Global CBRE Social Share Platform Privacy Privacy Notice
Last Updated: 14 April 2023
Last Reviewed:14 April 2023
This Global CBRE Social Share Platform Privacy Notice (“Notice”) is issued by CBRE, Inc. and its wholly-owned subsidiaries (“CBRE Group”) to assist you in understanding our data collection and handling practices when you use the CBRE Social Share Platform (the “Platform”) to post CBRE-curated content to any social media account(s) you link to the Platform.
This Notice is also intended to assist you in making informed decisions and exercising your data privacy rights under applicable law.
Whenever this Notice refers to “CBRE”, “we”, “us” or “our”, it refers to the applicable responsible CBRE Group entity/ies defined in Appendix 1 below. Our data collection and handling practices relating to personal data of employees, contractors, and similarly employed individuals of CBRE are further described in our Employee Privacy Notices, which are available (as applicable) on CBRE’s employee Intranet.
TABLE OF CONTENTS
SUMMARY of key information
| SCOPE | This Notice applies to the personal information relating to your use of the Platform to post CBRE content to your social media account(s). |
| responsible ENTITY / DATA CONTROLLER | CBRE Inc. is the Data Controller/Responsible Entity with respect to Personal Information processed in accordance with this Notice. Please find information on how to identify your applicable responsible CBRE entity (or entities) in Appendix 1. See details below in Information about the Responsible CBRE Entity / Data Controller. |
| PERSONAL INFORMATion we collect / SourceS | We collect information about the content you post to your connected social media account(s), including information about engagement with your posts (the number of views, comments, likes and re-shares). We collect this data from the Platform. See details below in Personal Information We Collect and Sources. |
| use of your personal INFORMATion and Legal Bases | We use your Personal Information to assess the effectiveness and impact of CBRE marketing and promotional materials as part of CBRE’s ongoing efforts to improve the efficacy of our marketing activities and drive engagement with CBRE as a business. See details below in Use of Personal Data. |
| data SHARING | We may share Personal Information processed in accordance with this Notice with other CBRE Group Entities as may be appropriate or necessary in relation to the stated purposes for processing your Personal Information in this Notice, and with third-parties, including vendors who license the Platform for CBRE’s use, and as may be required by applicable law or regulation. See details below in Sharing of Personal Data. |
| DATA RETENTION | We retain the personal information we collect about you for as long as necessary for the purpose for which that information was collected or as otherwise legally required. See details below in Retention of Personal Data. |
| DATA SECURITY | We implement appropriate technical and organizational security measures to safeguard the personal information we collect and process about you against loss and unauthorized alteration or disclosure. See details below in How We Secure Your Personal Information. |
| INTERNATIONAL DATA TRANSFERS | We may share your personal information with other CBRE entities and service providers located outside of your home country. When doing so, we provide appropriate safeguards for international data transfers as required by applicable law. See details below in International Data Transfers. |
| PRIVACY RIGHTS | Depending on the laws in your country, you may have certain rights to request access, rectification, deletion, objection, or other actions regarding your personal information. See details below, including how to exercise any privacy rights you may have under applicable law, in Your Data Privacy Rights. |
| CALIFORNIA PRIVACY POLICY | Additional disclosures required under California law to be made to individuals who are residents of California, including relating to applicable privacy rights, are provided in CBRE’s California Privacy Policy. |
| contact cbre | You are always free to contact us if you have questions or concerns about this Notice or our personal information collection and processing activities. See details below in Contact CBRE. |
| Data Protection Officer | Where required by law, we have appointed a data protection officer whose contact details are disclosed in this Notice. Click here to learn more. |
| EU/UK Representative | We have appointed a representative for any responsible CBRE entity located outside of the EEA and the UK that process personal information subject to the EU General Data Protection Regulation and UK data protection law. Click here to learn more. |
| Changes to this Notice | If we make any material changes to this Notice, we will make changes here and, if the changes are significant, we will provide a more prominent notice. Where required, we will obtain your consent. See details below in Changes to this Notice. |
Full Notice
Information About the Responsible CBRE Entity / Data Controller
Depending on the legal regulations in your country and the applicable laws to which you are subject (such as in the EU/EEA and UK), you may have the right to information on the CBRE entity (or entities) responsible for collecting and processing your personal information (also known as the data controller in some jurisdictions). CBRE Inc. is the Data Controller/Responsible Entity with respect to Personal Information processed in accordance with this Notice. Information on how to identify your applicable responsible CBRE entity (or entities) is in Appendix 1.
Personal Information We Collect and Sources
Categories of Personal Information We Collect
Where we may lawfully do so under applicable law, we collect the following categories of personal information directly from you or from the Platform (for more information on data sources, see Sources from Whom We Collect Personal Information, below).
Basic Data: such as your name, title, organization, the line of business and region in which you work, job responsibilities, and work contact details.
Social Media Account Information: such as the username for the social media account(s) you connect to the Platform, the number of connections you have on your connected social media account(s), and the types and topics of CBRE-curated content you may wish to share to your social media account(s) using the Platform. PLEASE NOTE: CBRE does not collect any other information about any social media account(s) or profile you connect to via the Platform (e.g. password, names, screennames or identities of your connections, or content published on your profile other than using the Platform).
Channel Engagement Information: such as the content you publish to your social media account(s) via the Platform, and the number of likes, comments and re-shares received by posts of CBRE content you publish to your social media account(s) using the Platform.
Sources From Whom We Collect Personal Information
We collect and process personal information from the Platform, which aggregates information about engagement with content you share to your connected social media account(s) using the Platform.
Use of Personal Information and Legal Bases
The purposes for which we use your personal information and the legal bases for such processing are as follows:
To monitor and assess the effectiveness of CBRE marketing and promotional materials and marketing channels in order that CBRE may improve the effectiveness of our marketing programs and drive engagement with CBRE as a business overall, where necessary we process your Basic Data, Social Media Account Information, and Channel Engagement Information, based on CBRE’s Overriding Legitimate Interests, or based on your consent (if required by law).
To facilitate your access to the Platform, where necessary we process your Basic Data and Social Media Account Information, based on CBRE’s Overriding Legitimate Interests, or based on your consent (if required by law).
To establish, exercise or defend our legal rights, to comply with lawful government requests for disclosure of personal information or otherwise to comply with legal obligations, we use any of the personal information we collect about you where legally permissible to do so. We process this personal information where necessary to comply with CBRE’s legal obligations or for other overriding legitimate business interests.
Legitimate Business Interests
To the extent, CBRE relies on its overriding legitimate business interests for the processing of your personal information, such business interests are in particular:
monitoring and assessing the effectiveness of employee-driven publication of CBRE marketing and promotional materials on social media;
continuously improving the effectiveness of CBRE marketing and promotional materials in order to drive engagement with CBRE as a business; and
establishing, exercising or defending our legal rights and claims.
To the extent any of the processing purposes listed above require the processing of Special Categories of Information, such processing may in particular be permitted under applicable law as the processing is necessary to carry out certain obligations or exercise certain rights in the field of employment, social security and social protection, to establish, exercise or defend a legal claim, for reasons of substantial public interest or of public interest in the area of public health, and other necessary objectives or based on your consent (if required by law).
Automated Decision-Making
CBRE does not process any personal data it collects and processes from the Platform to make automated decisions.
Sharing of Personal Information
Where we can do so lawfully under applicable law, the personal information we collect may be shared and processed with the following categories of recipients, some of whom may be located in a country that does not provide an adequate level of data privacy and protection rights as your home country, as necessary for the purposes identified in Section 3 – Use of Personal Information and Legal Bases, above. CBRE has in place appropriate safeguards regarding internal personal information sharing. See International Data Transfers below for more information.
Internally with Other CBRE Entities
CBRE is a global firm and the personal information we collect, or you provide may be shared and processed with CBRE entities as necessary for the purposes identified in Section 3 – Use of Personal Information and Legal Bases, above. The potentially relevant CBRE entities are identified in Appendix 1. In particular:
When you log into or use the Platform, CBRE, Inc. and other CBRE entities employing site administrators (referred to as data processors in some jurisdictions) will process certain of your personal information in order to manage your access to, maintain, and improve the functionality of the site. CBRE, Inc. and these CBRE entities employing site administrators may be located outside your home country.
As part of CBRE’s global marketing department’s functions, CBRE's global matrix structure may require that your personal information) is transferred to other CBRE entities outside your home country where other CBRE employees who are responsible and accountable for marketing initiatives are located (e.g., members of CBRE’s Global Digital Marketing Department).
With Third-Parties
The potentially relevant third-parties include:
Service Providers who assist us with IT, cyber security and data hosting providers.
Business partners in case of a merger or sale, such as if CBRE is merged with another organization, or in the event of a transfer of our assets or operations.
Legally Compelled Disclosure
We may be required to disclose your personal information to governmental and regulatory authorities, law enforcement agencies, courts and/or litigants when legally compelled to do so, for example, in response to a court order, subpoena or other lawful, legally-binding request, including to meet national security or law enforcement agencies requirements, or in connection with legal proceedings or similar processes as necessary to exercise or defend our legal rights.
CBRE is committed to not disclose your personal information in response to an international court order or a subpoena or other legal obligation, unless we are legally compelled to do so under applicable law. In particular, CBRE, Inc. has assessed and is of the view that neither it nor its US subsidiaries qualify as a provider of electronic communication service, as defined in 18 U.S.C. § 2510, nor a provider of a remote computing service, as defined in 18 U.S.C. § 2711, and thus US public authorities cannot issue a legally binding demand for disclosure of data under Section 702 of the US Foreign Intelligence Surveillance Act ("FISA 702") upon CBRE, Inc. or its US subsidiaries. In case CBRE nevertheless receives at some point a disclosure demand for personal information under FISA 702, we will publish a Transparency Report on cbre.com and our EEA websites (see our Schrems II statement). All personal data transferred by CBRE to the US is encrypted in transit.
Retention of Personal Information
We will retain your personal information only for as long as required to satisfy the purpose for which such information was collected, unless otherwise required by law or regulation to be retained for a longer period. Personal Information collected or generated as a result of use of the Platform will be retained for a period of twenty-four (24) months. Should you require further information as to the retention period, please do not hesitate to contact us.
How We Secure Personal Information
We implement appropriate technical and organizational security measures to safeguard the personal information we collect and process about you against loss and unauthorized alteration or disclosure. The information you provide is encrypted in transit and at rest. We utilize role-based access controls to limit access to your personal information on a strict need-to-know basis consistent with the purposes for which we have collected such information. We utilize anti-malware and intrusion detection systems to guard against unauthorized access to our network, and we have an incident response plan in place to quickly respond to any suspected leak or breach of personal information.
Where we share your personal information with our service providers, we have assessed that their technical and organizational measures provide an appropriate level of security.
International Data Transfers
Depending on the CBRE entity that is the responsible CBRE entity (see Appendix 1 below) and the recipients (see Sharing of Personal Information above), your personal information may be processed and hosted in countries other than your home country, such as the United States. Those other countries may have less stringent data protection laws than the country in which you reside, in which you initially provided the information and/or in which your information was originally collected.
In case of international data transfers, we will protect your personal information as required by all applicable data protection laws.
EEA and UK to Non-EEA Data Transfers
With respect to international data transfers initiated by CBRE from the European Economic Area ("EEA") or UK to recipients in any non-EEA jurisdictions,
some recipients are located in countries which are considered as providing for an adequate level of data protection under EU law (or UK law, as applicable). These transfers do not, therefore, require any additional safeguards under EU (or UK, as applicable) data protection law.
other recipients are located in countries not providing an adequate level of data protection under EU or UK law, such as the United States, and, where required by law, we have implemented appropriate safeguards, such as EU Standard Contractual Clauses, and/or are relying on binding corporate rules of the recipient or an appropriate derogation. Where applicable, we implement supplementary technical and contractual safeguards. Under applicable law you may have the right to ask for further information on such appropriate safeguards (see Section 9 - Contact CBRE below).
As stated above (see Legally Compelled Disclosures), CBRE, Inc. has assessed and is of the view that US public authorities cannot issue a lawful disclosure demand for personal data under FISA 702 upon CBRE, Inc. or its US subsidiaries. All personal data transferred by CBRE to the US is encrypted in transit.
Your Data Privacy Rights
Depending on the legal regulations in your country and the applicable laws to which you are subject, you may have all or some of the following rights set out below and may submit a request(s) to exercise any such rights through our Data Subject Rights Portal or by contacting us at [email protected]. Irrespective of the CBRE entity that is responsible for the processing of your personal information, you may use such centralized contact details and CBRE will ensure that the responsible CBRE entity receives your request and addresses it promptly as required by applicable law. CBRE will respond to your request comprehensively, even if you do not identify the particular CBRE entity against whom you make the request.
Right of access: You may have the right to obtain from CBRE confirmation as to whether your personal information is being processed, and, where that is the case, to request access to your personal information. You may have the right to obtain a copy of your personal information undergoing processing. For additional copies requested by you, CBRE may charge a reasonable fee based on administrative costs.
Right to rectification: You may have the right to obtain from CBRE the rectification of inaccurate personal information concerning you.
Right to erasure (right to be forgotten) or anonymization: You may have the right to ask us to erase (or in some jurisdictions, anonymize) your personal information. In some jurisdictions, this right may be limited to deletion or anonymization of data that is unnecessary, excessive, or unlawfully processed, or deletion of data that is processed based on your consent.
Right to restriction of processing: You may have the right to request the restriction of processing your personal information.
Right to data portability: You may have the right to receive your personal information which you have provided to CBRE in a structured, commonly used and machine-readable format and you may have the right to transmit those personal information to another entity without hindrance.
Right to withdraw consent: If we rely on your consent for any personal information processing activities, you have the right to withdraw or revoke this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. This right to withdraw consent applies in particular to consents given for marketing and profiling purposes, if any.
Right to object: Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal information by CBRE, and CBRE can be required to no longer process your personal information unless CBRE demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. The right to object may, in particular, not exist if the processing of your personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
Right to request an explanation of our processing activity of your personal information
Right to information on the possibility to withhold consent and information on the consequences of doing so.
Right to information on third parties with whom we have shared your data.
Right to lodge a complaint with the competent data protection authority in your home country or in the country in which the responsible CBRE entity is located, in particular with respect to the result of automated decision-making. A list of European Union Data Protection Authorities is available from the European Data Protection Board. In Brazil, the competent data protection authority is the Autoridade Nacional de Proteção de Dados (ANPD).
Brazil
In addition to other rights provided under applicable law, with respect to personal information collected and processed within Brazil, you may have the right to request review of decisions taken solely based on the automated processing of personal data which affects your interests, including decisions aimed at defining their personal, professional, consumption and credit profiles or aspects of their personality.
China
In addition to other rights provided under applicable law, with respect to personal information collected and processed within China, you may have a right to deregister as a user of an application and cancel online accounts.
California Privacy Policy
If you are a resident of the State of California (“Consumer”), CBRE’s California Privacy Policy (“California Policy”) supplements the information provided in this Notice and includes information about your privacy rights and how to exercise them. The California Policy applies solely to personal information we have collected from individuals who are residents of the State of California in the twelve (12) months preceding date on which the California Policy was last updated.
CBRE does not sell nor share Personal Information as defined under applicable California law.
Contact CBRE
You are always free to contact us if you have questions or concerns regarding this Notice or our data handling practices. We may contact you by email in relation to any Observations, Incidents, and Self-Certifications you report or make. If you prefer us to contact you in an alternative manner, please let us know and we will accommodate your request if possible and appropriate.
General Enquiries
You may contact CBRE’s Global Data Privacy Office (“GDPO”) at [email protected] or by writing to us at 321 North Clark Street, Suite 3400, Chicago, Illinois 60654, Attention: Global Director, Data Privacy. You may also raise questions or concerns about the GDPO to CBRE’s Ethics & Compliance department via the CBRE Ethics Helpline.
Individuals in Europe, the Middle East or Africa:
If you are located in Europe, the Middle East or Africa, you may also e-mail us via the GDPO at [email protected] or write to us at Henrietta House, Henrietta Place, London, United Kingdom W1G 0 NB, Attention: EMEA Director, Data Privacy.
Individuals in Asia or the Pacific:
If you are located in Asia or the Pacific, you may also e-mail us via the GDPO at [email protected] or write to us at 15/F M1 Tower, 141 H.V. Dela Costa Street, Salcedo Village, Makati City, Philippines 1227, Attention: APAC Senior Manager, Data Privacy.
Data Protection Officers
In some countries, CBRE has appointed a Data Protection Officer (“DPO”), whom you may contact with questions or concerns about how CBRE processes your personal information. Contact information for our DPOs is as follows:
| Brazil | [email protected] |
| Canada | [email protected] |
| France | [email protected] |
| Germany: CBRE GmbH, CBRE PREUSS VALTEQ GmbH, and CBRE Capital Advisors GmbH | [email protected] |
| Germany: CBRE Global Investors Germany GmbH | [email protected] |
| Germany: CBRE GWS Industrial Services GmbH and CBRE GWS IFM Industrie GmbH | [email protected] |
| Philippines: CBRE GWS IFM Phils. Corp. | [email protected] |
| Philippines: CBRE GWS Business Support Services Philippines, Inc. | [email protected] |
| Singapore | [email protected] |
| South Korea | [email protected] |
| Pacific (Australia/New Zealand) | [email protected] |
| UK | [email protected] |
| UAE | [email protected] |
| Romania | [email protected] |
| EU (other than Romania, France and Germany) | [email protected] |
EU and UK Representative
We have appointed a representative for the responsible CBRE entities located outside of the EEA and UK that process your Personal Information subject to the EU General Data Protection Regulation and UK data protection law. The representatives contact details are as follows:
Representative in the EU (Art. 27 GDPR) |
CBRE GmbH, Isartorpl. 1, 80331 Munich, Germany In case of questions, please contact [email protected] |
Representative in the UK (Art. 27 of the UK GDPR) |
CBRE Limited, Henrietta House; Henrietta Place; London; W1G
0NB In case of questions, please contact [email protected] |
Changes to this Notice
We are a rapidly evolving, global business. We will continue to assess and make changes to this Notice from time to time as required. If we make any material changes to this Notice, we will make changes here and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Notice changes). Where required, we will obtain your consent.
Appendix 1
In the table below, the responsible CBRE entity (also referred to as data controller in some jurisdictions) for your personal information have been identified, depending on various factors of the processing activity.
If it is unclear to you which CBRE entity is the responsible CBRE entity for the processing of your personal information, please contact [email protected] and we will help you identify the responsible CBRE entity.
| Processing Activity | Responsible CBRE Entity / Data Controller | |
| A. | Administering the CBRE Social Share Platform; reviewing and analyzing data collected and generated by the CBRE Social Share Platform | CBRE, Inc. 2100 McKinney Avenue, Suite 1250 Dallas, TX 75201 Tel +1 214 979 6100 |
| VERSION | DATE | CHANGES | AUTHOR/APPROVER |
| 1.0 | 2023.02.15 | Added document history/version control addendum for tracking changes to document | Harrison Schafer |
| 1.1 | 2023.02.16 | Addition of required CPRA disclosure content; revised language on subsidiaries when acting as controller [Identify the Controller – e.g., CBRE, Inc. and its wholly-owned subsidiaries (“CBRE Group”)] Revision of CBRE UK office to Henrietta House. |
Harrison Schafer |