Privacy notice

Privacy notice for clients and suppliers

As part of our obligations under the UK and EU General Data Protection Regulations (GDPR), we’ve published this Privacy Notice to make it easier for you to find out how we use and protect your information and information about individuals who are connected to your business.

This Privacy Notice is to let you know how Hollis may store and process your personal information. This includes what you tell us about yourself, what we learn by having you as a client or working with you as a service provider, and the preferences you make about what type of marketing you want us to send you. This Privacy Notice explains how we do this and tells you about your privacy rights and how the law protects you where we process your personal data.

This Notice will provide you with information such as:

              • The types of information Hollis collects about you and individuals connected to your business, and how we use it.
              • The legal grounds for how we use personal information.
              • The rights which individuals have in relation to the information we hold about them.
              • How we keep information secure.

Registered offices

Hollis Global Limited and its wholly owned subsidiary companies together referred to as the Hollis Group and trading as ‘Hollis’, (Data Controller) with registered offices below, needs to collect and process information about individuals including clients, suppliers and other business contacts in order to conduct its business.

              • Hollis Global Limited, Battersea Studios, 80-82 Silverthorne Road, London SW8 3HE, United Kingdom
              • Malcolm Hollis Limited c/o Smith & Williamson Freaney, Paramount Court, Corrig Road, Sandyford Business Park, Dublin 18
              • Malcolm Hollis S.L.U. Calle José Lázaro Galdiano nº 4, 2d plta, 28036 Madrid
              • Malcolm Hollis B.V., SPACES ZUIDAS, Barbara Strozzilaan 101-201, Amsterdam, 1083HN
              • Malcolm Hollis GmbH, Kurfürstendamm 195 3rd Floor, 10707, Berlin

Each legal entity listed above may store and process personal data and is a separate Data Controller where personal data is collected. All offices process personal data, and you can identify your local country office as your Data Controller from the list above. Hollis manages its obligations in relation to data protection on a group-wide basis, so all queries, regardless of the Data Controller, can be addressed to the same contact as detailed below.

Our privacy promise

We promise:

              • To keep your data safe and private,
              • Not to sell your data,
              • To give you ways to manage and review your marketing choices at any time.

This Privacy Notice sets out most of your rights regarding personal data.

We will process all personal data in accordance with the following principles:

  1. all personal data will be processed lawfully, fairly and in a transparent manner,
  2. all personal data will be collected for one or more specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes,
  3. all personal data collected will be restricted to what is adequate, relevant and limited for those purposes,
  4. all personal data will be kept accurate and up to date (and reasonable steps will be taken to erase or rectify inaccurate personal data),
  5. all personal data will be kept for no longer than is necessary for those purposes,
  6. all personal data will be protected by appropriate technical and organisational security measures to prevent unauthorised or unlawful processing and accidental loss, destruction or damage.

Hollis as the data controller will be responsible for compliance with these principles at all times.

Who does this Privacy Notice relate to?

This Privacy Notice relates to all Hollis clients and potential clients, who are a business (and individuals associated with them) or individuals, all 3rd party businesses and individuals who work with Hollis to provide a service, who may be a supplier, contractor, sub-contractor or referrer of business for example, as well as any visitors to Hollis’ offices or other sites.

Individuals connected to your business

When providing you with our services we will collect information on individuals connected to your business. This information may be collected from you or other independent sources. All relevant individuals will have access to this Privacy Notice and if you, or anyone else on your behalf, has provided or provides personal information to us about an individual connected to your business, you or they must first ensure that you or they have the authority to do so, and that you have provided access to this Privacy Notice to ensure that they are informed.

Which products and services does the Privacy Notice relate to?

The notice applies to all products and services offered and provided by Hollis. A table setting out the information collected and processed by Hollis and the basis under which we do so is included at the end of this policy.

What type of personal information does the Privacy Notice relate to?

Hollis will only request details that are genuinely required in order to provide information or services that you have requested, or to comply with our contractual or legal obligations in relation to you or the services that we provide, or for the purposes of maintaining a balanced, genuine business relationship between you and us (including making contact with you on an unsolicited basis where you have not requested that we do not do so, provided that such activity is in compliance with applicable laws in the country in which you are located).

Across all of the Hollis offices there may be other restrictions on data processing or additional data protection legislation that we must adhere to alongside the GDPR. Hollis will comply with all applicable legislation relating to the collection, retention or processing of personal, or other, data in the jurisdictions in which it operates and where required will make you aware of the requirements that apply.

We will only collect and process data when this is permissible in line with applicable law and depending on the purpose the data is being used for, the type and sensitivity of the data that is being collected.

Given the varied nature of local law, it isn’t possible to list all circumstances and exceptions applicable to the collection of personal data. However, depending on the reasons you are working with us, the personal data we collect, process and retain may include (unless prohibited by local law):

              • Name,
              • Business contact details including mobile/landline numbers, email address and business address,
              • Role title, position and responsibility details,
              • Additional information around the nature of your role, this may include qualifications and experience that you wish to tell us about,
              • Sex/gender,
              • Photographs taken at events,
              • CCTV footage if you attend our premises
              • Hobbies and interests where relevant for marketing purposes,
              • Personal preferences including dietary requirements, personal details linked to an event (e.g. shoe size for a bowling evening), details around physical ability (e.g. ability to swim for a sailing event), or travel preferences (this list is not exhaustive, however, only appropriate types of data will be collected depending on the processing activity),
              • Open data / public records which includes data that you have made freely available in a public domain such as via social media or publications and news articles,
              • Permissions – so we can record how you would like to receive information from us, or if you would prefer not to,
              • Extra information that you choose to tell us.

Personal data will be collected, stored and processed for the following purposes:

              • In order to provide commercial real estate consultancy service to our Clients,
              • In order to comply with applicable legislation and statutory requirements for the prevention of money laundering,
              • In order to maintain adequate accounting and financial records and to invoice the Client as and when appropriate,
              • To carry out HR activities using employee data such as screening, job applications etc.,
              • To carry out research activities, such as customer satisfaction surveys, or to establish market behaviour or trends,
              • To provide you with marketing and other information about us (or other members of the Hollis Group) and other goods and services we offer and to allow the company to invite you and/or Contact Persons to any events organised alone or jointly by us (or other members of the Hollis Group),
              • To obtain credit checks and or references in relation to the Client, if necessary and not prohibited by applicable legislation,
              • In order to be provided with the services of a 3rd party,
              • To allow Hollis to invite the Client, 3rd Party and/or Contact Persons to any events organised alone or jointly by Hollis,
              • To carry out any other activities that may be ancillary or related to the above. (For marketing, advertising, or research purposes contact by email and text message),
              • To make such Personal Data available to third parties who provide products or services to us or other members of the Hollis Group (but only to the extent necessary for the provision of such services and where Hollis would be able to process similar data in this manner) and/or to potential purchasers of Hollis Group.

Lawful processing basis – definitions

Under the GDPR, we must justify a lawful basis for processing your personal data. The most common bases are explained below:

              • Legitimate interest – using people’s data in ways they would reasonably expect in the context of our business, and which have a minimal privacy impact, or where there is a compelling justification for the processing which outweighs the potential privacy interests of the data subject.
              • Contractual – where we need to fulfil our contractual or agreement obligations to you, or you have asked us to do something before entering into a contract (e.g. provide a quote).
              • Consent – asking individuals to ‘opt-in’ as a preference to sign up to a newsletter or networking event, for example. Where consent is not a lawful processing basis, it will not be relied on.
              • Legal / Statutory obligation – using your data because we have a statutory duty to do so, e.g. retaining invoices based on tax legislation.

Reasons for processing your personal data

All individual personal data is regarded as company confidential data and will be handled appropriately at all times. All staff working for Hollis will have controlled role-based access to your personal data, but only on a strict ‘need-to-know’ basis, for the purposes described in this Privacy Notice. This list gives detail regarding the type of activity and what we process, why we process it and the lawful basis for us doing so.

| Processing Activity | Justification for Processing | Primary Lawful Processing Basis |
|---|---|---|
| Collecting personal data for new clients/3rd parties e.g. receiving a business card, exchanging details at events | We conclude that data has been given to Hollis in order to update you about our services and events | Legitimate Interest |
| Buying in mail lists | To offer our services and invite clients to events where there is a balanced business interest (and providing such activity is permitted under local law) | Legitimate Interest |
| Responding to requests for work, quotes and tenders | Necessary in order to commence with a business prospect, processing would be expected by the client or 3rd party | Legitimate Interest / Contractual |
| Carrying out work related requests and activities in line with an existing contract/agreement | To carry out duties in line with contractual/agreement related obligations. To give relevant updates to clients/3rd parties and conduct billing activities. | Contractual |
| Adding or amending contact details in our management system | In order to keep records up to date, fulfil contractual obligations, carry out data cleansing activities | Legitimate Interest / Legal Obligation |
| Maintaining purchase history on client records | In order to continue offering relevant services, ensuring records are kept up to date | Legitimate Interest |
| Conduct marketing activities to prospective clients, invite clients to events and promote campaigns | To carry out marketing activities, inform clients of relevant services available, attend relevant events and give company and industry updates | Legitimate Interest / Consent |
| Conduct marketing activities to existing contacts, invite clients/3rd parties to events and promote campaigns | To carry out marketing activities, inform clients/3rd parties of relevant services available, attend relevant events and give company and industry updates | Legitimate Interest / Consent |
| Update attendance records for events | Assist with future marketing activities and identify which events are of interest to clients and 3rd parties | Legitimate Interest |
| Record responses to questionnaires | To maintain business relationships and monitor the quality and relevance of our services | Contractual / Legitimate Interest |
| Address any requests from clients or 3rd parties | To ensure clients/3rd parties receive the appropriate level of information requested. To identify trends linked to repeated issues and improve our service and relationship with contacts | Legitimate Interest |
| To address complaints from clients or 3rd parties | To comply with legal and regulatory requirements. To resolve situations where the contact is dissatisfied and assess any measures of redress where justified. To identify trends linked to repeated issues and improve our service and relationship to clients and 3rd parties. | Legal / Contractual / Legitimate Interest |


What we mean by marketing

              • Using your personal information by way of contact details in order to inform you and your business about new services, events and conduct campaigns,
              • Profiling your data in order for us to justify why we have previously processed your data and why we would continue to do so,
              • To identify what type of marketing information we believe may be of use to you and what you may be interested in,
              • We will only use your information for marketing purposes when we justify our reasons to be a lawful basis using either ‘legitimate interest’ or ‘consent’,
              • We will only use your information for marketing purposes in accordance with applicable law and where you have not indicated a preference not to hear from us,
              • We may periodically ask you to review your preferences about how we contact you and will make it easy for you to change your mind.

Your rights under GDPR

Your rights include:

              • Asking us to tell you what data we hold about you and requesting a copy. This is called a Subject Access Request. We will not charge for this unless a request is manifestly unfounded or excessive, particularly if it is repetitive, or if further copies are requested. We will have 1 month to comply with your request unless circumstances allow for an extension.
              • Objecting to your personal information being processed. You may also ask us to delete it (known as ‘the right to be forgotten’) and we will consider all such requests. If there are legal reasons for us keeping your data despite your request, we will notify you of this. These rights are not absolute rights and there may be reasons for retaining the data.
              • Asking us to amend or stop using your information because it’s inaccurate, incomplete or you want to restrict how we process it.
              • You have the right to be informed about the collection and use of your data.
              • Asking us to move, copy or transfer your personal data easily from one IT environment to another, in a safe and secure way, without hindrance to usability when you have provided to us your personal information.

Please contact us using the contact details below if you wish to speak to us about this or want to exercise any of these rights.

Consequences of not providing us with certain data

Providing Hollis with certain levels of personal data is the choice of the individual to whom that data belongs. You may choose not to give us certain information we ask for, or ask us to delete or stop using information that we already hold on you, and this is your right to do so. However, we may have overriding interests or obligations concerning certain data and we must also highlight some possible consequences of us not being able to process certain data belonging to you.

              • We may not be able to keep you informed about our new products and services or any relevant changes
              • We may not be able to keep you up to date with industry or regulatory changes, news and market reports
              • We may not be able to keep you informed around any upcoming events or invite you to our events, or as a guest to accompany us to 3rd party events
              • We may not be able to fulfil our contractual obligations to you in order to provide our service.
              • We may not be able to continue using your products or services
              • We may not be able to consider new business with you or arrange networking opportunities to benefit both you and us

Withdrawing consent

If we have asked for your consent at any time and you now wish to withdraw it, please contact us and we will update our records accordingly.

Some of our services are dependent on the use of Personal Data. If you withdraw your consent to use this data we may no longer be able to continue to provide certain products and services, however, if this is the case we will discuss this with you.

If we are processing your data using the lawful processing basis of ‘legitimate interest’ you will not have given us ‘consent’ to process this data, however, you still have the right to object (see section ‘Your Rights Under GDPR’).

If you have any questions please contact us.

How to complain

If you are not happy about how we are processing, or have processed, your personal information, in line with the EU and UK GDPR then you are able to raise a complaint with us or the relevant data protection regulator. Also, if you have instructed us around how to process your data in terms of your individual rights and you are not happy, please let us know.

How long we will keep your data for

Whilst you are still an active client of Hollis, we still have regular contact with you and you haven’t instructed us to delete your data, we will continue to retain your data in a secure environment.

We will retain, cleanse and delete your personal data in line with our Data Retention Policy. This policy defines retention requirements based on the nature and function of the document rather than the type of personal information that it contains, but all documents detailed below may require the inclusion of some personal data.

| Document Type | Retention Period |
|---|---|
| Risk Assessments | 3 years from last review date |
| Documents of External Origin | 6 years |
| Emails and other electronic information | Relevant client or supplier related data – 6 years |
| Property documents such as leases and lease termination agreements | 6 years after lease termination |
| Client/3rd party feedback/complaints | 7 years |
| Invoices | 7 years |
| Client project related records | 15 years |


Unless the circumstances so require, your personal data will be deleted at the end of the retention period, at which time your rights may be limited as Hollis will no longer have your personal data. Circumstances that will result in us keeping your data outside of these retention periods include legal and regulatory requirements and other commercial reasons (including ongoing contractual disputes).

Will Hollis make use of automated decision-making?

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.

As a rule, Hollis does not make use of the automated decision-making as described above. Hollis does not base its decision whether or not to hire you solely on automated processing of your personal data.

How we keep your data secure

Security of your personal data is vitally important to Hollis and we strive to maintain security in many ways:

              • Testing and reviewing our systems, networks and locations that process data,
              • Maintaining security policies and procedures which are tested and reviewed periodically,
              • Ensuring employees are given the tools and training to handle data responsibly,
              • Ensuring employees are under a statutory or contractual obligation of confidentiality,
              • Controlling access to data across various levels including system and application access, physical access and 3rd party access, robust password management procedures,
              • Access, at all levels, is role-based and only granted on a ‘need to know’ basis,
              • Ensuring data is periodically cleansed, archived or deleted in line with policy,
              • Employees undergo screening upon joining Hollis and training is mandatory for topics such as information security and data protection,
              • Ensuring data is encrypted both in transit and at rest,
              • Information assets are logged and equipped with up to date antivirus software,
              • Data is regularly backed up and stored in a secure environment,
              • Data breaches and security incidents are reported in line with policy and are followed up with analysis, risk assessments and corrective action where necessary.

In line with our security obligations we would also ask that you notify us of any changes to your data so we can keep our records as accurate as possible.

Transfers outside the UK or EEA

We will only transfer personal data outside the EEA (including to the UK) subject to appropriate data transfer mechanisms that include adequate safeguards. These international transfers may be permitted because the EU has determined that the non-EEA country has adequate data protection laws such that a similar level of protection exists in that country as is in place under EU law (the EU has already made such a determination in respect of data transfers to the UK). Alternatively, it may take the form of a contract containing a set of standard data protection clauses which we will adopt and implement with the relevant data processor or third party service provider. We will inform you in advance if other safeguards are to apply.

We will only transfer personal data outside the UK subject to appropriate safeguards. These safeguards may arise because the UK has determined that the other country has adequate data protection laws such that a similar level of protection exists in that country as is in place under UK law (the UK has already made such a determination in respect of transfers of personal data to the EEA) or it may take the form of a contract containing a set of standard data protection clauses which we will adopt and implement with the relevant data processor or third party service provider. We will inform you in advance if other safeguards are to apply.

Data from 3rd parties we work with

We work with various industries and may receive your contact details as a referral in some cases by other businesses. We will only process your data when there is legal justification for doing so, such as where we reasonably believe it is within our balanced business interests. If that occurs, we will provide you information about the source of the personal information.

Parties we share data with

We may share your data with companies such as the following:

              • Regulators and other government authorities or law enforcement agencies,
              • Any party linked with you or your business’s product or service,
              • Companies we have a joint venture or agreement to co-operate with, where appropriate to do so,
              • Parties providing services to Hollis (whether working on a matter for your benefit or otherwise) such as contractors, sub-consultants and consultants,
              • Our external advisors, such as auditors, accountants or lawyers where they are under a duty of confidentiality,
              • Banks and Insurers where such disclosure is necessary
              • Companies who conduct requested credit checks on our behalf,
              • Organisations that introduce you to us,
              • Companies that we introduce you to, where appropriate to do so,
              • Companies you ask us to share your data with,
              • Any entity in Hollis Group of companies as detailed above.

Where we share your personal data with the parties above we will ensure that your personal data is subject to controls at least as stringent as those that apply to Hollis when it collects, processes or stores your personal data.

We also have to share information or data in order to:

              • Comply with any applicable law, regulation, legal process or enforceable governmental request,
              • Meet our contractual obligations for the purpose of legally required audits,
              • Enforce our policies, including investigations into potential violations of those policies,
              • Detect, prevent, or otherwise address fraud, security or technical issues,
              • Protect against harm to the rights, property or safety of our users, the public or to Hollis and/or as required or permitted by law.

Use of Cookies

Personal data may be collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our websites, subscribes to our service, or makes an enquiry.

For more information, please visit our Cookie Policy available on our website.

Changes to our Privacy Notice

We may need to make changes to our policies and notices from time to time, where the processing of personal data is impacted, within the limitation set out by GDPR and the applicable data protection legislation. When we have made changes we will update the Privacy Notice on our website for you to read.

Hollis contact details

If you have any questions, require further information or wish to complain, please contact us.

You can contact Hollis directly using the details on our website or contact our Data Protection Officer


Phone:  +44 20 7622 9555

If you wish to write to one of our offices, please follow this link:

Or post to: Battersea Studios, 80-82 Silverthorne Road, London. SW8 3HE

Data protection regulators (supervisory authorities)

UK (Lead Authority)

The Information Commissioner (ICO) is the UK regulator of the Data Protection Act 2018 and now the regulator for the UK GDPR.


Berliner Beauftragter für Datenschutz und Informationsfreiheit


Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD)

Republic of Ireland

Data Protection Commissioner


Dutch Data Protection Authority – Autoriteit Persoonsgegevens