top of page

Hines Property Investment Ltd 

​

Privacy Policy

 

The purpose of this client privacy notice is to give you information  about what personal data we process about you, how, why and what your rights are.

As a valued client we are committed to ensuring that your privacy is protected. Should we ask you to provide certain data by which you can be identified when using the services, then you can be assured that it will only be used in accordance with this privacy notice. 

Hines Property Investment ltd is a registered Data Controller with the Information Commissioner’s Office (ICO) under registration number.

 

  1. Data We Collect About You?

We collect, process and retain personal data about you when we:

  • respond to your request – e.g. a query

  • carry out Anti-Money Laundering (AML) checks

  • provide you with ‘Sourcing’ services

  • keep you informed of any services, which will be of benefit to you

This data can include:

  • client name

  • registered business 

  • phone number

  • email address

  • home address

  • financial statements

  • reason to buy/sell

  • investment criteria

 

 

Unless you voluntarily submit your personal data to us (for example, by sending us an e-mail, or contractual agreement), we cannot personally identify an individual. 

 

  1. Legal Grounds for Processing

executing any contractual agreement with Hines Property Investment ltd hereinafter referred to as the “Company”. 

The Company shall have the right to process your personal data, including for example, your bank details and NI number, provided to the Company by you or some other party, to enable t1he Company to fulfil its legal and contractual obligations in its capacity as a Land and/or Property Sourcing Agent, or in order to take steps at the request of you prior to entering into a contractual agreement.

The Company may rely on one or more of the following legal grounds to process your personal data: 

  • Contract: Article 6(1)(b) of the UK GDPR, which relates to the processing necessary for the performance of a contract or to take steps from a successful quote or tender, before entering a contract. The Company will use it when entering into a contract or agreement with you.

  • Consent: Article 6(1)(a) of the UK GDPR, which relies on your freely-given consent at the time you provide your personal data to the Company. The Company will always make it clear what your personal data will be used for and provide you with the facility to withdraw your consent – refer to section 8. Your Rights (below). 

  • Legal Obligation: Article 6(1)(c) of the UK GDPR, where the processing is necessary in order for the Company to comply with a legal obligation. For example, carrying out the AML checks to ensure that we can legally contract with you.

  • Legitimate Interests: Article 6(1)(f) of the UK GDPR, which relates to our legitimate interests pursued by us the Company or by a third party (such as Company partners), except where such interests are overridden by the interests or your fundamental rights and freedoms which require protection of your personal data. Examples of our legitimate interests are as follows:

  1. running our business (e.g. to keep our records updated)

  2. communicating with our clients to introduce them to services, or market similar services that may be of interest and benefit to them

 

  1. Purposes of Processing

Purposes of processing personal data include:

  • Using your data to carry out administrative and management of our contractual agreement.

  • Using your personal data so that we can provide the ‘Sourcing’ services, as set out in the agreement.

 

  1. Transfers to Third Parties 

While processing your personal data for the purposes indicated above, the Company may use the services of third parties such as Zoho Corporation for electronic mail, and Dropbox Inc for cloud data storage.  

The Company uses data processors who are third parties who provide elements of services on behalf of the business. The Company will have contracts in place with the data processors. This means that the data processors cannot do anything with your personal data unless the Company has instructed them to do so. They will not share your personal data with any organisation apart from the Company. The data processor will hold it securely and retain it for the period the Company instruct.

However, the Company may share data (including personal data) if the Company has a legal obligation to do so, or if the Company must enforce or apply the Company’s terms of use and other agreements. This may include submitting data for legal reasons. 

 

  1. Cross-Border Data Transfers

The Company’s business processes increasingly go beyond the borders of one country. This globalisation demands not only the availability of communications and information systems across the Company but also the worldwide processing and use of data within the Company. Consequently, your data may be subject to cross-border data transfers.

The Company stores your personal data in digital format on secure local and cloud servers and systems hosted in the European Union (EU) and the United States (US). Where data is stored on servers located in the US, we rely on the Privacy Shield Framework and/or the EU model clauses (called the Data Transfer Agreements) to transfer this data. 

You may request a copy of the Data Transfer Agreements or data on the other applicable safeguards I use to protect your personal data.

 

  1. Retention

Your personal data will be stored for no longer than necessary considering the purposes of the processing activities.

The retention will not exceed 7 years from the end of the contract/agreement after which your personal data will be destroyed securely. However, the Company reserves the right to keep personal data for longer if we feel that this is in the legitimate interests of the Company.

 

  1. Keeping Your Personal Data Secure

The Company has policies, procedures and security in place to keep your personal data secure once it is in our systems. All personal data is stored securely in accordance with the principles of the UK GDPR. 

Any personal data collected in paper form (e.g. contractual agreements, etc.) are securely filed at our site located in the UK. All-access to your personal data is highly restricted for approved business purposes only.

 

  1. Your Rights

You can exercise your data subject rights and utilise our Data Subject Access Request (DSAR) procedure by contacting our Data Compliance Lead in writing at the address Hines Property Investment Ltd Henleaze House Business Centre 13 Harbury Road Henleaze Bristol BS9 4PN or by emailing  hpiltd18@gmail.com rights are as follows: 

  • You have the right to ask for a copy of your personal data. 

  • You have the right to have your personal data rectified. If you find your personal data held is inaccurate or incomplete, you can request to see this data, rectified. 

  • You have the right to have your personal data deleted. Though it should be noted this is not an absolute right. 

  • You have the right to demand the restriction of the data processing of your personal data.  This may include, but is not limited to the use of data for direct marketing purposes.

  • You have the right to receive your personal data in a structured, commonly used and machine-readable format (e.g. PDF or CSV) and to request the transmittance of your data to another controller;

  • You have the right to object to the data processing. This is not an absolute right and only applies under certain circumstances;

  • You have the right to withdraw a given consent at any time to stop a data processing that is based on your consent.

You may make any of the requests outlined above by contacting us by email at hpiltd18@gmail.com or in writing marked for the attention of our Data Compliance Lead at the following address Hines Property Investment Ltd Henleaze House Business Centre 13 Harbury Road Henleaze Bristol BS9 4PN

If you wish to complain about how we have handled your personal data, please contact our Client Service Manager in first instance by email at hpiltd18@gmail.com

Our Client Service Manager will then investigate your complaint and work with you to resolve the matter. 

If you still feel that your personal data has not been handled appropriately according to the law, you can contact the Information Commissioner’s Office in the UK here: https://ico.org.uk/concerns/ and file a complaint with them. 

 

  1. Changes to our privacy notice

  1. Changes to our privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 8th March 2023. 

 

10.    Data Breach’s 

Data Breach Policy

 

1. Introduction

 

This Data Breach Policy is established by the Company to comply with the General Data Protection Regulation (GDPR) and ensure that all employees and contractors are aware of their responsibilities in the event of a data breach. This policy outlines the procedures to be followed when a data breach is suspected, detected, or reported.

 

2. Definitions

 

- **Data Breach:** A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

 

- **Personal Data:** Any information relating to an identified or identifiable natural person (data subject) as defined in the GDPR.

 

- **Data Protection Officer (DPO):** The designated individual responsible for overseeing GDPR compliance within the organisation, if applicable.

 

3. Data Breach Identification and Reporting

 

3.1. Reporting Responsibility

 

 

 

 

 

- All employees, contractors, and third parties who process personal data on behalf of the Company must promptly report any suspected or actual data breaches to the Data Protection Officer (DPO) or a designated contact person.

 

3.2. Initial Assessment

 

- Upon receiving a report of a potential data breach, the DPO or designated contact person will conduct an initial assessment to determine the scope and severity of the breach.

 

3.3. Notification to Supervisory Authority

 

- If the data breach is likely to result in a risk to the rights and freedoms of individuals, the Company will report the breach to the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR. The DPO will handle this notification.

 

3.4. Notification to Data Subjects

 

- If a data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company will inform affected individuals without undue delay. The DPO will determine the need for notification and its content.

 

4. Data Breach Response

 

4.1. Containment and Mitigation

 

- the Company will take immediate action to contain and mitigate the effects of the data breach. This may include isolating affected systems, changing access credentials, or engaging relevant IT security experts.

 

4.2. Investigation

 

- The DPO, in coordination with relevant departments, will conduct a thorough investigation to determine the cause of the breach, identify the data affected, and assess the extent of the breach.

 

4.3. Documentation

 

- All aspects of the data breach, including its discovery, response, and resolution, will be documented in detail.

 

4.4. Communication

 

- The DPO or designated contact person will communicate with affected parties, supervisory authorities, and other stakeholders as necessary throughout the breach response process.

 

5. Remediation and Prevention

 

5.1. Remediation

 

The Company will take steps to remediate the vulnerabilities or weaknesses that led to the breach to prevent future occurrences.

 

5.2. Review and Update

 

- The Data Breach Policy and associated procedures will be regularly reviewed and updated to reflect changes in technology, regulations, and the organisations operations.

 

6. Training and Awareness

 

- All employees and contractors who handle personal data will receive training on this Data Breach Policy and their responsibilities in preventing and responding to data breaches.

 

7. Compliance

 

- Failure to comply with this Data Breach Policy may result in disciplinary actions as per the organisations internal policies.

 

8. Revision History

 

- This policy will be periodically reviewed and updated as necessary. The revision history will be maintained to document changes made to the policy.

 

The Company is committed to protecting the privacy and security of personal data and will take all necessary steps to prevent, detect, and respond to data breaches in accordance with GDPR and applicable data protection laws.

 

Policy Owner: Alexander Hines DPO or Designated hpiltd18@gmail.com

Date of Last Revision: [5th October 2023]

We keep our privacy notice under regular review. This privacy notice was last updated on 5th October 2023. 

download.png
NAPSA-Trademark-Badge-Dark.png

Hines Property Investment Ltd

Henleaze House Business Centre

13 Harbury Road,

Henleaze

Bristol

BS9 4PN

Tel: 01174631621

Em: hpiltd18@gmail.com

  • alt.text.label.Instagram
  • alt.text.label.Facebook

©2023 by Hines Property Investment Ltd. 14626079 created with Wix.com

bottom of page