This privacy notice applies to all visitors to Floreat Group (defined as Floreat Holding Limited and its subsidiaries).
We take your Data Protection seriously and in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), we have reviewed our policies, processes and security procedures to ensure compliance with the regulations.
This privacy notice is to inform you, visitors to our office, of the types of data we process about you, the reasons for processing your data, the lawful basis for processing, your rights and the retention periods for your data.
This notice applies to all visitors to Floreat Group's offices at 33 Grosvenor Street, London, W1K 4QU for any purpose whatsoever.
If you have any questions about your data or how we handle it, please contact firstname.lastname@example.org
Data protection principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
g) we comply with the relevant GDPR procedures for the international transfer of personal data
Types of data held
Floreat Group collects specific categories of personal data for a variety of reasons. Under GDPR, these are known as the Legal Basis for obtaining and processing personal data.
We keep this data in our electronic filing systems.
Specifically, we hold the following types of data:
a) Personal details such as name, address, email address, phone numbers
b) Arrival and departure times
c) CCTV footage
d) Building access records
e) Temperature testing results (taken on each separate visit to the office)
f) Health questionnaires including travel history
Collecting your data
You provide personal data to us directly when completing the 'health attestation' upon arrival in the office.
Personal data is stored on our protected internal networks.
Lawful basis for processing
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement or in order to protect the health and safety of our visitors and employees.
The information below categorises the types of data processing we undertake and the lawful basis we rely on.
CCTV image recording and storing
Activities relating to the COVID-19 pandemic and collecting information in order to provide and maintain a safe working environment
Legitimate Interests and Employment, Social Security and Social Protection Law
Activities relating to contact tracing in order to assist NHS Track and Trace
Special categories of data
Under GDPR special categories of data require explicit consent for processing. Floreat Group only process special categories of data where required in order to meet a legal obligation.
Special categories of data include data related to information such as your: health, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data.
We only carry out processing activities using special category data in circumstances where we are obliged to, such as:
a) for the purposes of ensuring the health and safety of our employees and visitors
b) security (CCTV)
Most commonly, we will process special categories of data when the following applies:
a) you have given explicit consent to the processing
b) we must process the data in order to carry out legal obligations
c) we must process data for reasons of substantial public interest
d) you have already made the data public.
Failure to provide data
Your failure to provide us with data may mean that we are unable to allow you to access the office.
Who we share your data with
NHS Track and Trace
We have a data processing agreement in place with any third parties we use to process your data under our instructions, to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We do not share your data with bodies outside of the European Economic Area, unless you have consented for us to do so.
Protecting your data
We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. As part of our ongoing compliance with GDPR, we have implemented processes to protect your data and will continue to monitor the effectiveness of these processes.
We only keep your data for as long as we need it and in line with legal requirements.
- NHS track and trace data will be retained for 21 days.
- CCTV retained for 90 days.
Automated decision making
Automated decision-making means making decisions about you using no human involvement, e.g. using computerised algorithms or programmes.
We do not undertake any automated decision making with your data.
You have the following rights in relation to the personal data we hold on you:
a) the right to be informed about the data we hold on you and what we do with it
b) the right of access to the data we hold on you
c) the right for any inaccuracies in the data we hold on you to be corrected (rectified)
d) the right to have data deleted in certain circumstances (erasure)
e) the right to restrict the processing of the data
f) the right to transfer the data we hold on you to another party (portability)
g) the right to object to the inclusion of any information
h) the right to regulate any automated decision-making and profiling of personal data.
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. In certain instances, this may not be permissible and we will explain the reasons for this as part of our response.
Making a complaint
We will make every attempt to ensure you are satisfied with our handling of your data requests. However, you are entitled to raise a complaint with the Information Commissioner (ICO) if you are not satisfied. You can contact the ICO here or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
Last updated: September 2020