Last Updated: February 3, 2022
This Privacy Notice describes how CBRE, Inc. and its subsidiaries and affiliates in the Americas (“CBRE”, “we”, “us”, our”) collects, shares, uses, and otherwise processes your personal data in connection with your visit to one of our offices in the Americas. It also explains how you can exercise your privacy rights in connection with the data we hold about you.
QUESTIONS REGARDING OUR PRIVACY PRACTICES
If you have any questions about this Privacy Notice or the processing of your personal data, please contact [email protected]. We have also appointed a Data Protection Officer in Brazil, who may be reached at [email protected].
We may update this Privacy Notice from time to time.
HOW PERSONAL DATA IS DEFINED
“Personal data” means information that identifies, relates to, describes, is capable of being associated with, could be used to contact or locate, or could reasonably be linked, directly or indirectly, with a particular individual or, in the case of California residents, with their household. “Personal data” does not include information publicly and lawfully made available in government records, deidentified or aggregate information about individuals or, in the case of California residents, their households. In Canada, “personal data” does not include business contact information, such as your name, company, job title, or company email address.
PERSONAL DATA WE COLLECT AND WHY
CBRE collects and processes the following categories of personal data for the following purposes in connection with visitors to our offices in the Americas.
- Your business contact information, being your name, your company name and your email address. We use this information for the purpose of logging your visit to our office for safety and security, and we will retain it for two years. In Brazil, we do this on the basis of our legitimate business interests.
- Moving images of you for the purpose of ensuring safety and security at our office and for process/alarm confirmation (for example, to confirm whether alarms are functioning), and will retain it for 30 days. In Brazil, we do this on the basis of our legitimate business interests.
- Your certification of COVID-19 status, including: (1) your vaccination status, (2) whether you have a fever or are experiencing any other symptoms of COVID-19; (3) (4) have not tested positive for COVID-19, (5) have not had close contact with a person who has tested positive for COVID-19 or displayed symptoms, (6) have not recently traveled, (7) are not under direction to quarantine, (8) are not restricted from working on site due to applicable government orders, and (9) are in compliance with any safety requirements established by your employer. CBRE will not collect, record or store visitors’ vaccination cards. We use this information to ensure the safety of CBRE employees and will retain it for the minimum period necessary to fulfill this purpose. In Canada and Brazil, we do this on the basis of your express consent.
HOW WE SHARE YOUR PERSONAL DATA
Where necessary to fulfill the purposes described in this Privacy Notice, CBRE may disclose your personal data to:
- Subsidiaries and Affiliated Entities
We share data with subsidiaries and affiliated entities as necessary to ensure building or office safety.
- Service providers
We store your data with a third-party service provider.
CBRE may, only as strictly required, also disclose your Personal Information to the following third parties:
- Any competent law enforcement body, regulatory or government agency, court or other third party (such as an insurer) where we believe disclosure is necessary to comply with applicable law or regulation.
- To a third party to exercise, establish or defend our legal rights or the rights of our employees or for the administration of justice, or to protect the vital interests of you or any other person.
- Legally Affiliated Entities: If CBRE is merged with another organization, or in the event of a transfer of our assets or operations, CBRE may disclose or transfer your personal data in connection with such transaction.
HOW CBRE WILL SECURE YOUR PERSONAL DATA
We use appropriate technical and organizational security measures to safeguard the personal data we collect and process about you from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. These security measures are designed to provide a level of security appropriate to the risk. We also have a process to address and remediate any suspected personal data breach and will notify you and any applicable regulator in the event of a breach where we are legally required to do so.
INTERNATIONAL DATA TRANSFERS
For the purposes stated above, your personal data is stored by our service providers in the United States and other countries which may be other than your own. Where we transfer data across borders, we put in place appropriate safeguards as required by law to protect your personal data.
If you have any questions about our international data transfers, please contact our Americas Director of Data Privacy at [email protected].
YOUR PRIVACY RIGHTS
The privacy laws in many countries grant you certain rights concerning your personal data. CBRE honors requests to exercise rights granted to you by applicable law.
Subject to applicable law, you may request (i) access to and a copy of your personal data; (ii) correction of your personal data if incomplete or inaccurate.
You may do so by making a request on CBRE’s Data Subject Rights Portal, https://dsr.cbre.com, or by submitting your request to [email protected].We will comply with your request to the extent required by applicable law.
We respect the rights that you have under the laws of your country, which may include some or all the following:
- The right to confirm that we process your data
- The right to request access to your data
- The right to request a copy of your data in a portable format
- The right to request correction of data we hold about you
- The right to request that we delete or anonymize data that is unnecessary, excessive, or unlawfully processed
- The right to revoke your consent
- The right to refuse to provide your data or to object to its processing, and information on the consequences of doing so
- The right to request information on third parties with whom we have shared your data
If so, you may do so by making a request on CBRE’s Data Subject Rights Portal, https://dsr.cbre.com, or by submitting your request to [email protected]. If we do not respond to your satisfaction, you may also have the right to lodge a complaint with a supervisory authority. Information on privacy laws and supervisory authorities around the world is available from the French Commission Nationale de l'Informatique et des Libertés at https://www.cnil.fr/en/data-protection-around-the-world.