Privacy notice for clients and 3rd parties
As part of our obligations under the General Data Protection Regulations (GDPR), we’ve published this Privacy Notice to make it easier for you to find out how we use and protect your information and information about individuals who are connected to your business.
This Privacy Notice is to let you know how Hollis promise to look after your personal information. This includes what you tell us about yourself, what we learn by having you as a client or working with you as a service provider, and the preferences you make about what type of marketing you want us to send you. This Privacy Notice explains how we do this and tells you about your privacy rights and how the law protects you where we process your personal data.
We won’t be changing the ways we use this information, but this Notice will provide you with additional details such as:
- The types of information Hollis collects about you and individuals connected to your business, and how we use it.
- The legal grounds for how we use personal information.
- Increased rights which individuals have in relation to the information we hold about them.
- How we keep information secure.
Hollis, (Data Controller) with registered offices below, needs to collect and Process information about individuals including Staff, clients, suppliers and other business contacts in order to conduct its business.
- Malcolm Hollis LLP, Battersea Studios, 80-82 Silverthorne Road, London SW8 3HE
- Malcolm Hollis Limited, 115 Baggot Street Lower, Dublin 2, D02 FN88
- Malcolm Hollis S.L.U. Paseo de la Castellana, 18, 7a, Madrid 28046
- Malcolm Hollis B.V. Barbara Strozzilaan, 101 Spaces Zuidas, 1083HN, Amsterdam
- Malcolm Hollis GmbH, Kurfürstendamm 195 3rd Floor, Berlin, Germany
Each legal entity as listed above is a separate Data Controller where personal data is collected. All offices will process personal data, and you can identify your local country office as your Data Controller from the list above. Hollis are only required to have one appointed Data Protection Officer.
Our privacy promise
- To keep your data safe and private,
- Not to sell your data,
- To give you ways to manage and review your marketing choices at any time.
Data Protection law changed on 25 May 2018 and this Privacy Notice sets out most of your rights under the new regulation. We may make further updates to this Notice to reflect the changing legislation and will periodically review this notice for accuracy in the future.
We will process all personal data in accordance with the following principles:
- all personal data must be processed lawfully, fairly and in a transparent manner,
- all personal data must be collected for one or more specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes,
- all personal data shall be restricted to what is adequate, relevant and limited for those purposes,
- all personal data shall be kept accurate and up to date (and reasonable steps must be taken to erase or rectify inaccurate personal data),
- all personal data must be kept for no longer than is necessary for those purposes,
- all personal data must be protected by appropriate technical and organisational security measures to prevent unauthorised or unlawful processing and accidental loss, destruction or damage.
Hollis as the data controller will be responsible for compliance with these principles and must be able to demonstrate its compliance.
Who does this Privacy Notice relate to?
This Privacy Notice relates to all Hollis clients, who are a business (and individuals associated with them) or individuals, all 3rdparty businesses and individuals who work with Hollis to provide a service of whom may be a supplier, contractor, sub-contractor or referrer of business for example.
Individuals Connected to Your Business
When providing you with our services we will collect information on individuals connected to your business. This information may be collected from you or other independent sources. All relevant individuals will have access to this Privacy Notice and if you, or anyone else on your behalf, has provided or provides personal information to us about an individual connected to your business, you or they must first ensure that you or they have the authority to do so, and that you have provided access to this Privacy Notice to ensure that they are informed.
Which products and services does the Privacy Notice relate to?
The notice applies to all products and services offered and provided by Hollis. This includes but is not limited to:
- Access consultancy
- Building defects
- Cost management
- Development monitoring
- Dispute resolution
- Environment, energy and sustainability
- Health and safety
- Leasehold advice
- Mechanical and electrical
- Measured surveys
- Party wall and neighbourly issues
- Planned maintenance
- Project management
- Reinstatement cost assessments
- Rights of light and daylight and sunlight
- Schedules of condition
- Service charges
- Technical due diligence
- Tenant alterations
- Workspace consultancy
What type of personal information does the Privacy Notice relate to?
Hollis will only request details that are genuinely required e.g. in order to carry out our contractual and statutory obligations to you, or for the purposes of a balanced, genuine business interest for you and us.
Across all of the Hollis offices in the EU, there are variances in applicable data protection legislation that we must adhere to alongside the GDPR. Applicable legislation will be adhered to when it prohibits the processing of types of personal data. For example, exceptions will be made under applicable legislation around the processing of data concerning an individual’s health in the Netherlands and special category data in Germany.
We will only collect and process data when this is permissible in line with applicable legislation and depending on the purpose, type (which may include special category and diversity related data) and nature of the role applied for within Hollis.
Given the specific nature of this local legislation it isn’t possible to list all circumstances and exceptions for the collection of data. However depending on the reasons you are working with us, data and exceptions may include:
Data may include but not be limited to:
- Business contact details including mobile/landline numbers, email address and business address,
- Role title, position and responsibility details,
- Additional information around the nature of your role, this may include qualifications and experience that you wish to tell us about,
- Photographs taken at events (exceptions in Spain and Germany),
- CCTV footage if you attend our premises (exceptions in Germany and Netherlands),
- Hobbies and interests,
- Personal preferences including dietary requirements, personal details linked to an event (e.g. shoe size for a bowling evening), details around physical ability (e.g. ability to swim for a sailing event), or travel preferences (this list is not exhaustive, however, only appropriate types of data will be collected depending on the processing activity),
- Open data / public records which includes data that you have made freely available in a public domain such as via social media or publications and news articles,
- Permissions – so we can record how you would like to receive information from us, or if you would prefer not to,
- Extra information that you choose to tell us.
Please note that the above list of categories of personal data we may collect is not exhaustive.
Personal data relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation are subject to additional protection and are referred to as “special categories of personal data”.
Personal data will be collected, stored and processed for the following purposes:
- In order to provide commercial building consultancy service to our Clients,
- In order to comply with applicable legislation and statutory requirements for the prevention of money laundering,
- In order to maintain adequate accounting and financial records and to invoice the Client as and when appropriate,
- To carry out research activities,
- To provide you with marketing and other information about us (or other members of the Malcolm Hollis group) and other goods and services we offer and to allow the LLP to invite you and/or Contact Persons to any events organised alone or jointly by us (or other members of the Malcolm Hollis group),
- To obtain credit checks and or references in relation to the Client, if necessary and not prohibited by applicable legislation,
- In order to be provided with the services of a 3rd party,
- To allow Hollis to invite the Client, 3rd Party and/or Contact Persons to any events organised alone or jointly by Hollis,
- To carry out any other activities that may be ancillary or related to the above. (For marketing, advertising, or research purposes contact by email and text message),
- To make such Personal Data available (but only to the extent absolutely necessary) to third parties who provide products or services to us (or other members of the Malcolm Hollis group) and/or to potential purchasers of Malcolm Hollis LLP or our business.
Lawful Processing Basis – Definitions
Under the GDPR, we must justify a lawful basis for processing your personal data. The most common basis are explained below.
- Legitimate interest – using people’s data in ways they would reasonably expect in the context of our business, and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- Contractual – where we need to fulfil our contractual or agreement obligations to you, or you have asked you to do something before entering into a contract (e.g. provide a quote).
- Consent – asking individuals to ‘opt-in’ as a preference to sign up to a newsletter or networking event, for example. Where consent is not a lawful processing basis, it will not be relied on.
- Legal / Statutory obligation – using your data because we are statutory required to do so, e.g. retaining invoices based on tax legislation.
For further information, please visit the data commissioner’s website, given in the ‘Data Protection Regulators’ section of this page.
Reasons for processing your personal data
We will use this personal data in order to carry out activities, some of which will include marketing purposes, event invitations and carrying out our contractual and statutory duties to you.
If Hollis requests sensitive personal data we will ensure that the correct lawful basis for processing is used and, if consent is required, that this can easily be both freely given and withdrawn and your appropriate preferences recorded. If we haven’t had to gain consent, you may still be able to exercise your right to object (see section ‘Your rights under GDPR’). Applicable legislation will be adhered to when it prohibits the processing of individual’s special category data, in the Netherlands, Germany and Spain for example.
All individual personal data is regarded as company confidential data and will be handled appropriately at all times. All Staff working for Hollis will have controlled role-based access to your personal data, but only on a strict ‘need-to-know’ basis, for the purposes described in this Privacy Notice. This list gives detail regarding the type of activity and what we process, why we process it and the lawful basis for us doing do.
|Processing Activity||Justification for Processing||Primary Lawful Processing Basis|
|Collecting personal data for new clients/3rd parties e.g. receiving a business card, exchanging details at events||We conclude that data has been given to Hollis in order to update you about our services and events||Legitimate Interest|
|Buying in mail lists||To offer our services and invite clients to events where there is a balanced business interest||Legitimate Interest|
|Responding to requests for work, quotes and tenders||Necessary in order to commence with a business prospect, processing would be expected by the client or 3rd party||Legitimate Interest /Contractual|
|Carrying out work related requests and activities in line with an existing contract/agreement||To carry out duties in line with contractual/agreement related obligations. To give relevant updates to clients/3rd parties and conduct billing activities.||Contractual|
|Adding or amending contact details in our management system||In order to keep records up to date, fulfil contractual obligations, carry out data cleansing activities||Legitimate Interest|
|Maintaining purchase history on client records||In order to continue offering relevant services, ensuring records are kept up to date||Legitimate Interest|
|Conduct marketing activities to prospective clients, invite clients to events and promote campaigns||To carry out marketing activities, inform clients of relevant services available, attend relevant events and give company and industry updates||Legitimate Interest /Consent|
|Conduct marketing activities to existing contacts, invite clients/3rd parties to events and promote campaigns||To carry out marketing activities, inform clients/3rd parties of relevant services available, attend relevant events and give company and industry updates||Legitimate Interest|
|Update attendance records for events||Assist with future marketing activities and identify which events are of interest to clients and 3rd parties||Legitimate Interest|
|Record responses to questionnaires||To maintain business relationships and monitor the quality and relevance of our services||Contractual / Legitimate Interest|
|Address any requests from clients or 3rd parties||To ensure clients/3rd parties receive the appropriate level of information requested.|
To identify trends linked to repeated issues and improve our service and relationship with contacts
|To address complaints from clients or 3rd parties||To comply with legal and regulatory requirements.|
To resolve situations where the contact is dissatisfied and assess any measures of redress where justified.
To identify trends linked to repeated issues and improve our service and relationship to clients and 3rd parties.
|Legal / Contractual|
What we mean by Marketing
- Using your personal information by way of contact details in order to inform you and your business about new services, events and conduct campaigns,
- Profiling your data in order for us to justify why we have previously processed your data and why we would continue to do so,
- To identify what type of marketing information we believe may be of use to you and what you may be interested in,
- We will only use your information for marketing purposes when we justify our reasons to be a lawful basis using either ‘legitimate interest’ or ‘consent’,
- We will only use your information for marketing purposes where you have not ‘opted out’ or otherwise indicated a preference not to hear from us,
- We may periodically ask you to review your preferences about how we contact you and will make it easy for you to change your mind.
GDPR and PECR – Electronic Marketing
The GDPR and Privacy and Electronic Communications Regulations (PECR) cross over when it comes to identifying a lawful basis of processing personal data. GDPR does not replace PECR, however, it may affect whether we use legitimate interest in order to continue contacting you, or will need to ask for consent. This means we will have to factor certain circumstances like whether you work within a corporate organisation or are perhaps a partnership or sole trader. We will also consider our approach depending on whether or not you have ever used our services in the past, if you have ever opted out of our marketing activities, we consider that contacting you may impact you in a negative way or that you may be likely to object.
Your Rights Under GDPR
Changes to the regulation mean that every individual whose personal data is processed now has more rights about how their information is used, and why.
Your rights include:
- Asking us to tell you what data we hold about you and requesting a copy. This is called a Subject Access Request. We will not charge for this unless a request is manifestly unfounded or excessive, particularly if it is repetitive, or if further copies are requested. We will have 1 month to comply with your request unless circumstances allow for an extension.
- Objecting to your personal information being processed. You may also ask us to delete it (known as ‘the right to be forgotten’) and we will consider all such requests. If there are legal reasons for us keeping your data despite your request, we will discuss this with you. These rights are not absolute rights and there may be reasons for retaining the data.
- Asking us to amend or stop using your information because it’s inaccurate, incomplete or you want to restrict how we process it.
- You have the right to be informed about the collection and use of your data.
- Asking us to move, copy or transfer your personal data easily from one IT environment to another, in a safe and secure way, without hindrance to usability when you have provided to us your personal information.
Please contact us if you wish to speak to us about this.
Consequences of not providing us with certain data
Providing Hollis with certain levels of personal data is the choice of the individual of which that data belongs. You may choose not to give us certain information we ask for, or ask us to delete or stop using information that we already hold on you, and this is your right to do so. However, we may have overriding interests or obligations concerning certain data and we must also highlight some possible consequences of us not be able to process certain data belonging to you.
- We may not be able to keep you informed about our new products and services or any relevant changes
- We may not be able to keep you up to date with industry or regulatory changes, news and market reports
- We may not be able to keep you informed around any upcoming events or invite you to our events, or as a guest to accompany us to 3rd party events
- We may not be able to fulfil our contractual obligations to you in order to provide our service
- We may not be able to continue using your products or services
- We may not be able to consider new business with you or arrange networking opportunities to benefit both you and us
If we have asked for your consent at any time and you now wish to withdraw it, please contact us and we will update our records accordingly.
Please remember that if you withdraw consent we may not be able to continue offering you our products and services, however, if this is the case we will discuss this with you.
If we are processing your data using the lawful processing basis of ‘legitimate interest’ you will not have given us ‘consent’ to process this data, however, you still have the right to object (see section ‘Your Rights Under GDPR‘).
If you have any questions please contact us.
How To Complain
If you are not happy about how we are processing, or have processed, your personal information, in line with the GDPR then you are able to raise a compliant with us or the relevant data protection regulator. Also, if you have instructed us around how to process your data in terms of your individual rights and you are not happy, please let us know.
How long we will keep your data for
Whilst you are still an active client of Hollis, we still have regular contact with you and you haven’t instructed us to delete your data, we will continue to retain your data in a secure environment.
We will retain, cleanse and delete you data in line with our Data Retention Policy, an extract is below:
|Document Type||Retention Period|
|Risk Assessments||3 years from last review date|
|Documents of External Origin||6 years|
|Emails and other electronic information||Relevant client or supplier related data – 6 years|
|Property documents such as leases and lease termination agreements||6 years after lease termination|
|Client/3rd party feedback/complaints||7 years|
|Client project related records||15 years|
Circumstances that will result in us keeping your data outside of these retention periods includes legal and regulatory reasons and those that are bound by applicable legislation.
Will Hollis make use of automated decision-making?
Automated decisions are defined as decision about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
As a rule, Hollis does not make use of the automated decision-making as described above. Hollis does not base its decision whether or not to hire you solely on automated processing of your personal data.
How we keep your data secure
Security of your personal data is vitally important to Hollis and we strive to maintain security in many ways:
- Testing and reviewing our systems, networks and locations that process data,
- Maintaining security policies and procedures which are tested and reviewed periodically,
- Ensuring employees are given the tools and training to handle data responsibly,
- Ensuring employees are under a statutory or contractual obligation of confidentiality,
- Controlling access to data across various levels including system and application access, physical access and 3rd party access, robust password management procedures,
- Access, at all levels, is role-based and only granted on a ‘need to know’ basis,
- Ensuring data is periodically cleansed, archived or deleted in line with policy,
- Hollis are certified to the Cyber Essentials standard and are working towards the ISO27001 certification,
- Employees undergo screening upon joining Hollis and training is mandatory for topics such as information security and data protection,
- Ensuring data is encrypted both in transit and at rest,
- Information assets are logged and equipped with up to date antivirus software,
- Data is regularly backed up and stored in a secure environment,
- Data breaches and security incidents are reported in line with policy and are followed up with analysis, risk assessments and corrective action where necessary.
In line with our security obligations we would also ask that you notify us of any changes to your data so we can keep our records as accurate as possible.
Transfers outside the EEA
We will only transfer personal data outside the EU subject to appropriate safeguards. These safeguards will usually consist of standard data protection clauses which we will adopt and implement with the relevant data processor or third party service provider; we will inform you in advance if other safeguards are to apply.
Data from 3rd parties we work with
We work with various industries and may receive your contact details as a referral in some cases by other businesses. We will only process your data when there is legal justification for doing so e.g. where we reasonably believe it is in within our balanced business interests. If that occurs, we will provide you information about the source of the personal information.
Parties we share data with
We may share your data with companies such as the following:
- Regulators and other authorities,
- Any party linked with you or your business’s product or service,
- Companies we have a joint venture or agreement to co-operate with, where appropriate to do so, such as contractors, sub-consultants and consultants,
- Companies who conduct requested credit checks on our behalf,
- Organisations that introduce you to us,
- Companies that we introduce you to, where appropriate to do so,
- Companies you ask us to share your data with,
- The Malcolm Hollis group of registered offices.
We will ensure that, where Hollis are the data processor or where both parties are a data controller, or joint data controller, under the GDPR when sharing your data with the above mentioned parties, we will enter into agreements/arrangements with you.
We also have to share information or data in order to:
- Meet any applicable law, regulation, legal process or enforceable governmental request,
- Meet our contractual clauses for the purpose of audit,
- Enforce applicable policies, including investigations,
- Detect, prevent, or otherwise address fraud, security or technical issues,
- Protect against harm to the rights, property or safety of our users, the public or to Hollis and/or as required or permitted by law.
Personal data may be collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our websites, subscribes to our service, or makes an enquiry.
Changes to our Privacy Notice
We may need to make changes to our policies and notices from time to time, where the processing of personal data is impacted, within the limitation set out by GDPR and the applicable data protection legislation. When we have made changes we will update the Privacy Notices on our website for you to read.
Our commercial Terms & Conditions have also been updated to comply with the GDPR and are available upon request.
Hollis contact details
If you have any questions, require further information or wish to complain, please contact us.
You can contact our Data Protection Officer
Phone: +44 20 7622 9555
If you wish to write to one of our offices, please follow this link: https://www.hollisglobal.com/contact-us/
Or post to: Battersea Studios, 80-82 Silverthorne Road, London. SW8 3HE
Data protection regulators (supervisory authorities)
UK (Lead Authority)
The Information Commissioner (ICO) is the UK regulator of the Data Protection Act 1998 and now the regulator for the GDPR.
Berliner Beauftragter für Datenschutz und Informationsfreiheit
Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD)
Republic of Ireland
Data Protection Commissioner
Dutch Data Protection Authority – Autoriteit Persoonsgegevens