PRIVACY STATEMENT

This Privacy Policy sets out how Co-Work Space Limited, subsidiaries, joint ventures and associated companies (“the Company”) uses and protects your personal data.  The Company is the Controller for personal data given to the Company by lessors, licencees, prospective licencees, business contacts, staff, and other individuals.

The full details of the Company are: –

Co-Work Space Limited

Registered in England

Company number: – 08015062

Registered address:-

C P House,

Otterspool Way,

Watford,

WD25 8JJ

 

In the course of its business activities, the Company requests, obtains, and processes personal data from customers, prospective customers, business contacts, staff, and other individuals.  The Company aims to process the minimum personal data the Company needs in order to provide a good service. The Company recognises and respects the legal rights and reasonable expectations of individuals over their personal data and privacy.

This Privacy Policy explains how the Company protects personal data and privacy.  Many of the principles the Company follows are driven by the EU’s General Data Protection Regulation (GDPR).  However, the Company complies with all applicable legal requirements on personal data protection and privacy.

The Company has tried to make this Privacy Policy easy to use and to understand, within the constraints of the complexity of the information the Company has to communicate.

1)  Legal rights of individuals (“data subjects”) under GDPR

The “data subjects” covered by GDPR are living individuals anywhere in the world who deal with a “controller” in the EU, or living individuals in the EU who deal with a controller outside the EU. A “controller” is the legal entity which defines how personal data is processed. “Personal data” is any data which can be linked to a data subject.

As explained below, data subjects have the following specific rights under GDPR

  1. Right to receive transparent information
  2. Right of access to your own data
  3. Right to rectify inaccurate data
  4. Right to erasure (“Right to be forgotten”) in specific circumstances
  5. Right to withdraw consent
  6. Right to request restriction of processing
  7. Right to object to processing
  8. Right not to be subject to automated decisions
  9. Right to “Data portability”
  10. Right to complain to a “Supervisory Authority”

This Policy addresses all of these rights.  Upon your request on any of them, the Company will respond without undue delay and in any case within one month, and the Company will do its best to resolve even complex cases within three months. The Company will not charge a fee for an initial request, but the Company reserves the right to charge an administrative fee for handling repeated requests within a year, or in case of otherwise manifestly unfounded or excessive requests.

Note that the Company will need to verify your identity to be able to act on any request.

If the Company believes that it should not act on your request, the Company will write to inform you of the basis for the Company decision, and also of your options for legal remedy.

Separately from these rights, if you believe that the Company has mistreated you with regard to your personal data or your privacy, please contact the Company so that it can rectify the situation. You can send a formal complaint to the Company by email or by post to the address given in section 1.11Contacting the Company regarding GDPR”.

The Company will aim to respond without undue delay and in any case within a month, although it may take the Company longer to investigate fully. 

 

1.1        Right to receive transparent information

The Company will provide all information required by GDPR to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Company shall provide the information in writing or by electronic means. If you request, the Company will provide information orally.

The Company will facilitate your exercising your rights as described in the rest of section 1 below.

Section 1.11 “Contacting the Company regarding GDPR” below gives email and postal addresses for contacting the Company.

 

1.2        Right of access to your own data

You have the right to obtain from the Company confirmation as to whether personal data on you is being processed, and, if so, to access the data and the following information:

  1. The purpose of the processing
  2. The categories of personal data concerned
  3. The recipients to whom the Company has disclosed or will disclose the personal data, in particular recipients in countries outside the EU
  4. The period for which the personal data will be stored
  5. The existence of your right to request the Company to rectify or erase personal data or to restrict processing of personal data or to object to such processing
  6. Your right to lodge a complaint with a Supervisory Authority
  7. Where the personal data is not collected directly from you, information as to its source
  8. Whether there is any automated decision-making from the data, and, if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
  9. Where the Company transfers your personal data to a country outside the EU, the appropriate safeguards the Company has in place to protect your rights.

 

1.3        Right to rectify inaccurate data

If the Company holds inaccurate or incomplete personal data on you, the Company will rectify this without undue delay on receiving your request.

1.4        Right to erasure (“Right to be forgotten”)

You have the right to request the Company to erase your personal data and for the Company to act on the request without undue delay, where one of the following grounds applies:

 

(a) Your data is no longer necessary in relation to the purposes for which it was originally processed

(b) You withdraw consent and the Company has no other legal basis for processing your data

(c) The basis of lawfulness for processing is the Company’s legitimate interest, and you can show that the Company has no legitimate grounds for the processing which overrides your interest, rights, and freedoms

(d) The processing is for direct marketing, and you object to this

(e) The Company has been unlawfully processing your data

(f) The Company has to erase your data for compliance with a legal obligation in EU or Member State law to which the Company is subject

1.5        Right to withdraw consent

Where you have given the Company consent for any processing, you have the right to withdraw consent at any time.  Section 1.11 “Contacting the Company regarding GDPR” below gives email and postal addresses for contacting the Company.

Note that your withdrawal of consent will not affect processing which the Company has already performed.

 

1.6         Right to request restriction of processing

You can request that the Company restricts the processing of your personal data where one of the following applies:

  • You contest the accuracy of the personal data
  • The Company no longer has a basis of lawfulness for processing, but you oppose the Company erasing the data and you request that the Company restricts its use instead
  • The Company no longer needs the data for the original purpose, but you require it for the establishment, exercise, or defence of legal claims
  • You object to the Company processing on the grounds that the Company states its legal basis as “our legitimate interests” but you claim that your “interests, rights, and freedoms” override these.

Where processing is restricted under your objection, except for continuing to store the data the Company shall process it only with your consent or:

  1. For the establishment, exercise or defence of legal claims,
  2. For the protection of the rights of another person, or
  3. For reasons of important public interest of the EU or of a Member State.

Where the Company restricts processing, it shall inform you before it lifts the restriction.

Operational practicalities may prevent the Company restricting processing precisely as envisaged by GDPR, but in such a case the Company will work with you to try to find a satisfactory resolution.

 

1.7        Right to object to processing

You have the right to object to the Company processing your personal data where:

  • The basis of lawfulness for processing is “the Company’s legitimate interests” but you show that your “interests, rights, and freedoms” override these
  • The Company processes your data for direct marketing purposes, including “profiling” to the extent that it is related to such direct marketing. (Profiling is automated decision making which analyses or predicts aspects such as your economic situation, personal preferences, behaviour, or location.) Where you make such an objection the Company shall no longer process your data for such purposes.

 

1.8        Right not to be subject to automated decisions

You have the right not to be subject to a decision based solely on automated processing, if this produces legal effects on you or similarly significantly affects you.

However, this does not apply:

(a) If the decision is necessary for the Company to perform a contract with you or if the Company has your explicit consent, or

(b) If the automated process is authorised by an EU or Member State law which also defines measures the Company has to follow which safeguard your rights, freedoms, and legitimate interests.

In case (a), the Company has to implement suitable measures to safeguard your rights, freedoms, and legitimate interests.  This includes at least your right to make the Company ensure human intervention, and your right to express your point of view and to contest the decision.

 

1.9        Data portability

GDPR gives a data subject the right in certain circumstances to receive the personal data concerning him or her “in a structured, commonly used and machine-readable format”. The right includes having the personal data transmitted directly from one controller to another, where technically feasible.

Where you apply under 1.2 above for access to your own personal data, the Company will normally supply this in a commonly-used electronic format, unless you specifically ask us to send you a written copy.

 

1.10    Right to complain to a “Supervisory Authority”

If you believe that the Company has treated you unfairly or unlawfully under GDPR, you can complain to a Supervisory Authority for data protection.  As the Company has its establishment in Great Britain, you can complain to the United Kingdom Authority regardless of your residence, even if you are resident outside the EU:

The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745
e-mail: international.team@ico.org.uk
Website: https://ico.org.uk

If you are normally resident in an EU country other than the United Kingdom, you also have the right to raise a complaint with the Supervisory Authority of that country.  This link will give you the name and contact details:

http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

1.11    Contacting the Company regarding GDPR

 

To exercise one of the rights described above, or to make a complaint directly to the Company or to contact the Company with a general enquiry regarding GDPR or privacy, the email and postal addresses are:

Privacy Officer

C P House,

Otterspool Way,

Watford,

WD25 8JJ

 

Privacyofficer@lentaspace.co.uk

2)  How the Company uses your information

Except where stated below your data will not be transferred by the Company to any third parties unless required by government authorities.

2.1      Initial enquiry about office space

  • Registration with the Company – by phone, email or registered interest through the website.
    • What is collected: – Name, email address, phone number, Company name (this could be through a third-party broker).
    • Purpose: – To register your interest in our products and services and to provide consent for communication.
    • Data retention: – In alignment with all the Company customer data – 7 years.
    • Lawful basis: – In order to contact you about arranging a suitable date and time for viewings and to facilitate taking a new office with the Company. Plus to be able to assist in the provision of a new office in the future.

2.2   Occupation of office space

  • Leasing space in an office building
    • What is collected: – Name, email address, Company name, phone number, home address (if a sole trader), emergency contact details and either a passport or driving license.
    • Purpose: – For a possible lease agreement and to provide identification for security purposes due to the nature of the shared office set-up.
    • Data retention: – 7 years after the end of the lease. This is due to legal requirements.
    • Lawful basis: – To enable the signing of a lease agreement.
    • Third party data transfer: – Information is passed to the Company’s business rates advisor.
  • Licence to occupy space in an office building
    • What is collected: – Name, email address, Company name, phone number, home address (if a sole trader), emergency contact details and either a passport or driving licence.
    • Purpose: – For a possible licence agreement and to provide identification for security purposes due to the nature of the shared office set-up.
    • Data retention: – 7 years after the end of the licence. This is due to legal requirements.
    • Lawful basis: – To enable the signing of a licence agreement.
    • Third party data transfer: – Information is passed to the Company’s business rates advisor.
  • Virtual office space
    • What is collected: – Name, home address, email address, phone number and some combination of passport, utility bill and driving licence.
    • Purpose: – To comply with a legal or regulatory obligation to provide the business service.
    • Data retention: – 7 years after the end of the licence. This is due to legal requirements.
    • Lawful basis: – In order to set up a contract and for compliance with legal obligations.
    • Third party data transfer: – Information is passed to the Company’s anti-money laundering verification platform.

2.3 Potential services provided to occupants of a property

  • Provision of phone services
    • What is collected: – Phone numbers of calls placed outside of the telephone platform.
    • Purpose: – To provide services as per the occupancy agreement.
    • Data retention: – 7 years as part of the billing process.
    • Lawful basis: – In order to execute the contract for provision of services
    • Third party data transfer: – Data is collected and retained by the Company’s IT service provider and their sub processors.
  • Gym usage
    • What is collected: – Name, emergency contacts, medical history.
    • Purpose: – To ensure compliance with health and safety regulations.
    • Data retention: – In alignment with all the Company customer data – 7 years.
    • Lawful basis: – Legal obligation under health and safety.
  • Provision of car parking
    • What is collected: – Name, email address, car make, model and number plate.
    • Purpose: – To allow access to car parking facilities.
    • Data retention: – 7 years after the end of the agreement, visitor parking – 1 year following visit.
    • Lawful basis: – Legitimate interest to provide car parking
    • Third party data transfer: – Information is passed to the Company’s car park management company.
  • Provision of CCTV
    • What is collected: – Video footage of property, both inside and outside the building.
    • Purpose: – To protect persons and property.
    • Data retention: – Up to 31 days unless requested for legal purposes, after which video footage is automatically written over.
    • Lawful basis: – Legitimate interest in keeping the property secure and to protect persons.
    • Third party data transfer: – Transfer of data to an approved security monitoring company.
  • Holding names of business contacts
    • What is collected: – Name, email address, Company name, phone number.
    • Purpose: – Enable communication with a view to working together.
    • Data retention: – In alignment with all the Company customer data – 7 years.
    • Lawful basis: – Legitimate interest in being able to do business.
  • Visitors to the buildings
    • What is collected – Name, vehicle licence number.
    • Purpose – To allow access to the office.
    • Data retention –Deletion of the visitor sign in sheets 1 year after visit.
    • Lawful basis – Legitimate interest in being able to do businesss.

 

  • Entry to the buildings
    • What is collected – Name, time of entry.
    • Purpose – To allow access to the office.
    • Data retention –1 year after termination of agreement.
    • Lawful basis – Being able to provide safe and secure access to the buildings.
  • Emergency response
    • What is collected – Name, mobile phone number.
    • Purpose – To allow access to the office.
    • Data retention – 1 year after termination of agreement.
    • Lawful basis – Legitimate interest in being able to do businesss.

 

  • Insurance claims
    • What is collected – Name, address, car registration, medical records.
    • Purpose – To process any claims filed.
    • Data retention – For as long as there is the potential for a claim or while the claim is active.
    • Lawful basis – Legal obligation in order to be able to process claims.

Note that data may be held for longer than the stated retention period because:

  1. We review and delete information periodically.
  2. After deletion on the database, data will continue to exist temporarily on backup files which are maintained to ensure operational resilience. The Company uses IT security techniques to ensure that these are accessible only for the purpose of restoring the database in the event of a loss of data and that they cannot be copied to reveal data.  Backup files are destroyed on a rotating basis within 4 weeks.

 

The Company retains core information for 7 years after the end of an agreement.

3) Cookies

 

Our website, along with many others, uses cookies. Cookies let users navigate around sites and (where appropriate) let us tailor the content to fit the needs of our site’s visitors. Without cookies enabled we can’t guarantee that the website and your experience of it are as we intended it to be. None of the cookies we use collect your personal information and they can’t be used to identify you.

 

4) Job applications

 

If you apply to work with the Company, the Company will use the data the Individual gives the Company only to process the Individual’s application and to monitor recruitment statistics. If the Company wants to disclose information to an Individual outside the Company – for example, if the Company needs a reference – the Company will make sure the Company tells the Individual beforehand, unless the Company are required to disclose this information by law.

If the Individual is unsuccessful in the job application, the Company will hold the Individual’s personal data for 6 years after the Company has finished recruiting the position the Individual applied for. After this date the Company will destroy or delete the Individual’s information.

5)Terms and abbreviations used in this Disclosure

Most of the definitions refer to the EU’s General Data Protection Regulation (GDPR).  This is a legal document, and it is not possible to give a short definition in simple language which is fully exact.  The aim here is to give a clear explanation which will facilitate the reader’s understanding; this may sometimes exclude detail of the full legal definition. The Company policy is to comply with the full requirements of GDPR, and your rights are not affected by any simplification in the explanations here.

Term or Abbreviation Explanation
Controller The legal entity which determines the purposes and means of the processing of personal data;
Data subject A live individual inside or outside the EU dealing with an organisation in the EU.  Such an individual is a “data subject” and under GDPR has rights over the processing of his or her personal data.

 

(A live individual resident in the EU is also a data subject with equivalent rights when dealing with a non-EU organisation which specifically markets into the EU. This is not relevant in the case of the Co-Work companies.)
EU The European Union
GDPR The General Data Protection Regulation of the EU, which came into force 25 May 2018.
Personal data Any information relating to an individual who is or can be identified through a wide variety of methods, including but not limited to:

·       The individual’s name, identification number, location data, or an online identifier, or

·       One or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Processing Any operation or set of operations which is performed on personal data, whether or not by automatic means, including but not limited to:

 

Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.
Processor A legal entity which processes personal data on behalf of a controller.
Profiling Automated processing which uses personal data in order to analyse or predict aspects of performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements of an individual
Supervisory Authority An independent public body set up by an EU state to monitor the application of GDPR and, as necessary, to intervene to protect the rights of individuals under GDPR
Transfer Sending of personal data from the controller or processor to a legal entity outside the EU.

 

COMPLETE THE FORM BELOW

or call us on 020 7183 1389

    £££

    REFER A FRIEND AND
    GET REWARDED!