Maximo Suite Privacy Policy

CBRE Group, Inc. , together with its subsidiaries (collectively, “ CBRE ”, “ we ”, “ us ” or “ our ”), recognizes the importance of protecting your privacy. This Maximo Suite Privacy Notice is designed to assist you in understanding how we collect, use and safeguard your personal information and your choices in making informed decisions when using Maximo Suite and associated applications.

Maximo Suite Privacy Policy

Last updated: June 9, 2020

The Types of Information Collected

We collect the following categories of information about your employees to provide our services to you:

  • Contact information (such as name, postal or e-mail address, and phone number);

  • Professional information (such as job title, department and name of organization);

  • Employee ID number, for CBRE employees only;

  • Username and password;

  • Geo-location information, for service providers using our mobile apps to manage work orders;

  • Information about your use of our websites. For more information, see our Cookies Policy. A copy of this policy may be found in Appendix A of this document.

How We Use Your Information

We may use the personal information we obtain about you for the following purposes:

  • Creating and managing any accounts you may have with us and responding to your inquiries on the basis of your consent. This includes responding to service and maintenance requests you submit to us and communicating with you about their status;

  • Extracting timesheet data for CBRE employees to be sent to HR systems;

  • Creating and assigning work orders for completion in accordance with your contract(s) with CBRE;

  • Verifying the completion of work orders through location tracking and geofencing on the basis of your consent;

  • To fulfill CBRE’s interests in operating, evaluating and improving our business (including developing new products and services; managing our communications; analyzing our products, services, websites, mobile applications and any other digital assets; facilitating the functionality of our websites, and mobile applications and any other digital assets);

  • Anonymizing personal information and preparing and furnishing aggregated data reports showing anonymized information;

  • Enforcing our Terms and Conditions or other legal rights;

  • As may be required by applicable laws and regulations or requested by any judicial process or governmental agency having or claiming jurisdiction over CBRE.

  • We also may use the information in other ways for which we provide specific notice at the time of collection.

Our Retention of Your Information

To better protect your privacy, we take steps to mask, and eventually delete, certain information about you. When you open a service request, it will be linked in our database to your name and other personal information. After one year, we will “mask” the requester so that the service request is no longer attributable to you. After two years, we will “archive” service request records by restricting access to a limited number of our support personnel. When our Master Service Agreement to provide services to your building or facility expires or is terminated, we will permanently delete all service request records.

We also perform daily backups of our database, which we retain for three months in a secure facility. These backups are accessible only by a limited number of our support personnel. Your information may be temporarily retained on these backups after it is masked or deleted from our database.

Geo-Location Information:

Our mobile apps use geo-location to verify completion of work orders we may assign to you. For example, our apps may require your geographic location to check in at a job site, and our apps may track your location throughout the workday.

To ensure your privacy when not working, it is essential that you close and log out of our apps at the end of the work day, so that the app will no longer collect your location.

Personal Information We Share

Vendors:

We may share your personal information with companies acting as our authorized agents in providing our services (e.g., customer/support services) to you, all of which agree to use your information only for such specified purposes. Each vendor must agree to implement and maintain reasonable security procedures and practices appropriate to the nature of your information in order to protect your personal information from unauthorized access, destruction, use, modification or disclosure. Because we operate globally, we may transfer your information to countries or jurisdictions that do not provide the same level of data protection as the country in which you are based . If we make such a transfer, we will, or our vendors will, as applicable, provide for the proper safeguards required by applicable law to ensure that your information is protected. More information on International Data Transfers of your personal information is below.

Legally Affiliated Entities:

In the event that CBRE is merged, or in the event of a transfer of our assets or operations, CBRE may disclose or transfer your personal information in connection with such transaction. In the event of such a transfer, CBRE will notify you via email or by posting a prominent notice on our website for 30 days of any such change in ownership of CBRE resulting in a change of control of your personal information. We may also share your personal information with CBRE affiliates in order to provide or offer services to you.

Legally Compelled Disclosure:

We will also disclose your personal information when required to do so by law, for example, in response to a court order or a subpoena or other legal obligation, in response to lawful requests by public authorities, including to meet national security or law enforcement agency's requirements, or in special cases when we have reason to believe that disclosing your personal information is necessary to identify, contact or bring legal action against someone who may be causing injury to or interference with (whether intentionally or unintentionally) our rights or property.

Bankruptcy:

You should also be aware that courts of equity, such as U.S. Bankruptcy Courts, may have the authority under certain circumstances to permit your personal information to be shared or transferred to third parties without your permission.

International Data Transfers

CBRE is a global business. We may transfer the personal information we collect about you to recipients, and your personal information may be stored and processed, in countries other than the country in which the information was originally collected, including the United States and elsewhere that may have less stringent data protection laws than the country in which you initially provided the information.

When we transfer your information to countries other than the country in which the information was originally collected, we will protect your information as described in this Notice and will comply with all applicable data protection laws in making such transfers.

If you are located outside the United States, the transfer of personal information is necessary to provide you with the requested information and/or to perform any requested service. To the extent permitted by law, such submission also constitutes your consent for the cross-border transfer.

With respect to transfers originating from the European Economic Area to the United States and other non-EEA jurisdictions:

  • CBRE US affiliates are EU-US and Swiss-US Privacy Shield certified, and

  • CBRE has executed EU Standard Contractual Clauses with respect to personal information collected in the European Economic Area and transferred to CBRE in the United States and elsewhere.

Where allowed by applicable law, you may ask for further information on the safeguards that we have put in place to safeguard the transfer of your data to outside of the EEA by contacting us as indicated below.

Privacy Shield Certification:

CBRE complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding personal information that is collected by CBRE affiliates or corporate customers located in the European Economic Area and/or United Kingdom and/or Switzerland and transferred to CBRE, Inc. and its wholly owned US-based affiliates, which include CBRE Global Investors LLC, CBRE GWS Puerto Rico Inc., CBRE Clarion Securities LLC, CBRE Security Services, Inc., CBRE Heery Inc., CBRE HMF, Inc., CBRE Multifamily Capital, Inc., CBRE Capital Markets, Inc., CBRE Technical Services, LLC, CBRE Hana Operations, LLC, Forum Analytics, LLC and Trammell Crow Company LLC in the United States (“CBRE US”). This Policy supplements the data protection notices that Clients and Client contacts may have received. CBRE has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. CBRE is subject to investigatory enforcement powers of the Federal Trade Commission as it relates to conformation with Privacy Shield requirements.

Disclosure and Liability for Onward Transfer:

CBRE is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. CBRE may, as disclosed above in Personal Information We Share, transfer personal information onward to third parties. CBRE remains liable under the Privacy Shield Principles if a third party processes such personal information in a manner inconsistent with the Principles, unless we prove we are not responsible for the event giving rise to the damage.

Independent Recourse of Privacy Shield Complaints:

In compliance with the EU-US and Swiss-US Privacy Shield Principles, CBRE commits to resolve complaints about our collection or use of your personal information. EU, United Kingdom and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact CBRE at: [email protected].

CBRE has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you. You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by JAMS. For additional information on binding arbitration, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Security

CBRE endeavors to protect the security of your personal information and your choices for its intended use. We use Secure Socket Layer or SSL technology to protect the transmission of sensitive personal information such as your credit card number. We store your personal information on a secure server, and use procedures designed to protect the personal information we collect from unauthorized access, destruction, use, modification or disclosure.

Although we will take (and require our third-party providers to take) commercially reasonable security precautions regarding your personal information collected from and stored in our CMMS services, due to the open nature of the Internet, we cannot guarantee that any of your personal information stored on our servers, or transmitted to or from a user, will be free from unauthorized access, and we disclaim any liability for any theft or loss of, unauthorized access or damage to, or interception of any data or communications. By using our CMMS services, you acknowledge that you understand and agree to assume these risks.

YOUR PRIVACY RIGHTS

The privacy laws in many countries grant you certain rights concerning your personal data. CBRE honors requests to exercise rights granted to you by applicable law.

European Economic Area

If we collect or process your data in the context of our operations within the European Economic Area, you have the following rights under Regulation 2016/679, the General Data Protection Regulation (GDPR):

  • The right to request access to your data

  • The right to request a copy of your data in a portable format

  • The right to request the correction data we hold about you

  • The right to request that we erase your data

  • The right to request restriction of the processing of your data

  • The right to object to our processing of your data

  • Where we process data based on your consent, the right to withdraw that consent at any time

To exercise any of these rights, please submit a request through our Data Subject Rights Portal or contact us at [email protected].

If you do not receive a timely response to your request or are not satisfied with the response you receive, you have the right to file a complaint with the applicable Data Protection Authority. A list of Data Protection Authorities is available from the European Data Protection Board.

California

As a consumer residing in the state of the State of California, you have the right under the California Consumer Privacy Act (“CCPA”) to request that: (i) CBRE discloses the categories of Personal Information that we collected, the categories of the sources of such Personal Information, the business or commercial purposes for collecting such Personal Information, the categories of third parties to whom we disclosed such Personal Information, and/or, if we sold or disclosed your Personal Information, the categories of Personal Information that each category of recipient purchased or obtained, and/or (ii) that we provide you with copies of such Personal Information. You may make two such (2) requests in any 12-month period.

Subject to certain exceptions, you may also request that we delete any Personal Information about you that we may hold. We may have grounds to deny your deletion request as provided for in the CCPA.

Upon receipt of your request to know, for access, or for deletion, we will need to reasonably verify that you are the person about whom we collected Personal Information. We may do so by asking for additional information (“Verifiable Information”) to compare against the information we hold about you, or if you have an account with us, by asking you to log in to that account. We will only use Verifiable Information to verify your identity or authority to make the request. We may also ask you to provide additional detail or clarify your request to allow us to properly understand, evaluate and respond to it.

Types of Verifiable Information we may ask for depend on the context of your relationship with CBRE, but may include:

  • Name of a CBRE employee with whom you interacted,

  • Date or other details of a transaction you had with CBRE,

  • Email address, phone number, or other contact information we may have on file for you.

You may exercise your rights to know, access, delete or opt out by completing the form in our Data Subject Rights Portal or by calling us at +1 (866) 428 4722. We will ask for your name, email address, and your relationship to us in order to begin processing your request.

You may authorize someone to submit a rights request on your behalf. You may do this by providing that person with power of attorney pursuant to the California Probate Code. Alternatively, you may provide that person with signed, written permission to submit requests on your behalf, but we will still require you to verify your identity with us directly by one of the methods listed above. In either case, we will also require that person to verify their personal identity via one of the above methods, or, in the case of a business entity, by response to communications directed at a well-known internet domain associated with that business or to contacts provided in that entity’s official filings with the California Secretary of State.

Elsewhere

Withdrawing your consent: If we have collected and process your personal information based on your consent, then you may have the right to withdraw your consent under applicable law at any time.

You may also have rights under applicable law to request to review, access, correct, delete, port or object to our processing your personal information processed by us, and to lodge a complaint with a supervisory authority. If so, you may do so by making a request on CBRE’s Data Subject Rights Portal or submitting your request to [email protected].

Contact Us

You are always free to contact us if you have questions or concerns regarding this Policy or have a question or problem related to your use of the Services. Our standard business practice is to retain any communications from our users to help us to serve each of you better.

You may contact us by emailing [email protected] or by writing to us at 321 North Clark Street, Suite 3400, Chicago, Illinois 60654, Attention: Global Director, Data Privacy.

Users in Europe, the Middle East or Africa:

If you are located in Europe, the Middle East or Africa, you may also e-mail us at [email protected] or write to us at St. Martins Court, 10 Paternoster Row, London EC4M 7HP, United Kingdom, Attention: EMEA Director, Data Privacy.

Users in Asia or the Pacific:

If you are located in Asia or the Pacific, you may also e-mail us at [email protected] or write to us at 40/F GT Tower International, 6813 Ayala Ave. cor H.V. Dela Costa Street, Salcedo Village, Makati City, Philippines 1227, Attention: APAC Senior Manager, Data Privacy.

Appendix A: Cookie Policy

This is our Cookie Policy as of October 21, 2018. The current version of the policy can be found at https://www.cbre.us/global/about/privacy-policy .

Cookie Policy – Automatic Data Collection

By browsing on our Site, you are agreeing to our use of cookies.

What is a Cookie:  A cookie is a small text file that a website stores on your personal computer, telephone or any other device, with information about your navigation on that website. Cookies facilitate browsing and to make it more user-friendly. A cookie contains the name of the server it came from, the expiry of the cookie, and a value – usually a randomly generated unique number. Cookies do not give access to nor damage your computer.

  1. Cookie Use By Us

    How we use Cookies:

    When you visit our Site, we use cookies to identify you as a valid user, to ensure that no one else can sign on simultaneously with your account from another computer and to help us serve you better based on your registration preferences. We may also use cookies to help us facilitate any promotions or surveys that we provide.

    Cookies Are Not Used to Store Sensitive Data:

    The cookies we use do not store sensitive personal information, such as your address, your password, or your credit card data.

    Main Cookies we use: 

    Here's a list of the main cookies we use, and what we use them for:

  2. Cookie Type

    Name

    Purpose

    Expiry

    Analytics

    _utma

    Used to record anonymous data about your visit.The information is aggregated to our Google Analytics account. We do not share this data in any form.

    2 years

    Analytics

    _utmb

    Same as above.

    30 minutes

    Analytics

    _utmb

    Same as above.

    When you close your browser

    Analytics

    _utmz

    Same as above.

    6 months

    Analytics

    MF_user

    This cookie establishes whether the user is areturning or first-time visitor for the purpose of analytics. This is donesimply by a yes/no toggle - no further information about the user is stored.

    90 days

    Analytics

    _GA

    Allows web analytics to identify unique usersacross browsing sessions, but it cannot identify unique users across different browsersor devices.

    90 days

    Analytics

    _Gid

    Allows web analytics to identify unique usersacross browsing sessions, but it cannot identify unique users across differentbrowsers or devices.

    90 days

    Analytics

    SC_ANALYTICS_GLOBAL_COOKIE

    Identifies repeat visits from an anonymoussingle user across CBRE websites.

    1 year

    Performance

    Adrum

    Performance Cookie for technical monitoring ofthe server load

    On session close

    Performance

    ASP.NET_SessionId

    Collects and reports on aggregate non-identifiable information, which can then be used to report on the performance of the website and provide insights on how the site is currently used and how it can be improved.

    1 year

    User Login State

    GRG_jwtToken

    Identifies if a user is logged in to the CBRE Global Research Gateway. The Login is able to persist up to 90 days or on log out by the user.

    90 days

    User Login Stat

    auth_id_token

    Identifies a user is authenticated by Single Sign on and able to download CBRE Research

    90 days

  3. Performance Tracking

    We sometimes use cookies, as well as tracking technology, such as web beacons, within the promotional emails that we send to our subscribers or advertisements for our Site. These performance tracking devices help us to track whether an e-mail recipient has completed an event, such as signing up for a free trial for example. Such information is non-personally identifying and collected on an aggregate level. We sometimes utilize third party service providers to help us track the activity within our Site. These third parties may use temporary cookies and/or web beaconing technology to facilitate such tracking but the data would not be tracked in a personally identifiable way. Third parties whose products or services are accessible on our Site may also use cookies, and we advise you to check their privacy policies for information about their cookies and other privacy practices.

  4. Avoiding and Disabling Cookies

    Avoiding Use of Cookies on this Site: If you prefer to prevent us from using Cookies on your devices, before navigating on this Site, you must first disable the use of Cookies in your browser and then delete the Cookies saved in your browser associated with this Site.

    Disabling and Preventing Further Use of Cookies:  You may restrict, block or delete the Cookies from this Site at any time by changing the configuration of your browser. You can find out how to do this, and find more information on cookies, at:  www.allaboutcookies.org. In addition, while each browser has different settings and configurations, cookies settings can typically be adjusted in the "Preferences" or "Tools" menu. Your browser’s "Help" menu may provide additional information.