Privacy notice

Privacy notice for clients, suppliers, contractors and other business contacts

As part of our obligations under the UK and EU General Data Protection Regulations (GDPR), we’ve published this Privacy Notice to make it easier for you to find out how we use and protect your information. This notice applies to personal data we process about clients and prospective clients, suppliers and service providers (including contractors and consultants), other business contacts (including referrers), and visitors to our offices or sites.

This Privacy Notice is to let you know how Hollis may collect, store and process your personal information. This includes information you provide to us, information we generate through our dealings with you (for example when you engage us as a client, work with us as a supplier or contractor, or interact with us as a business contact), and the preferences you make about what type of communications you want to receive from us. This Privacy Notice explains how we do this and tells you about your privacy rights and how the law protects you where we process your personal data.

This Notice will provide you with information such as:

  • The types of information Hollis collects about you and individuals connected to your business, and how we use it
  • The legal grounds for how we use personal information
  • The rights which individuals have in relation to the information we hold about them
  • How we keep information secure.

Registered offices

Hollis Global Limited and its wholly owned subsidiary companies together referred to as the Hollis Group and trading as ‘Hollis’, (Data Controller) with registered offices below, needs to collect and process information about individuals including clients, suppliers and other business contacts in order to conduct its business.

  • Hollis Global Limited, Floor 3, 138 Cheapside, London EC2V 6BJ
  • Malcolm Hollis Limited, 14 Fitzwilliam Square, Dublin, D02 W298
  • Malcolm Hollis S.L.U., Calle Arrieta, 7, 4a, 28013, Madrid
  • Malcolm Hollis B.V., SPACES ZUIDAS, Barbara Strozzilaan 101-201, Amsterdam, 1083HN
  • Malcolm Hollis GmbH, Kurfürstendamm 195 3rd Floor, 10707, Berlin

Each legal entity as listed above may store and process personal data is a separate Data Controller where personal data is collected. All offices process personal data, and you can identify your local country office as your Data Controller from the list above. Hollis manages its obligations in relation to data protection on a group wide basis so all queries regardless of the Data Controller can be addressed to the same contact as detailed below.

Our privacy promise

We promise:

  • To keep your data safe and private,
  • Not to sell your data,
  • To give you ways to manage and review your marketing choices at any time.

This Privacy Notice sets out most of your rights regarding personal data.

We will process all personal data in accordance with the following principles:

  1. All personal data will be processed lawfully, fairly and in a transparent manner
  2. All personal data will be collected for one or more specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes
  3. All personal data collected will be restricted to what is adequate, relevant and limited for those purposes
  4. All personal data will be kept accurate and up to date (and reasonable steps will be taken to erase or rectify inaccurate personal data)
  5. All personal data will not be kept for no longer than is necessary for those purposes
  6. All personal data will be protected by appropriate technical and organisational security measures to prevent unauthorised or unlawful processing and accidental loss, destruction or damage.

Hollis as the data controller will be responsible for compliance with these principles at all times.

Who does this Privacy Notice relate to?

This Privacy Notice relates to personal data processed by Hollis about: (a) clients and prospective clients (whether businesses and the individuals connected to them, or individuals); (b) suppliers and other third-party businesses and individuals we work with to provide or receive services (including contractors, sub-contractors, consultants and referrers); and (c) visitors to Hollis’ offices or other sites (for example where CCTV is in use). Where Hollis processes personal data about employees and job applicants, this is generally covered by separate employee/applicant privacy information provided through HR processes; however, some information in this notice may also be relevant where employees act as business contacts (for example when attending external events or engaging with suppliers).

Individuals connected to your business

When providing you with our services, we may receive and process personal data relating to individuals connected to your business (for example, your employees, contractors, customers, tenants, occupiers or other contacts). In many circumstances, you (or the relevant client organisation) will determine the purposes for which that personal data is used in the context of the services, meaning you are the data controller and we act as a data processor on your behalf (except where we process personal data for our own independent purposes as described in this notice, such as marketing, compliance, finance, quality management and security).

If you (or anyone acting on your behalf) provide personal data to us about an individual connected to your business, you must ensure you have a lawful basis to disclose that data to Hollis and that you have provided the individual with any required privacy information (including how and why their data will be shared with us). Where applicable law requires consent for a particular disclosure or marketing activity, you are responsible for obtaining and recording that consent before sharing the data with us.

Which products and services does the Privacy Notice relate to?

The notice applies to all products and services offered and provided by Hollis. A table setting out the information collected and processed by Hollis and the basis under which we do so are included in a table at the end of this policy.

What type of personal information does the Privacy Notice relate to?

Hollis will only request details that are genuinely required in order to provide information or services that you have requested, or to comply with our contractual or legal obligations in relation to you or the services that we provide, or for the purposes of maintaining a balanced, genuine business relationship between you and us (including may making contact with you on an unsolicited basis where you have not requested that we do not do so, provided that such activity is in compliance with applicable laws in the country in which you are located).

Across all of the Hollis offices there may be other restrictions on data processing or additional data protection legislation that we must adhere to alongside the GDPR. Hollis will comply with all applicable legislation relating to the collection, retention or processing of personal, or other, data in the jurisdictions in which it operates and where required will make you aware of the requirements that apply.

We will only collect and process data when this is permissible in line with applicable law and depending on the purpose the data is being used for, the type and sensitivity of the data that is being collected.

Given the varied nature of local law it isn’t possible to list all circumstances and exceptions applicable to the collection of personal data. However depending on the reasons, you are working with us, the personal data we collect process and retain may include (unless prohibited by local law)::

  • Name
  • Business contact details including mobile/landline numbers, email address and business address
  • Role title, position and responsibility details
  • Additional information around the nature of your role, this may include qualifications and experience that you wish to tell us about
  • Sex/gender
  • Photographs taken at events
  • CCTV footage if you attend our premises
  • Hobbies and interests where relevant for marketing purposes
  • Event-related preferences and requirements you choose to provide (for example dietary preferences for catering, accessibility requirements, or practical details such as clothing/shoe size for a specific activity), collected only where relevant to the event and limited to what is necessary
  • Where event-related information reveals special category data (for example health information), we will only process it where a valid condition applies under applicable data protection law (typically explicit consent) and will handle it with additional care
  • Open data / public records which includes data that you have made freely available in a public domain such as via social media or publications and news articles
  • Permissions – so we can record how you would like to receive information from us, or if you would prefer not to
  • Extra information that you choose to tell us..

Personal data will be collected, stored and processed for the following purposes:

  • In order to provide commercial real estate consultancy service to our Clients
  • In order to comply with applicable legislation and statutory requirements for the prevention of money laundering
  • In order to maintain adequate accounting and financial records and to invoice the Client as and when appropriate
  • To carry out HR activities using employee data such as screening, job applications etc.
  • To carry out research activities, such as customer satisfaction surveys, or to establish market behaviour or trends
  • To provide you with marketing and other information about us (or other members of the Malcolm Hollis Group) and other goods and services we offer and to allow you or Contact Persons to any events organised alone or jointly by us (or other members of the Malcolm Hollis Group)
  • To obtain credit checks and or references in relation to the Client, if necessary and not prohibited by applicable legislation
  • In order to be provided with the services of a 3rd party
  • To allow Hollis to invite the Client, 3rd Party and/or Contact Persons to any events organised alone or jointly by Hollis
  • To carry out any other activities that may be ancillary or related to the above. (For marketing, advertising, or research purposes contact by email and text message)
  • To make such Personal Data available to third parties who provide products or services to us or other members of the Malcolm Hollis Group (but only to the extent necessary for the provision of such services and where Hollis would be able to process similar data in this manner) and/or to potential purchasers of Hollis Global LLP or our business..

Lawful processing basis – definitions

Under the GDPR, we must justify a lawful basis for processing your personal data. The most common basis are explained below:

  • Legitimate interest – using people’s data in ways they would reasonably expect in the context of our business, and which have a minimal privacy impact, or where there is a compelling justification for the processing which outweighs the potential privacy interests of the data subject
  • Contractual – where we need to fulfil our contractual or agreement obligations to you, or you have asked you to do something before entering into a contract (e.g. provide a quote)
  • Consent – asking individuals to ‘opt-in’ as a preference to sign up to a newsletter or networking event, for example. Where consent is not a lawful processing basis, it will not be relied on
  • Legal / Statutory obligation – using your data because we have a statutory duty to do so, e.g. retaining invoices based on tax legislation..

Reasons for processing your personal data

All individual personal data is regarded as company confidential data and will be handled appropriately at all times. All staff working for Hollis will have controlled role-based access to your personal data, but only on a strict ‘need-to-know’ basis, for the purposes described in this Privacy Notice. This list gives detail regarding the type of activity and what we process, why we process it and the lawful basis for us doing do.

Processing ActivityJustification for ProcessingPrimary Lawful Processing Basis
Collecting personal data for new clients, suppliers/contractors and other business contacts (e.g. receiving a business card, exchanging details at events)To respond to enquiries, develop and manage business relationships, and (where permitted by applicable law and your preferences) keep you updated about our services and eventsLegitimate Interest
Buying in mail listsTo offer our services and invite clients to events where there is a balanced business interest (and providing such activity is permitted under local law)Legitimate Interest
Responding to requests for work, quotes and tendersNecessary in order to commence with a business prospect, processing would be expected by the client or 3rd partyLegitimate Interest /Contractual
Carrying out work related requests and activities in line with an existing contract/agreementTo carry out duties in line with contractual/agreement related obligations. To give relevant updates to clients/3rd parties and conduct billing activitiesContractual
Supplier / contractor onboarding and due diligence (including setting up supplier records)To assess and appoint suppliers/contractors, manage procurement and due diligence, comply with legal/regulatory requirements, and administer contracts (including verifying contact and business details).Contractual / Legal obligation / Legitimate interest
Supplier account management, purchasing and paymentsTo manage our supplier/contractor relationship (including ordering, receiving services, query handling), maintain accounting records, process invoices and payments, and manage audit and fraud-prevention controls.Contractual / Legal obligation / Legitimate interest
Adding or amending contact details in our management systemIn order to keep records up to date, fulfil contractual obligations, carry out data cleansing activitiesLegitimate Interest /Consent
Maintaining purchase history on client recordsIn order to continue offering relevant services, ensuring records are kept up to dateLegitimate Interest
Conduct marketing activities to prospective clients, invite clients to events and promote campaignsTo carry out marketing activities, inform clients of relevant services available, attend relevant events and give company and industry updatesLegitimate Interest/Consent
Conduct marketing activities to existing contacts, invite clients/3rd parties to events and promote campaignsTo carry out marketing activities, inform clients/3rd parties of relevant services available, attend relevant events and give company and industry updatesLegitimate Interest/Consent
Update attendance records for eventsAssist with future marketing activities and identify which events are of interest to clients and 3rd partiesLegitimate Interest
To address complaints from clients or 3rd partiesTo comply with legal and regulatory requirements.
To resolve situations where the contact is dissatisfied and assess any measures of redress where justified.
To identify trends linked to repeated issues and improve our service and relationship to clients and 3rd parties.
Legitimate Interest
Record responses to questionnairesTo maintain business relationships and monitor the quality and relevance of our servicesContractual / Legitimate Interest
Address any requests from clients or 3rd parties

To ensure clients/3rd parties receive the appropriate level of information requested

To identify trends linked to repeated issues and improve our service and relationship with contacts

Legitimate Interest
To address complaints from clients or 3rd parties

To comply with legal and regulatory requirements

To resolve situations where the contact is dissatisfied and assess any measures of redress where justified

To identify trends linked to repeated issues and improve our service and relationship to clients and 3rd parties.

Legal / Contractual / Legitimate Interest

What we mean by marketing

  • Using your personal information by way of contact details in order to inform you and your business about new services, events and conduct campaigns
  • Profiling your data in order for us to justify why we have previously processed your data and why we would continue to do so
  • To identify what type of marketing information we believe may be of use to you and what you may be interested in
  • We will only use your information for marketing purposes when we justify our reasons to be a lawful basis using either ‘legitimate interest’ or ‘consent’
  • We will only use your information for marketing purposes in accordance with applicable law and where you have not indicated a preference not to hear from us
  • We may periodically ask you to review your preferences about how we contact you and will make it easy for you to change your mind..

Your rights under GDPR

Your rights include:

  • Right of access (Subject Access Request): ask for a copy of the personal data we hold about you and other supplementary information. We will not usually charge a fee unless a request is manifestly unfounded or excessive (for example, repetitive requests), or where you request further copies. We will respond within one month; this can be extended by up to two further months where requests are complex or numerous, and we will tell you within one month if we need to extend
  • Right to rectification: ask us to correct inaccurate personal data and/or complete incomplete data. Where we are required to keep certain records for legal, regulatory or professional obligations, we may need to retain the original record but will correct it (for example by adding an accurate update or note) where appropriate
  • Right to erasure: ask us to delete your personal data in certain circumstances (this is not an absolute right and may not apply where we have a lawful reason to keep the data)
  • Right to restrict processing: ask us to limit how we use your personal data in certain circumstances
  • Right to object: object to processing based on legitimate interests and, at any time, object to direct marketing (including profiling related to direct marketing)
  • Right to data portability: where our processing is based on consent or contract and carried out by automated means, ask to receive certain personal data you have provided to us in a structured, commonly used, machine-readable format and/or have it transmitted to another organisation where technically feasible
  • Rights relating to automated decision-making: where applicable, not to be subject to a decision based solely on automated processing that produces legal (or similarly significant) effects
  • Right to withdraw consent: where we rely on consent, you can withdraw it at any time (this won’t affect processing already carried out)
  • Right to complain: you can complain to the ICO (or your local supervisory authority) if you are unhappy with how we handle your personal data..

Please contact us using the contact details below if you wish to speak to us about this or want to exercise any of these rights.

Consequences of not providing us with certain data

Providing Hollis with certain levels of personal data is the choice of the individual of which that data belongs. You may choose not to give us certain information we ask for, or ask us to delete or stop using information that we already hold on you, and this is your right to do so. However, we may have overriding interests or obligations concerning certain data and we must also highlight some possible consequences of us not be able to process certain data belonging to you.

  • We may not be able to keep you informed about our new products and services or any relevant changes
  • We may not be able to keep you up to date with industry or regulatory changes, news and market reports
  • We may not be able to keep you informed around any upcoming events or invite you to our events, or as a guest to accompany us to 3rd party events
  • We may not be able to fulfil our contractual obligations to you in order to provide our service
  • We may not be able to continue using your products or services
  • We may not be able to consider new business with you or arrange networking opportunities to benefit both you and us.

Withdrawing consent

If we have asked for your consent at any time and you now wish to withdraw it, please contact us and we will update our records accordingly.

Some of our services are dependent on the use of Personal Data. If you withdraw your consent to use this data, we may no longer be able to continue to provide certain products and services, however, if this is the case we will discuss this with you.

If we are processing your data using the lawful processing basis of ‘legitimate interest’ you will not have given us ‘consent’ to process this data, however, you still have the right to object (see section ‘Your Rights Under GDPR‘).

If you have any questions please contact us [email protected].

How to complain

If you are not happy about how we are processing, or have processed, your personal information, in line with the EU and UK GDPR then you are able to raise a complaint with us or the relevant data protection regulator. Also, if you have instructed us around how to process your data in terms of your individual rights and you are not happy, please let us know.

How long we will keep your data for

Whilst you are still an active client of Hollis, we still have regular contact with you and you haven’t instructed us to delete your data, we will continue to retain your data in a secure environment.

We will retain, cleanse and delete your personal data in line with our Data Retention Policy, this policy defines retention requirements based on the nature and function of the document rather than the type of personal information that it contains, but all documents detailed below may require the inclusion of some personal data..

Document TypeRetention Period
Risk Assessments3 years from last review date
Documents of External Origin6 years
Emails and other electronic informationRelevant client or supplier related data – 6 years
Property documents such as leases and lease termination agreements6 years after lease termination
Client/3rd party feedback/complaints7 years
Invoices7 years
Client project related records15 years

Unless the circumstances require it, your personal data will be deleted at the end of the retention period at which time your rights may be limited as Hollis will no longer have your personal data. Circumstances that will result in us keeping your data outside of these retention periods includes legal and regulatory requirements and other commercial reasons (including ongoing contractual disputes).

Will Hollis make use of automated decision-making?

Automated decisions are defined as decision about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.

As a rule, Hollis does not make use of the automated decision-making as described above. Hollis does not base its decision whether or not to hire you solely on automated processing of your personal data.

How we keep your data secure

Security of your personal data is vitally important to Hollis and we strive to maintain security in many ways:

  • Testing and reviewing our systems, networks and locations that process data
  • Maintaining security policies and procedures which are tested and reviewed periodically
  • Ensuring employees are given the tools and training to handle data responsibly
  • Ensuring employees are under a statutory or contractual obligation of confidentiality
  • Controlling access to data across various levels including system and application access, physical access and 3rd party access, robust password management procedures
  • Access, at all levels, is role-based and only granted on a ‘need to know’ basis
  • Ensuring data is periodically cleansed, archived or deleted in line with policy
  • Employees undergo screening upon joining Hollis and training is mandatory for topics such as information security and data protection
  • Ensuring data is encrypted both in transit and at rest
  • Information assets are logged and equipped with up-to-date antivirus software
  • Data is regularly backed up and stored in a secure environment
  • Data breaches and security incidents are reported in line with policy and are followed up with analysis, risk assessments and corrective action where necessary.

In line with our security obligations we would also ask that you notify us of any changes to your data so we can keep our records as accurate as possible.

Transfers outside the UK or EEA

We will only transfer personal data outside the EEA (including to the UK) subject to appropriate data transfer mechanisms that include adequate safeguards. These international transfers may be permitted because the EU has determined that the non-EEA country has adequate data protection laws such that a similar level of protection exists in that country as is in place under EU law (the EU has already made such a determination in respect of data transfers to the UK). Alternatively it may take the form of a contract containing a set of standard data protection clauses which we will adopt and implement with the relevant data processor or third party service provider. We will inform you in advance if other safeguards are to apply.

We will only transfer personal data outside the UK subject to appropriate safeguards. These safeguards may arise because the UK has determined that the other country has adequate data protection laws such that a similar level of protection exists in that country as is in place under UK law (the UK has already made such a determination in respect of transfers of personal data to the EEA) or it may take the form of a contract containing a set of standard data protection clauses which we will adopt and implement with the relevant data processor or third party service provider. We will inform you in advance if other safeguards are to apply.

Data from 3rd parties we work with

We work with various industries and may receive your contact details as a referral in some cases by other businesses. We will only process your data when there is legal justification for doing so such as where we reasonably believe it is in within our balanced business interests. If that occurs, we will provide you information about the source of the personal information.

Parties we share data with

We may share your data with companies such as the following:

  • Regulators and other government authorities or law enforcement agencies
  • Any party linked with you or your business’s product or service
  • Companies we have a joint venture or agreement to co-operate with, where appropriate to do so
  • Parties providing services to Hollis (whether working on a matter for your benefit or otherwise) such as contractors, sub-consultants and consultants
  • Our external advisors, such as auditors, accountants or lawyers where they are under a duty of confidentiality
  • Banks and Insurers where such disclosure is necessary
  • Companies who conduct requested credit checks on our behalf
  • Organisations that introduce you to us
  • Third-party IT, hosting and cloud service providers (e.g. email, collaboration and security platforms) that process personal data on our behalf under contract, including providers such as Microsoft
  • Any entity in Malcolm Hollis Group of companies as detailed above.

Where we use third-party service providers to support our IT and business operations, they will act as processors (or, in some cases, as independent controllers) and are permitted to process personal data only in accordance with our documented instructions and contractual obligations, including appropriate confidentiality and security requirements. Depending on the service, this may involve processing and/or support access from locations outside the UK/EEA; where this occurs, we ensure appropriate safeguards are in place as described in the “Transfers outside the UK or EEA” section.

Where we share your personal data with the parties above, we will ensure that your personal data is subject to controls at least as stringent as those that apply to Hollis when it collects processes or stores your personal data.

We also have to share information or data in order to::

  • Comply with any applicable law, regulation, legal process or enforceable governmental request
  • Meet our contractual obligations for the purpose of legally required audits
  • Enforce our policies, including investigations into potential violations of those policies
  • Detect, prevent, or otherwise address fraud, security or technical issues
  • Protect against harm to the rights, property or safety of our users, the public or to Hollis and/or as required or permitted by law.

Use of Cookies

Personal data may be collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our websites, subscribes to our service, or makes an enquiry.

For more information, please visit our Cookie Policy available on our website.

Changes to our Privacy Notice

We may need to make changes to our policies and notices from time to time, where the processing of personal data is impacted, within the limitation set out by GDPR and the applicable data protection legislation. When we have made changes we will update the Privacy Notice on our website for you to read.

Use of Artificial Intelligence (AI)

At Hollis Global Limited, we are committed to ensuring that our use of AI complies with all relevant regulations including the EU AI Act (Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence). The EU AI Act governs the use of AI systems within the EU and aims to ensure that AI is used in a safe and ethical manner. Where AI tools are used in support of our professional services, we aim to use them in a way that remains consistent with applicable law and relevant professional standards (including RICS professional and ethical requirements where applicable).

We categorise our AI systems based on the level of risk. We do not engage in prohibited AI practices, such as manipulative AI systems, social scoring, or the exploitation of vulnerable groups.

We are transparent about how we use AI and ensure that our AI systems support human decision making and do not replace it. Our Data Protection Officer (DPO) is responsible for ensuring that our use of AI aligns with legal and regulatory obligations.

We use AI tools for efficiency and productivity, support, and data insights. These tools help us to analyse data, automate process, and improve our services. We do not use AI to process special category data, such as health, biometric, or racial data.

We prohibit the uploading of confidential, client, or sensitive business data into AI platforms or large language models (LLM) used for training AI systems not controlled by Hollis.

Hollis contact details

If you have any questions, require further information or wish to complain, please contact us.

You can contact Hollis directly using the details on our website or contact our Data Protection Officer (DPO)

Email: [email protected]

Phone: +44 20 7622 9555

If you wish to write to one of our offices, please follow this link: https://www.hollisglobal.com/contact-us/

Or post to: 3rd Floor, 138 Cheapside, London EC2V 6BJ

Data protection regulators (supervisory authorities)

UK (Lead Authority)

The Information Commissioner (ICO) is the UK regulator of the Data Protection Act 2018 and now the regulator for the UK GDPR.

www.ico.org.uk

Germany

Berliner Beauftragter für Datenschutz und Informationsfreiheit

https://www.datenschutz-berlin.de//

http://www.datenschutz-wiki.de/Aufsichtsbeh%c3%b6rden_und_Land

Spain

Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD)

www.aepd.es

Republic of Ireland

Data Protection Commissioner

www.dataprotection.ie

Netherlands

Dutch Data Protection Authority – Autoriteit Persoonsgegevens

https://autoriteitpersoonsgegevens.nl/nl