety and security of individuals; In wishing to provide an additional range of online services and information to you; In order to improve the use of a building; To prevent and detect any crime; and To manage the purposes the app/portal is used for including to prevent damage and distress. The Legitimate Interest of third parties: In managing the use of buildings, and in the case of corporate customers, of our buildings this may include them monitoring the access of individual customers, who are employed or engaged by them. If you are an individual customer, please see your company privacy policy for further detail on this; and To process your registration details and moderate anything you post in order to ensure that the app/ portal is not used for illegal purposes or otherwise causes damage or distress. The processing we undertake is limited and concentrates on your use of the app/portal insofar as it relates to the building.
Individuals with a lease agreement with us	First and last name, company and email address Photographs Information about your visit such as your name, company/floor, person visiting, date and time, location CCTV incl. images Medical records / health and safety records Duration on sites Bank account details and other financial information Contact details for your representatives Any information in your agreement that you provide Vehicle registration	To manage and administer your lease agreement; to carry out due diligence; In the handling of complaints, grievances and disciplinary proceedings; To manage our portfolio of buildings and perform those agreements; and To communicate and carry out marketing including on satisfaction surveys and provisions of a newsletter.	Consent Contract Our legitimate Interests: To communicate with you; To administer and manage your lease agreement with us; To carry out security verification checks on those we interact and contract with; For evidential purposes; In the exercise or defence of a legal claim; and To perform our obligations. The Legitimate Interest of third parties: For evidential purposes; and In the exercise or defence of a legal claim.
Neighbours to our projects	Contact details Photograph Dietary requirements	To communicate and handle any complaints; To manage our construction projects; To manage compliance with any third party consents; To manage relationships with third parties; For evidential purposes; to consult on construction projects; and To manage events including registration and health or disability requirements such as dietary needs and preferences or physical access needs.	Legal obligation Legitimate Interests of us third parties: To consult with our neighbours over our projects; and To grow our business.
Our service partners including contractors and any representatives of such	Contact information including first and last name, Bank account details CV Occupation	To facilitate communication; To manage our service partners and contractors in respect of our construction projects; For the maintenance of our buildings; For the supply of other goods and services that our business may need; and To perform our obligations including with respect to payments.	Contract Legal obligation including with respect to: The Modern Slavery Act 2015; and Health and safety. Our Legitimate Interest: In engaging and managing our contractors and other service partners (both in connection with individual buildings and more generally in our business).
Party to a property transaction with us	Contact details Occupation Nationality Reasons for purchasing a property Bank account Identification information Your interest including information extracted from share registers	To facilitate property transactions; To enter into a contract; To carry out checks and verification of people and funds; and For compliance purposes including to prevent money laundering and fraud.	Legal obligation Contract Legitimate Interests of us and our third parties: In verifying contacts and relationships; and Furthering the growth of our businesses.
Current shareholder or former shareholder	First and last name Registered address Shareholding and communication method preference Your email address Bank account details where provided	To manage your shareholding in Great Portland Estates plc; To keep your record on the share register up to date; Make shareholder communications and shareholder meeting materials available to you; Pay dividends to you; Allow you to exercise your rights as a shareholder, such as a right to vote at shareholder meetings; and Respond to any correspondence you send to us or to our registrar, Link Market Services.	Consent Contract Legal Obligation including in relation to: Companies Act 2006
You are on our results presentations/investor relations events contact list (e.g. investors, analysts and bankers)	First and last name Email addresses Telephone numbers Companies related to the investors, analysts and bankers	To invite you to events and presentations; To manage your registration; To facilitate communication; For the purposes of providing information on our financial performance to you; and To facilitate results presentations and manage investor relation events.	Our Legitimate Interests: Build and maintain relationships with third parties; and Grow our business.
Job applicants	CV First and last name, Email address Telephone number Any other information on an application form Medical information	To carry out pre-employment checks; To facilitate tests to assess the aptitude and ability of a candidate; and To gain references from former employers.	Consent Our Legitimate Interest: Selecting and recruiting appropriate suitable and competent candidates and Personnel.
Website user	Information via cookie such as Google Analytics, Meta, LinkedIn identifiers, IP address, browser type, pages visited etc. (for more information on cookies see our cookie policy) Subscribers to emails and alerts: Name Email address Your choice of news and information services Submission of enquiries: First and last name Company Email address Telephone Your choice of space type and size Location Your enquiry text	To allow you to subscribe to emails and alerts; To allow you to apply for a job/role; to allow you to submit an query; To facilitate your use of the website; To provide the services requested; To communicate with you about services; To deal with any query you raise; To provide you with details of our properties; and To enable us to monitor and improve our website	Consent Our Legitimate Interests in: Managing our website; and Developing our business.
You are a participant in one of our CSR activities	First and last names Company names Email addresses Money raised by the individual Room sharing allocation of the participants	To manage and facilitate events and CSR activities including registration; To communicate with participants; and To record charity funds.	Legal obligation Consent Our Legitimate Interests: To participate and raise funds for charity.
You are engaged with us for marketing or advertising	First and last names Email addresses Telephone numbers Photography or videography relating to you Sensitive data including health or disability needs or requirements Any other information provided on your registration for which you may provide	To facilitate communication; To invite you to and manage your registration at events, workshops and presentations; To manage events, workshops and presentations including security, health and safety, and disability requirements; To facilitate communication; For marketing / advertising including on social media, websites and email; For publications, press releases and other communications; and To facilitate and manage competitions.	Legal obligation Legitimate Interests of us and our third parties: To build and maintain relationships; Build our brand and implement our strategy; and Grow our business

2.2 We do not use your personal data for automated decision making.

2.3 If you do not provide personal data then, depending on the purpose for which the data is required, we may be unable to comply with our legal or contractual obligations. This may mean we may not be able to provide you with contractual or legal entitlements and may in certain situations not be able to enter into or continue our contract of employment and/or any other applicable engagement with you. Where information is not mandatory, we will make this clear, for instance we will explain if any data fields in our application or staff survey processes are optional and can be left blank.

2.4 Generally, we will only use your personal data for the purposes for which we collected it. If over time we consider that we have a different purpose we will ensure the reason is compatible with the original purpose and where appropriate and/or permitted, generally seek your consent to any new or changed processing.

3. Sharing of personal data

3.1 This table describes our sharing of personal data including who we share with, the reasons why and if any personal data is transferred outside of the UK.

Relating to	Third Parties	Data Sharing Purposes	Transfers out of the UK
Individual customer of, or visitor to, one of our buildings or our head office	Our suppliers Corporate customers that you may be engaged or employed by or visiting Lawyers, insurance brokers, and other professional advisers Police	Our suppliers: to the extent necessary for them to perform their services to us. Customers: where access control information or a permit to work relates to a particular corporate customer's own premises; to provide reports to corporate customers on building usage by their personnel and visitors, including access control information; and to share fire evacuation information. Lawyers, insurance brokers, and other professional advisers: where information relates to health and safety incidents; for security events; and for matters giving rise to an insurance claim or relevant to our insurance coverage. Police: in the event of a criminal incident.	We do not transfer any of this personal data outside the UK.
Individual customer of, or visitor to, one of our app-enabled buildings	D2 Interactive Limited Privée Limited Corporate customers that you may be engaged or employed by or visiting	D2 Interactive Limited: to operate the Sesame app/portal including managing access and booking meeting rooms; Please see their privacy notice at for further information on how they handle personal data. Stripe to the extent necessary to perform agreed services including the processing of payments and expenses on the Sesame app. Privée Limited: to provide a concierge service (branded as 'Lifestyle') on our behalf linked to the portal. Customers: to provide reports to corporate customers on building usage by their personnel and visitors, including access control information.	We do not transfer any of this personal data outside the UK.
Individuals with an lease agreement with us	Utility companies Joint venture partners and banks Agents and other professional advisers	Utility companies: when you move into or out of one of our buildings. Joint venture partners and banks: to manage and administer our portfolio of buildings and perform our agreements. Agents and other professional advisers: to progress and complete transactions.	We do not transfer any of this personal data outside the UK.
Neighbours to our projects	Local and statutory authorities Our suppliers who constitute the project team Joint hosts or event organisers	Local and statutory authorities: to meet our legal obligations to them. Our suppliers who constitute the project team: to communicate and consult with our neighbours. Joint hosts or event organisers: to share the attendance list when we hold a joint event with a third party in respect of a project.	We do not transfer any of this personal data outside the UK.
Our service partners	Our service partners Joint venture partners Project's principal designer and project manager	Our service partners: to the extent necessary for them to perform their services to us. Joint venture partners: to manage and administer our construction projects and the maintenance of our buildings. Project's principal designer and project manager: for health and safety reasons, where the data was collected from our consultants, contractors, and sub-contractors.	Some of our third-party service partners are based outside of UK, and therefore, some of your data will be transferred there. Please see section 5 for further information on how we safeguard your personal data in these circumstances.
Party to a property transaction with us	Auditors Agents Solicitors Joint venture partners	Auditors: to audit the transactions undertaken, in accordance with legal obligations. Agents, solicitors, and joint venture partners: for the purposes of executing the property transaction.	Some of our joint venture partners are based outside of UK, and therefore, some of your data may be transferred there. Please see section 5 for further information on how we safeguard your personal data in these circumstances.
Current shareholder or former shareholder	Link Market Services	Link Market Services: To manage, on your behalf, your shareholding in Great Portland Estates plc; To keep your record on the share register up to date; and To respond to, or assist us to respond to, any correspondence you send.	We do not transfer any of this personal data outside the UK.
You are on our results presentations/ investor relations events contact list (e.g. investors, analysts and bankers)	Corporate PR agency	Corporate PR agency: To the extent necessary for them to perform their services to us, including facilitating results presentations and managing investor relations events.	We do not transfer any of this personal data outside the UK.
Job applicants	Background check suppliers Applicant testing suppliers Recruitment agencies	Background check suppliers: perform background checks as part of our recruitment and pre-employment process. Applicant testing suppliers: to conduct applicant testing to assess candidates' suitability for roles. Recruitment agencies: to manage the recruitment process, including holding a copy of the CV if it was submitted via the agency.	Some of our third-party suppliers are based outside of UK, and therefore, some of your data will be transferred there. Please see section 5 for further information on how we safeguard your personal data in these circumstances.
Website user	Website service providers Email alert service providers RNS alert service providers	Website service providers: to the extent necessary for them to perform their services to us, including maintaining and improving our website. Email alert service providers: to provide the requested email alerts and notifications. RNS alert service providers: to provide the requested RNS alerts and notifications.	We do not transfer any of this personal data outside the UK.
You are a participant in one of our CSR activities	Event organisers	Event organisers: to manage and coordinate the CSR events, including inviting previous participants to enter each year's event; and communicating with and managing each year's participants.	We do not transfer any of this personal data outside the UK.
You are engaged with us for marketing or advertising	Joint hosts Event organisers	For marketing / advertising; To manage events; To manage registration and security including sharing the attendance list; To manage health or disability requirements including dietary needs and access requirements at events; and To facilitate and manage competitions.	We do not transfer any of this personal data outside the UK.

3.2 Our suppliers, service providers and agents are only permitted to process your personal data for specified purposes, in accordance with our instructions.

4. Sources of personal data

4.1 We may collect personal data about you from any of the following sources:

4.1.1 Within our group or associated companies;
4.1.2 Directly from you;
4.1.3 Publicly available information that you post online on social or business networking sites such as Facebook and LinkedIn.
4.1.4 Public information sources such as the Electoral Register or Companies House.
4.1.5 Third parties: Referees, recruitment agencies, fraud prevention agencies, government bodies and departments, law enforcement agencies and our suppliers, advisers and agents.

5. International transfers of personal data outside the UK

5.1 We only send your personal data outside the UK to:

5.1.1 Follow your instructions;
5.1.2 Comply with a legal duty;
5.1.3 Work with our group companies, suppliers and service providers that are based outside the UK; or
5.1.4 Work with financial institutions and joint venture partners that are based outside the UK.

5.2 If we transfer your personal data outside the UK, we will implement one of the following safeguards:

5.2.1 Transfers to a non-EEA country that has been deemed to provide an adequate level of protection for personal information by the European Commission. For further details, see . (The UK has published “adequacy regulations” in relation to countries within the EEA and some countries outside of the EEA, which means that these countries are considered under UK data protection law, to provide an adequate level of protection for personal data. (see .)
5.2.2 Put in place a contract with the recipient that means they must protect it to the equivalent standards as the UK including ; the and any other appropriate safeguard in place from time to time.

6. Data security

6.1 We have put in place appropriate security measures to prevent your personal information from being accidentally or unlawfully lost, destroyed or altered and to protect against unauthorised access to or disclosure of your personal data.

6.2 Where we process your personal data or use third party suppliers and service providers to do so, we limit access to your personal information to those officers, employees, agents, contractors and other third parties who have a business need to do so. They will only process your personal data for specified purposes, and they are subject to a duty of confidentiality.

6.3 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

6.4 The website contains links to other websites which are outside our control and are not covered by this Privacy Notice. We are not responsible or liable for these websites, their privacy policies or their use of your personal information. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours. We strongly recommend that you read the privacy notices of each and every website that collects personally identifiable information from you.

7. Data retention

7.1 We will only retain your personal information for as long as is necessary to fulfil the purposes we collected it for.

7.2 To determine the appropriate retention period for personal data, we consider:

7.2.1 the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data,
7.2.2 the purposes for which we process your personal data and whether we can achieve those purposes through other means,
7.2.3 if you have made a request to have your personal data deleted (see section 9 of this notice);
7.2.4 guidelines issued by relevant data protection regulators; and
7.2.5 the applicable legal requirements.

7.3 This is recorded in our retention policy, details of which are available from our Data Protection Manager.

7.4 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

8. Your data access rights

8.1 The law gives you certain rights in respect of the information that we hold about you. These rights include:

Rights	What does this mean?
The right to be informed	You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This notice is an example of this right.
The right of access	You have the right to obtain a copy of personal data relating to you (and other information) from us where we are processing it. This is so you are aware and can check that we are using your information in accordance with data protection law.
The right to rectification	You are entitled to have your information corrected if it is inaccurate or incomplete. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
The right to erasure	This enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it.
The right to object	Under certain circumstances individuals have the right to stop or prevent the processing of their personal data by GPE. Individuals also have an absolute right to stop their data being used for direct marketing.
The right to restrict processing	You have the right to ‘block’ or suppress further use of your personal data that we process. This means that it can only be used for certain things, such as legal claims or to exercise legal rights. You can ask us to restrict the use of your personal data if it is not accurate; it has been used unlawfully but you don’t want us to delete it; it is not relevant any more, but you want us to keep it for use in legal claims; or you have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it. If we do restrict your information in this way, we will not use or share it in other ways while it is restricted.
The right to data portability	You have the right to receive your personal data in a structured, commonly used and machine-readable format and to request that this data is transmitted to another party/controller where this is technically feasible. This right only applies to personal data you have directly provided to us (not any other information).
The right to lodge a complaint	You have the right to lodge a complaint about our handling or processing of your personal data to data protection regulators. (See section 9 for further details).
The right to withdraw consent	Where you have given your consent to us for the processing of any personal data, you have the right to withdraw your consent at any time (although this does not mean that any processing of personal data carried out by us with your consent up to that point is unlawful).

8.2 If you want us to stop sending you information, the quickest and most efficient way is to use the provided “unsubscribe” links in our communications.

9. Contact information

9.1 To exercise your rights, raise any complaints or to contact us with any questions regarding the processing of your personal data, please contact us by emailing or to write to us at 33 Cavendish Square, London, W1G 0PW for the attention of the Data Protection Manager.

9.2 You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s contact details are:

9.3 Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9.4 Helpline number: 0303 123 1113

9.5 ICO website:

10. Changes to this privacy notice

10.1 We reserve the right to modify and/or update this privacy notice at any time. We may modify this notice to ensure it is accurate and up to date and to reflect changes in the law, the practice of the competent data protection authority, business needs and any new activity involving personal data processing. We will notify you when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

10.2 Last updated: May 2026