Structure of this policy
This privacy policy is provided in a layered format so you can click through to the section which relates to the information that we collect about you below.
- IMPORTANT INFORMATION AND WHO WE ARE
- CATEGORIES OF DATA SUBJECTS
(A) INVESTORS
(B) VISITORS TO OUR WEBSITE
(C) BUSINESS CONTACTS
- DISCLOSURES OF YOUR PERSONAL DATA
- DATA RETENTION
- INTERNATIONAL TRANSFERS
- DATA SECURITY
- YOUR LEGAL RIGHTS
- CHANGES TO THIS PRIVACY NOTICE
- FURTHER INFORMATION
- IMPORTANT INFORMATION AND WHO WE ARE
The Company is committed to protecting the privacy and security of personal data which is entrusted to us.
This privacy policy aims to give you information on how the Company collects and processes your personal data as a controller of data supplied by shareholders and potential investors in connection with holdings and/or investing in the Company including through your use of this website, by signing up to our newsletter and/or by sending us correspondence and/or providing us with products and/or services.
In addition, it outlines your data protection rights under the EU data protection regime introduced by the General Data Protection Regulation (Regulation 2016/679) (the “GDPR“).
This website is not intended for children and we do not knowingly collect data relating to children.
Please contact Ediston Property Investment Company plc (registered number 09090446), Level 4 Dashwood House, Old Broad Street, London, EC2M 1QS if you have any queries in relation to the processing of your personal data under this policy.
The Company has appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data privacy manager on 0131 225 5599 or gregg.carswell@ediston.com.
- CATEGORIES OF DATA SUBJECTS
(A) INVESTORS
The following section of this policy sets out how the Company, as controller of personal data supplied by, and collected in relation to, shareholders and potential investors in the Company, will process such personal data.
The kind of information we hold about you
We may hold personal data about investors in the Company which is provided to us by you directly as a result of your holding and/or investment in the Company (by completing application forms, through our website, telephone calls and/or corresponding with us) or which is provided to us by third parties including the Company’s registrar, Computershare Investor Services PLC, the Company’s company secretary and administrator, JTC (UK) Limited, the Company’s AIFM, Ediston Investment Services Limited or the Company’s investment manager, Ediston Properties Limited. We may also process personal data about individuals that are connected with you as an investor (for example directors, trustees, representatives, beneficiaries, shareholders, investors, clients, beneficial owners or agents).
In connection with your holding and/or investment in the Company, we may collect, store, and use the following categories of personal information about you: contact details (including name, title, address, telephone number, personal email address), your date of birth, copies of passport, driving licences and utility bills, bank account details, your tax residency and details relating to your investment activity.
How we will use information about you
Your personal data may be processed by the Company or its sub-processors (or any of its affiliates, agents, delegates or sub-contractors) for the following purposes:
- to provide you with information on the Company (including performance updates), which is being carried out to pursue the Company’s legitimate interests;
- to allow us to administer and manage your holding in the Company (including the payment of dividends) as necessary for the Company to comply with applicable laws and/or in its legitimate interest;
- to update and maintain records for the Company, including maintaining statutory registers, as necessary to comply with the Company’s legal obligations;
- to carry out anti-money laundering checks and other actions in an attempt to detect, prevent, investigate and prosecute fraud and crime, which the Company considers necessary for compliance with the Company’s legal obligations, for the performance of a task being carried out in the public interest and/ or to pursue the Company’s legitimate interests (including for the prevention of fraud, money laundering, sanctions, terrorist financing, bribery, corruption and tax evasion);
- to prepare tax related information in order to report to tax authorities in compliance with a legal obligation to which the Company is subject;
- to scan and monitor emails sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and
- such other actions as are necessary to manage the activities and/or to comply with the legal obligations of the Company, including by processing instructions, monitoring and recording electronic communications (including telephone calls and emails) as required by any sub-processors regulatory body and enforcing or defending the rights and/or interests of the Company, in order to comply with the Company’s legal obligations and/or to pursue the Company’s legitimate interests.
Basis on which we process your data
Where such processing is being carried out on the basis that it is necessary to pursue the Company’s legitimate interests, such legitimate interests are not overridden by your interests, fundamental rights or freedoms. Such processing may include the use of your personal data for the purposes of sending you electronic marketing communication, in relation to which you can at any time unsubscribe by following the instructions contained in each marketing communication.
The Company does not anticipate being required to obtain your consent for the processing of your personal data as listed above. If the Company wishes to use your personal data for other purposes which do require your consent, the Company will contact you to request this.
(B) VISITORS TO OUR WEBSITE
The following section of this policy sets out how the Company may process personal data (as a controller) about visitors to its website. We would also note that our website uses cookies to distinguish you from other users of our website. For detailed information on the cookies we use and the purposes for which we use them please refer to our Cookies Policy, available at www.ediston-reit.com.
The kind of information we hold about you
We may collect, use, store and transfer different kinds of personal data about you which you provide to us though our website: name, date of birth, address, email address, telephone numbers, technical data (including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website, usage data (including information about how you use our website, products and services, and marketing and communications preferences (including your preferences in receiving marketing from us and your communication preferences).
We do not collect any sensitive personal data or special categories of personal data about you through our website (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How we collect your data
We use different methods to collect data from and about you including through:
- direct interactions with you, including by filling in forms. This includes personal data you provide when you subscribe to our publications and/or request marketing to be sent to you;
- automated technologies or interactions. As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies; and
- technical data from the following parties:
- analytics providers such as Google based outside the EU; and
- search information providers such as Google based inside or outside the EU.
How we will use information about you
Your personal data may be processed by the Company or its sub-processors (or any of its affiliates, agents, delegates or sub-contractors) for the following purposes:
- to send you updates on the performance of the Company, newsletters, invitations to events and other electronic marketing communications which we will do (a) on the basis of our legitimate interests (such as if you are an investor in the Company); or (b) with your consent;
- to use data analytics to improve our website, marketing and customer experiences on the basis of our legitimate interests;
- to comply with legal or regulatory requirements;
- to scan and monitor emails sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and
- such other actions as are necessary to manage the activities of the Company, including by processing instructions, monitoring and recording electronic communications (including telephone calls and emails) as required by any sub-processors regulatory body and enforcing or defending the rights and/or interests of the Company, in order to comply with its legal obligations and/or to pursue its legitimate interests.
We will use your personal data in the following circumstances: where it is necessary for our legitimate interests, or those of a third party (including in relation to the sending of electronic marketing communications) and where your interests and fundamental rights are not overridden by those interests, or where we need to comply with a legal or regulatory obligation.
If we consider it necessary to obtain your consent in relation to the use of your personal data (such as for sending emails to individuals that have not invested in the Company) we will contact you to request this consent. In such circumstances, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processes based on consent before its withdrawal. To withdraw your consent or to opt out of receiving marketing communication, please contact us at gregg.carswell@ediston.com or follow the unsubscribe instructions included in each electronic marketing communication. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Links to websites
Where the website provides links to other websites, the Company is not responsible for the data protection/privacy/cookie usage policies of such other websites, and you should check these policies on such other websites if you have any concerns about them. If you use one of these links to leave our website, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting a linked website and such websites are not governed by this policy. You should always exercise caution and review the privacy policy applicable to the website in question.
(C) BUSINESS CONTACTS
The following section of this policy sets out how the Company may process personal data (as a controller) about its business contacts and (current, previous and/or potential) service providers and employees of service providers) and data subjects that have provided a business card to, or have corresponded with, the Company, and analysts, journalists and other interested parties who have requested further information on the Company and who have provided their contact and personal details.
The kind of information we hold about you
We may collect, use, store and transfer different kinds of personal data about you which you provide to us including: name, date of birth, address, email address, telephone numbers, place of work, job title and national identification number.
We do not collect any sensitive personal data or special categories of personal data about you through our website (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How we will use information about you
We will use your personal data in the following circumstances: where it is necessary for our legitimate interests, or those of a third party, (including in relation to the sending of electronic marketing communications) and where your interests and fundamental rights are not overridden or where we need to comply with a legal or regulatory obligation.
Your personal data may be processed by the Company or its sub-processors (or any of its affiliates, agents, delegates or sub-contractors) for the following purposes:
- to hold your personal data on our system and to contact you on the basis of the legitimate interests of the Company (including in connection with using the services that you provide);
- in respect of suppliers, to allow us to process payments and orders in respect of any goods and services provided;
- to send you updates on the performance of the Company, newsletters, invitations to events and other electronic marketing communications which we will do (a) on the basis of our legitimate interests if you are a business contact of the Company; or (b) with your consent;
- to comply with legal or regulatory requirements;
- to scan and monitor emails sent to us (including attachments) for viruses or malicious software, to process and encrypt personal data to protect and manage email traffic, and to store personal data on our systems to pursue our legitimate interests including for document retention purposes; and
- such other actions as are necessary to manage the activities of the Company, including by processing instructions, monitoring and recording electronic communications (including telephone calls and emails) as required by any sub-processors regulatory body and enforcing or defending the rights or interests of the Company, in order to comply with its legal obligations and/or to pursue its legitimate interests.
Basis on which we process your data and right to withdraw consent
If we consider it necessary to obtain your consent in relation to the use your personal data (such as for sending emails to individuals that have not invested in the Company), we will contact you to request this consent. In such circumstances, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processes based on consent before its withdrawal. To withdraw your consent or to opt out of receiving marketing communication, please contact us at rankin.laing@ediston.com or follow the unsubscribe instructions included in each electronic marketing communication. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Where such processing is being carried out on the basis that it is necessary to pursue the Company’s legitimate interests, such legitimate interests do not override your interests, fundamental rights or freedoms. Such processing may include the use of your personal data for the purposes of sending you electronic marketing communication, in relation to which you can at any time unsubscribe by following the instructions contained in each marketing communication.
- DISCLOSURES OF YOUR PERSONAL DATA
We will not disclose personal information we hold about you to any third party except as set out below.
We may disclose your personal data to other members of our group, to the board of the Company, to the company secretary, to third parties who are providing services to us, including IT service providers, event management, PR and marketing service providers, processors of the Company (including printers, registrars, administrators, investment managers, proxy service companies), depositaries, auditors, tax advisers, telephone service providers, document storage providers, backup and disaster recovery service providers.
We may also disclose personal data we hold to third parties:
- in the event that we sell any business or assets, in which case we may disclose personal data we hold about you to the prospective and actual buyer of such business or assets; and/or
- if we are permitted by law to disclose your personal data to that third party or are under a legal obligation to disclose your personal data to that third party.
- DATA RETENTION
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
- INTERNATIONAL TRANSFERS
We do not transfer your personal data outside the European Economic Area (EEA) however some of the external service providers and sub-processors used by us may do so and therefore their processing of your personal data may involve a transfer of data outside the EEA.
Whenever your personal data is transferred out of the EEA by us or our sub-processors, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;
- where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; or
- where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used when transferring your personal data out of the EEA.
- DATA SECURITY
The Company has put in place measures to ensure the security of the personal data it collects and stores about you. It will use its reasonable endeavours to protect your personal data from unauthorised disclosure and/or access, including through the use of network and database security measures, but it cannot guarantee the security of any data it collects and stores.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- YOUR LEGAL RIGHTS
In certain circumstances, by law you have the right to:
- request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
- request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
- object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes;
- request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
- request the transfer of your personal information to another party; and
- withdraw your consent. If we are processing your personal data on the basis of your consent, you have the right to withdraw such consent at any time. Withdrawing your consent will not affect the lawfulness of processes based on consent before its withdrawal. To withdraw your consent or to opt out of receiving marketing communication, please contact us at gregg.carswell@ediston.com or following the unsubscribe instructions included in each electronic marketing communication. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
If you wish to exercise any of the rights set out above, please contact the data privacy manager at 1 St. Andrew Square, Edinburgh, EH2 2BD in writing.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
- CHANGES TO THIS PRIVACY NOTICE
We may update this privacy notice from time to time, and will communicate such updates through our website. We may also notify you from time to time about the processing of your data.
- FURTHER INFORMATION
If you have any queries about this policy or your personal data, or you wish to submit an access request or raise a complaint about the way your personal data has been handled, please do so in writing and address this to the data privacy manager at Ediston Property Investment Company plc, 1 St. Andrew Square, Edinburgh, EH2 2BD or by email to gregg.carswell@ediston.com.
Ediston Property Investment Company plc is a public limited company registered in England and Wales (registered number 09090446) and its registered office address is Level 4 Dashwood House, 69 Old Broad Street, London, EC2M 1QS. It has its principal place of business at 1 St. Andrew Square, Edinburgh, EH2 2BD.
© 2018 Ediston Property Investment Company plc. All rights reserved.
Data Protection and Privacy Policy
Last updated 24 May 2018