About this privacy notice
At CREFC Europe we respect your privacy and are committed to protecting your personal data. This “privacy notice” explains what we do with your personal data, why we want to use it, how we protect it, and what rights you have to control our use of it.
It applies not just to our website, but also personal data that we process through other interactions with individuals in the course of running our organisation, such as employees of suppliers, member firms and sponsors, and other industry and wider stakeholder contacts. As a trade association, our website is not intended for children and we do not knowingly collect data relating to children.
Information about the data controller
This privacy notice is for the Commercial Real Estate Finance Council Europe (collectively referred to as "CREFC Europe", "we", "us" or "our" in this privacy notice). We collect, use and are responsible for certain personal data about you. When we do so we are regulated under the General Data Protection Regulation (“GDPR”), which applies across the European Union (including the United Kingdom) and we are responsible as “data controller” of that personal information for the purposes of the law.
We are based at 46 New Broad Street, London, EC2M 1JH. Our company number is 05191841. Our mission is to support and promote the commercial real estate lending industry in Europe, as more broadly outlined in Article 4 (Objects) of our Articles of Association.
If you want to contact us about any of the points on this notice, or just generally about how we protect your privacy, please email us at firstname.lastname@example.org.
The purpose and lawful basis for processing your personal data, how we collect it and how long we hold it for
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We use personal data from different categories of individual for several different purposes, each with its own lawful basis. This section describes these in detail and, although it’s technical, we’re required by law to explain this to you.
We maintain a website that provides information and industry updates. It also allows individuals to create online CREFC Europe accounts for use as individuals and also in relation to the work they undertake for their employers. If you ask us to we may create an account for you and send you a link to access it.
If you are a CREFC Europe account holder, we will hold your name, company, job title and contact details on the basis that it is necessary for our legitimate interests in supporting and promoting the commercial real estate lending industry in Europe through information provision and events. You will have provided these details through the account creation process. We need these details for the following purposes:
- Communication regarding events, news and updates;
- Gathering and dissemination of information relevant to our mission;
- To enable sign up for events and membership.
If you no longer require your account you can log in and delete it or email us at email@example.com. We will hold your information until you or we delete your account.
If you are an employee, worker or contractor of a CREFC Europe member or sponsor organisation, or if you work in the commercial real estate lending industry or for an organisation associated with our field of work, we may hold your name, company, job title and contact details (whether or not you have a CREFCE Europe account). We may have been provided with this data by you or your employer, a colleague of yours or a mutual contact, or in some cases from publicly available sources, such as LinkedIn and internet searches. We need this data in order to interact with you or your employer for the following purposes:
- To organize and fund industry events, membership and working groups;
- To communicate with interested people regarding events, news and updates; and
- To gather and disseminate information and share knowledge relevant to CREFC Europe’s mission.
We do this on the basis that it is necessary for our legitimate interests in supporting and promoting the commercial real estate lending industry in Europe. We will hold your details for as long as we need to interact with you for these purposes. In all cases if you would like us to delete your information and cease processing, just drop us an email at firstname.lastname@example.org.
If you are a supplier, we may hold your name and contact details because we have a legitimate interest in doing business with your company. Our purpose for processing your personal data is to interact with you or your employer to procure and pay for goods and services. We will aim to hold this information for as long as we need to interact with you.
If you visit our website
We use Google Analytics on our website to track user activity on our site, so we can improve our service. We record your computer’s IP address so we can tell how each user and repeat visitor is using our site (your IP address is also a piece of your personal data). We do this on the basis that it is necessary for our legitimate interests in tracking user journeys on the site so that we can improve our service. The IP information will be held in accordance with Google’s standard procedures.
Whether information has to be provided by you and if so why
We need to collect certain personal data from you if wish to request to attend our events or receive the benefits of our industry updates and engagement emails and working groups. If you do not provide the personal data requested, you will not be able to benefit from those events or services. In some cases where we are required to collect personal data by law or under a contract with you or your employer, if you fail to provide the personal data requested we will not be able to perform the contract we have or are trying to enter into with you or your employer.
Who we share your personal data with
We use a number of different service providers (acting as ‘data processors’) who provide IT and system administration services to enable us to operate our business and the services we provide to our users and partners. Your personal data is transferred to (and stored by) these data processors, who generally fall under the following categories:
- Website analytics service providers
- Website and data hosting service providers
- Document storage service providers
- Email, contacts and calendar service providers
- CRM service providers
- Accounting software service providers
We may from time to time give access to our systems on a basis that includes access to your data to a prospective or potential provider of services such as those listed above, in which case the relevant provider will be required to treat the data as confidential and will not be permitted to use it for any other purpose.
For security reasons we do not name all our service providers in this privacy notice. The types of personal data we hold about you (and that may be transferred to our data processors) are set out above. Please contact us (see below) if you want further information on specific data processors or the types of personal data they process for us.
If you attend one of our events
The name, position and company of attendees at our events are usually shared with other participants and may be shared on our website or an event app.
If the event is co-organised with or hosted by another organisation then the name, position and company of attendees may also be shared with that partner organisation to enable access and name badges etc.
We would not normally share your contact details in such cases.
If you participate in one of our committees, industry working groups, meetings or collective initiatives
Your name and contact details will be shared with other participants in emails and you may be identified in documents or other materials produced by or on behalf of the relevant group.
Other circumstances in which we may need to share personal data with third parties
We may also share your personal data with the following third parties in certain circumstances:
- We will share personal information with law enforcement or other authorities (such as tax authorities) if required by applicable law.
- We will share personal information with consultants and other third parties who are supporting our work in particular areas, for that purpose, and if and to the extent that we consider doing so to be appropriate to allow us to carry out our activities (with the assistance of such consultant or other third party). In such cases, the consultant or other third party will be required to respect the terms of this policy and to treat your information as confidential.
- In the unlikely event that we may seek to sell, transfer or merge all or part of our organisation or assets with a third party, we may share personal information with such a third party. If such a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- We may share personal information with professional advisors such as lawyers, accountants or auditors in order to provide legal, accounting or auditing services.
We will not sell or rent your information to third parties and we will never share your information with third parties for marketing purposes.
International transfers of personal data, and the measures in place to safeguard it
We do not directly transfer any of your personal data outside the European Economic Area (EEA). However, some of our data processors may do so and this section explains the impact of these international transfers and how your information is protected.
Many of our data processors operate “cloud-based systems”, which means the information is held in information data centres in different locations.
The cloud-based systems we use generally reserve the right to hold copies of your personal information outside the EEA. The reason companies may choose to do this is to hold back-up copies, so they can guarantee recovery.
In each case our processors and/or we employ one or more of the following means that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of abuse:
- Certain processors may only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Providers storing data in the US, may be self-certified to the EU-US Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us (see below) if you want further information on the specific mechanisms used by our data processors when transferring your personal data out of the EEA.
Your personal data rights
The personal data we hold about you is your data, so you have certain rights over the data under the GDPR. This section summarises your rights and how you can exercise them (generally free of charge).
You have the right to request a copy of all personal data we hold relating to you. You also have the right to require us to correct any mistakes in the personal data we hold relating to you.
Where we are processing your data based on your consent you can withdraw that consent and we must immediately stop processing your data. Please note that up to that point, we’re acting lawfully with your consent, withdrawal of consent cannot be backdated.
Where we process your data based on a “legitimate interest” (underlined in the section on “purpose and lawful basis”, above) you still have the right to object to our processing of that data if you feel it impacts on your fundamental rights and freedoms.
You also have the right to object where we are processing your personal data for direct marketing purposes. The easiest way to do this is to use the unsubscribe links at the bottom of all marketing emails.
In certain situations, you have the right to require us to erase personal data where there is no good reason for us continuing to process it. However, note that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Subject to that point, we will generally be happy to correct, update or erase your personal data if you ask us to do so.
You have the right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) where you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Finally, you have the right to request the transfer of your personal data to you or a third party in a structured, commonly used, machine-readable format. Note that this right only applies to automated processing of information about you, which we carry out based on your consent or where it is necessary to perform a contract with you.
For further information on each of these rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.
If you would like to exercise any of these rights, the easiest way is by dropping us an email at email@example.com. Please note:
- We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
- We try to respond to all legitimate requests quickly, but in any event within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
- If you have a CREFC Europe online account, once logged in you have the option to delete it. This will delete the personal data we hold about you in the account and you should no longer receive group emails from us unless you re-subscribe.
- If you would like to unsubscribe from our newsletters or marketing emails you can also click on the ‘unsubscribe’ button at the bottom of the email. It may take several days for this to take place.
Your rights to lodge a complaint with the Regulator
At all times, you have the right to report a concern or lodge a complaint with the Information Commissioner’s Office. Please refer to the ICO at https://ico.org.uk/concerns/ or by calling them on 0303 123 1113.
Of course, we hope that we can resolve your issue quickly and fairly – you can contact us at firstname.lastname@example.org.
Automated processing of your personal data
We do not undertake any automated processing of personal data, or profiling, within the CREFC Europe online accounts. Mailchimp has capabilities to undertake some automated communications activities. You are able to manage the information you receive from us through this channel at any time by using the “unsubscribe” or “manage your preferences” links.
Note that you have a right to object to any decisions being taken through the processing of your personal data by automated means if they produce legal effects concerning you or similarly significant effects on you. We do not use your personal data in a way that makes such decisions.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. In addition, we limit access to your personal data to those employees, consultants, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Changes to this privacy notice
This privacy notice was last updated on 7 April 2022 and any historic versions can be obtained by contacting us.
We may change this privacy notice from time to time by amending this page.
How to contact us
If you have any questions, concerns or just want some more information about our privacy management, drop us a line at email@example.com.