CLIENT / THIRD PARTY PRIVACY AND CONFIDENTIALITY POLICY
Updated: January 23, 2023
Department: Legal & Compliance
Owner: Privacy Officer
1. STATEMENT OF POLICY
Cushman & Wakefield Core (C&WC) is committed to respecting and protecting all information entrusted to us in the course of our business. This includes individuals’ privacy as well as client confidentiality. The Client/Third Party Privacy & Confidentiality Policy (“Policy”) describes C&WC’s methods regarding the collection, processing, storage, and safeguarding of Confidential and Personal Information for business related purposes.
2. GENERAL SCOPE OF POLICY
This Policy is applicable to all of the Company’s directors, officers, partners, employees, temporary employees hired through agencies, brokerage professionals and independent contractors2 (collectively “Employees”) globally3.
3. EXCEPTIONS TO POLICY
None.
4. DETAILED PROCEDURE/GUIDANCE
A. DEFINITIONS
- Confidential Information – Any and all information or data (regardless of format) that is provided to Cushman & Wakefield Core by clients or third parties in confidential circumstances, which is not publicly known, and which relates to a client engagement or its affairs. This can include information or data types governed by other information laws (e.g., inside price sensitive or government protected).
- Personal Information – Any and all information or data (regardless of format) that (i) identifies or can be used to identify, contact or locate an individual, or (ii) that relates to an individual, whose identity can be either directly or indirectly inferred, including any information that is linked or linkable to that individual.
- Sensitive Personal Information – A subset of Personal Information, which due to its nature has been classified by law, contract, or by C&WC policy as requiring additional privacy protections and Enhanced Safeguarding. Sensitive Personal Information may consist of: (i) government-issued identification numbers, (ii) banking and payment information, (iii) health, biometric and medical information, (iv) consumer credit information, (v) data elements revealing race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, genetic data, biometric data (when processed for the purpose of uniquely identifying an individual), and criminal records or allegations of crimes, and (vi) any other Personal Information designated by C&WC as Sensitive Personal Information.
- Enhanced Safeguarding – The implementation of more stringent physical, technical, and administrative measures against the risk of inadvertent or unauthorized disclosure of Sensitive Personal Information than the safeguards generally required because the inadvertent or unauthorized disclosure of Sensitive Personal Information would create a risk of substantial harm to the individual, including identity theft or financial fraud.
- Data subject – The person about whom Personal Information relates.
B. GOVERNANCE
- The Chief Operating Officer is responsible for the oversight of this Policy, the enterprise strategy to address operational and information privacy management risk, and the support of compliance with all data protection, privacy and information security laws and regulations.
- Each individual business line and department is responsible for following this Policy in order to address its specific activities involving the collection, use, disclosure, destruction, international transfer, exercise of rights and safeguarding of Confidential and Personal Information.
C. COLLECTION
- C&WC collects Confidential or Personal Information for the purposes of delivering services to clients, managing the infrastructure to support those services, and complying with legal and compliance obligations.
- The volume and type of Confidential or Personal Information collected depends on what is required or relevant for delivering services to clients. C&WC aims to collect only the minimum amount of Confidential and Personal Information for delivering services.
- Unless otherwise agreed, it is the responsibility of clients to ensure the lawfulness and fairness of any disclosure of Confidential and Personal Information to C&WC (including ensuring the lawfulness and fairness of any processing of that Confidential and Personal Information by C&WC). This includes obtaining any necessary consents from the Data Subject.
- The obligation to provide any relevant notices (e.g., to a Data Subject) or information concerning C&WC’s collection or use of Confidential or Personal Information rests on the client or third party. C&WC also relies on clients and third parties to provide accurate, complete and consistent Confidential or Personal Information.
- C&WC may also collect Personal Information from publicly available sources, including, but not limited to, public internet websites and databases, public or government sources, and news or open-source reporting.
D. USE
- C&WC uses Confidential and Personal Information only for providing services to clients, managing the infrastructure to support those services, and complying with legal and compliance obligations.
- C&WC acts on the instructions of clients when using Confidential and Personal Information. These instructions can be given orally or in writing, and their form and detail depend on both the services and the requests or requirements of the client. In the context of applicable privacy law, C&WC typically acts as a Data Processor/Service Provider to our clients.
- Unless otherwise agreed, C&WC may use certain Confidential and Personal Information for statistical benchmarking, industry intelligence and research purposes. Before doing so, C&WC will take reasonable measures to anonymize or aggregate the information.
- Although not a common feature for delivering services, C&WC complies with any requirements or restrictions from clients on the use of Personal Information to profile or make automated decisions on individuals.
E. RETENTION
- Where C&WC provides the client with the facility to access and delete Confidential and Personal Information processed on the client’s behalf, the client is responsible for deleting the Confidential and Personal Information when no longer required. In other cases, C&WC will delete Confidential and Personal Information at the end of any retention period agreed with the client, or in accordance with the client’s instructions in fulfilling Data Subject rights.
- C&WC may retain copies of Confidential and Personal Information to comply with legal requirements or for compliance or record-keeping purposes, in which case C&WC will retain such Confidential and Personal Information for as long as required by those legal requirements or to fulfil those purposes.
- In relation to Confidential and Personal Information held in backups or archives, C&WC operates a programmed destruction cycle, and selective deletion is not feasible. C&WC continues to safeguard the information throughout and in accordance with this Policy. Confidential and Personal Information held in backups or archives is not subject to any further processing.
F. DISCLOSURE
- Confidential and Personal Information is shared within C&WC with those individuals and departments who need to know. Disclosure depends on the nature of the information and the services being delivered.
- C&WC only discloses Confidential or Personal Information to outside organizations in the course of, or for the purposes of, delivering services to clients. C&WC may also disclose to third parties where required to by law or for compliance purposes.
- Such recipients include other C&WC group entities and affiliates, C&WC’s insurers and professional advisers, other advisers, or other third parties as instructed by clients, or organizations that provide C&WC with various outsourced business functions and technology.
- When C&WC discloses Confidential or Personal Information to a third party, the third party is authorized to use and further disclose the related Confidential or Personal Information only as necessary to provide their services to C&WC or as required by law.
- C&WC shall take appropriate actions to ensure that a third party protects Confidential and Personal Information that C&WC discloses to it. This includes the use of appropriate contracts and information security measures providing essentially equivalent levels of protection to those agreed to with our clients.
- If permitted by law and regulation, C&WC shall inform the relevant client or third party where it proposes to disclose Confidential or Personal Information as required by law or to respond to a government request.
- C&WC does not sell or share client Personal Information.
G. EXERCISE OF RIGHTS
- In the event that a person other than a client wishes to exercise any rights (such as of access or correction) under applicable privacy laws as regards Personal Information, C&WC will promptly notify the client so that the client can respond.
- If C&WC receives a complaint about the collection, processing or sharing of Personal Information or a request from a regulatory authority responsible for compliance with privacy laws, C&WC will, to the extent permitted by law, promptly notify the client so that the client can respond.
H. SAFEGUARDS
- C&WC collects, processes, maintains, shares (internally and externally), and destroys Personal Information in a manner that appropriately limits the risk of loss, theft, misuse, or unauthorized access.
- All C&WC Employees are contractually required to safeguard Confidential and Personal Information. In addition, certain Employees may be subject to additional professional obligations on compliance with laws and confidentiality.
- Where there has been a serious loss, misuse or other breach to the integrity and confidentiality of Personal Information likely to cause serious harm, C&WC shall comply with the requirement to notify the client either as agreed with the client or under applicable laws.
- C&WC raises awareness of the matters in this Policy through communications and training, and puts measures in place to ensure the reliability of Employees who access Confidential and Personal Information.
Interpretations of this Policy should be submitted to the Chief Operating Officer. The Chief Operating Officer will be responsible for interpreting any portions of this Policy as they may apply to specific situations.
1 Independent contractors are those independent vendors who assist the Company in the development and carrying out of business on a strategic basis. Independent contractors shall abide by this policy as part of the obligations assumed under their respective agreement with the Company. Should the independent contractor be a legal entity and not an individual, then such independent contractor shall cause and direct its associates linked to the services provided to the Company, if requested by the Company, to acknowledge and abide by this policy.
2 Compliance with this policy shall not be construed or interpreted as creating an employment relationship between an Employee and a particular Company entity where none otherwise exists. Compliance with this policy by an independent contractor or an officer or associate of such independent contractor shall not be construed or interpreted as creating an employment relationship between such independent contractor, or officer or associate of such independent contractor, and the Company.