Healthy Offices

 

Personal Information Protection Notice

 
Your privacy is very important to us. This notice explains how CBRE B.V. and its affiliated entities and Partners (together, “CBRE”) collect, use, transfer, and disclose Personal Information (as defined below) for the Healthy Offices project (“Project”) carried out by CBRE on the instructions of your employer (the “Employer”). 

1. What Personal Information We Collect, Use, Transfer, and Disclose and Why?
The collection, use, transfer and disclosure of personal information (“Processing”) will be divided into two phases: the registration phase (“Phase 1”) and the participation phase (“Phase 2”). References to Personal Information cover the Processing of Personal Information in both phases. For all Personal Information CBRE processes, the general principle applies that CBRE will only process this Personal Information if there is a legitimate reason to do so.
In Phase 1 CBRE will collect all the Personal Information that is necessary to be able to select the participants that are representative of the specific project in focus.
 
After Phase 1, all participants’ email addresses and specific participation preferences will be shared with Castor EDC (“Castor”) to be used in the QuickScan and analyzed by Learn Adapt Build (“LAB”), an independent research team. Castor’s secured cloud portal allows all selected Participants (“Participants”) to fill out a secured Survey and Daily Ratings, both topics of the Healthy Offices QuickScan (“QuickScan”). Castor’s security policy has been set up in such a way that it is no longer possible to directly link the Participants to their output. All Personal Information arising from the QuickScan that CBRE and LAB receive from you within the Castor portal does not directly link to your email address or name and therefore concerns pseudonymized information. It follows that Personal Information can securely be shared between researchers and other third parties. Personal Information will only be shared with regard to the QuickScan and if there is a legitimate reason to do so.

Through this portal CBRE will process your Personal Information to be able to evaluate in what degree an existing workplace supports health and wellness through the physical environment, technology, policies, and culture. The Personal Information includes your first name, last name, address, email address, gender, age, specific participation preferences, and all information/answers that you provide us by participating in the QuickScan. 
Your Personal Information will not be accessible to your employer at any point, nor be seen by your employer at an individual level. CBRE will not use Personal Information for any other purpose incompatible with the purposes described in this Notice, unless it is required or authorized by law, authorized by you, or is in your own vital interest (e.g., in the case of a medical emergency).

1a – Wearable Data
Only if applicable: for the duration of the QuickScan, you may be invited to wear a wearable device of the brand Garmin (“Wearable”). In that case, CBRE will provide you with such a device for the duration of the QuickScan and will ask you to download the Garmin App and link your device to the Garmin App and your iPhone Health App for analysis. Only Personal Information necessary for analysis will be used, which means data regarding sleep and activity patterns only. All other (possible remainders of) data will be excluded and therefore destroyed.
All Personal Information arising from the QuickScan that CBRE and LAB receive from you within the Sense portal will be generalized and pseudonymized in such a way that it will no longer be possible to directly link your Personal Information to you as a person. It follows that Personal Information can securely be shared between researchers and other third parties. Personal Information will only be shared with regard to the QuickScan and if there is a legitimate reason to do so.

Your Personal Information will not be accessible to your employer at any point, nor be seen by your employer at an individual level. CBRE will not use Personal Information for any other purpose incompatible with the purposes described in this Notice, unless it is required or authorized by law, authorized by you, or is in your own vital interest (e.g., in the case of a medical emergency).

2. Transfer and Joint Use of Personal Information within CBRE Group
Personal Information will be transferred to CBRE companies or affiliates in locations outside the country in which you work, where the data protection regime may be different than in the country where you are located; specifically, to CBRE’s affiliate entities in Poland (CBRE Corporate Outsourcing Sp. z o. o.) and the United States (CBRE, Inc.) based on a legally adequate transfer method. For a list of the data to be processed by these entities, please see the Attachment to this Notice. You should be aware that: i) CBRE, Inc. has entered into an Intercompany Data Transfer Agreement in accordance with EU Directive 95/46/EC, under the terms of which CBRE, Inc. is obligated to process and protect all Personal Information received from the Company in accordance with “Model Clauses for the Transfer of Personal Data”. These Model Clauses set out the operational and security standards for the transfer and processing of Personal Information as described by the European Commission; and ii) CBRE Corporate Outsourcing Sp. z o. o., CBRE, Inc., and the Company have entered into a data transfer agreement and service level agreement which together set out the scope of Personal Information collected and the manner in which it may be transferred, processed, and stored.

3. CBRE’s Partners
CBRE is also cooperating with three direct partners (“Partners”) to be able to carry out the Project to the best of our ability. Only three subcontractors of CBRE have access to the Personal Information:

Castor EDC: 
Our Healthy Offices portal will be hosted by Castor. CBRE has entered into a Data Processing Agreement (DPA) with Castor under which Castor is only entitled to transfer Personal Information to third-party sub processors under strict security measures. To assure you that your Personal Information provided in Phase 1 cannot be linked to the Personal Information provided in Phase 2 or to the QuickScan results, Castor has taken the following measures:

  • Your email address is encrypted in the Castor database;
  • All Castor personnel with "Edit rights" (set by the Study Admin “LAB”) can have an insight in your email addresses stored in Castor’s database by re-entering their password. In the upcoming release of Castor the viewing of email addresses is becoming a separate authorization, leading to more granular manipulation options for these rights. 
  • All the above-mentioned actions will be logged and monitored in an audit trail in the computer systems of Castor;
  • It is not possible to make an export of the email address database; these email addresses can only be viewed by authorized persons 1:1 within the system
  • Castor has guaranteed that all the developers who can access the database (including email addresses) will not do this. This is logged and monitored in the audit trail.

Learn Adapt Build (LAB):
In a unique study, CBRE and Elizabeth C. Nelson, a PhD Candidate Biomedical Engineering from the University of Twente and researcher of Learn Adapt Build (LAB), explored the relationship between health and wellness in the workplace and the effectiveness of employees. Elizabeth C. Nelson and LAB are still part of the Healthy Offices research team and therefore have access to your Personal Information. CBRE has entered into a Data Processing Agreement (DPA) with LAB.

Sense Health:
Only if applicable, the data gathered by wearables will be hosted by Sense Health. CBRE has entered into a Data Processing Agreement (DPA) with Sense Health under which Sense Health is only entitled to transfer Personal Information to third-party sub processors under strict security measures.

4. Other Third Party Personal Data Processors
From time to time, CBRE may need to make Personal Information available to other unaffiliated third parties. For a list of the categories of unaffiliated third parties, please see the Attachment to this Notice. Some of these third parties will be located outside of your home jurisdiction. Third party service providers and professional advisors are expected to protect the confidentiality and security of Personal Information, and only use Personal Information for the provision of services to CBRE, and in compliance with applicable law.

We have selected these unaffiliated third-party sub processors with the utmost care for security and transfer only strictly required personal information. Other than CBRE’s Partners and unless provided by you, none of these parties have access to Phase 2 Personal Information that can directly lead to data on an individual level. Access to Personal Information will be limited to those individuals who have a need to know the information for the purposes described in the Attachment to this Notice.

Our general starting point is to find suppliers that host the data in the Netherlands, or otherwise in the European Economic Area (“EEA”). In case of hosting outside Europe, such as the USA, we select Privacy Shield certified parties where possible, or secure this data transfer in another adequate way, for example by entering into EU Standard Contractual Clauses or a customized Data Processing Agreement (DPA) with this specific party outside the EEA.

5. Security 
CBRE will take appropriate measures to protect Personal Information that are consistent with applicable privacy and data security laws and regulations, including requiring service providers to use appropriate measures to protect the confidentiality and security of Personal Information. Moreover, CBRE’s Digital and Technology Department received ISO 27001/27002 certifications for its global support locations in Dallas, Texas and Brookfield, Wisconsin and its EMEA support locations.  CBRE’s D&T group works closely with the Global Data Privacy Office to ensure GDPR compliance both with respect to organizational and technical security measures, including cybersecurity, Privacy by Design and by Default protocols, and vendor security review and assessment.  

6. Data Integrity and Retention 
CBRE will take reasonable steps to ensure that the Personal Information we process is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described in this Notice. CBRE will retain Personal Information for the period necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. 

7. Provision of Personal Information 
Providing your Personal Information is optional. However, please note that failure to provide Personal Information required by the Company at the time of the kick-off of the Project will make it difficult or impossible for CBRE to start or continue the Project in whole or in part.

8. Consent
You shall have the right to withdraw your consent at any time. However, this right can no longer be exercised with respect to CBRE, LAB, Castor or any other third party after the pseudonymizing has taken place, because we will no longer be in a position to distinguish your Personal Data from the rest of the collected data. Because your Personal Information has become one with the rest of the collected data, we will not be able to withdraw your data from the dataset.

9. Access and Correction Requests, Questions, and Complaints 
If you have any questions or concerns about how we process Personal Information, please contact your contact person within CBRE. Subject to the conditions specified under 8 of this Notice, you have the right to access, modify, object to the use, or request deletion of your Personal Information as permitted by law. Please contact your contact person within CBRE with any such requests. Please note that certain Personal Information may be exempt from such access, correction, objection, or deletion rights pursuant to local data protection laws. All privacy-related access requests will be taken seriously, dealt with promptly, including within any time period prescribed by applicable law. You may also contact your local Data Protection Authority. 

ATTACHMENT
TYPES OF DATA COLLECTED AND PROCESSED, PURPOSES FOR COLLECTION
AND PROCESSING, AND CATEGORIES OF RECIPIENTS

Types of Personal Information We May Collect, Use, Transfer, and Disclose, which will be processed by CBRE:

  • Aggregated Information: CBRE may use aggregated Personal Information for reporting about CBRE’s website usability, performance, and effectiveness. It may be used to improve the experience, usability, and content of the site.
  • Health Data: we will collect data about your health and work-life balance such as heartbeat, steps taken, calories burned, your activity levels and sleep patterns.
  • IP Addresses: we may collect information about your computer, including where available your IP address, operating system and browser type, for system administration.
  • Personal Details: Name (last, middle and first name); initials; gender; work and/or home contact details (email address, phone numbers, physical address); date of birth; marital/civil partnership status; photo and details.
  • QuickScan data: We will collect and Process Personal Information that you provide to us by filling in the QuickScan. This Personal Information includes data about your physical and mental needs in a working environment.
  • Systems and Applications Access Data: Information required to access the systems and applications that are being used in relation to the Project, such as user ID, email accounts; system passwords; and electronic content produced by data subject using CBRE systems. 
  • Sensitive Information as Required and Permitted by Applicable Law: We may collect information about your capacity or incapacity to perform work only as permitted by local law, authorized by court/tribunal order, when volunteered by you, or when reasonably necessary for CBRE to exercise its legal rights and/or perform its legal obligations as an employer. Please be assured that, as explained in the following section, we will only use such Sensitive Information for these purposes and as provided by law.
  • Wearable Personal Information: Only if applicable, the Wearable will collect all sorts of data about your health and work-life balance such as heartbeat, steps taken, calories burned, your activity levels and sleep patterns.



The Purposes For Which We May Collect, Use, Transfer, and Disclose Personal Information:

  • Research purposes: CBRE may collect Personal Information to be able to carry out the Healthy Offices research and therefore provide your employer with a detailed report containing advice on which changes to your working environment can have an impact on your health, well-being and ability to perform in this environment. This processing of highly sensitive Personal Information is based on your explicit consent.
  • IT Support: Hosting and management of servers and networks, security of servers and network, web service monitoring problem determination and problem resolution, database administration and support, and server configuration and support.
  • Compliance: Complying with CBRE legal and other requirements, such as record-keeping and reporting obligations, conducting audits, complying with government inspections and other requests from government or other public authorities, responding to legal processes such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations, and complying with internal policies and procedures.



The Categories Of Unaffiliated Third Parties With Whom We May Share Personal Information

Subject to the process of pseudonymizing described under 1, we may share Personal Information with the following parties:

  • Professional Advisors: Accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors in all the countries in which CBRE operates.
  • Service Providers: Companies that provide products and services to CBRE such as IT systems suppliers and support, insurance, payroll, employee expense processing, employee benefits, credit card companies, and other service providers.
  • Public and Governmental Authorities: Entities that regulate or have jurisdiction over CBRE such as regulatory authorities, law enforcement, public bodies, and judicial bodies, including any regulatory entities outside the country in which you work.