Under the Data Protection Legislation, we are required to provide an explanation as to why we require you to provide certain personal information (also known as “personal data”) relating to you; how we intend to use the personal information you provide to us; and whether or not we will share that information with anyone else.
Data Protection Legislation
In these privacy statements, “Data Protection Legislation” means all laws, subordinate legislation, enactments and regulations relating to the processing, privacy and use of personal data, as applicable to GSA, as in force and applicable from time to time and as the same may be amended, supplemented or replaced.
Who we are?
Global Student Accommodation Group Limited is the ultimate holding company of its group companies, together known as “GSA”. GSA develops, operates and manages student accommodation and investments in student accommodation globally.
Any reference to GSA in this statement includes Global Student Accommodation Group Limited and all other companies within the GSA group of companies.
Should you wish to contact us, our address is: GSA Group, 5 Old Bailey, London, United Kingdom, EC4M 7BA should you wish to contact us in writing. Alternatively, you may contact us by visiting the “Contact Us” section of this website.
GSA is registered with the Information Commissioner’s Office in the United Kingdom.
This privacy statement applies to personal information collected by GSA. It does not apply to any personal information that is collected by third parties, individuals, other organisations or other websites which GSA may be linked from or linked to. In the case of any third parties collecting your personal information, their own privacy policies will apply.
What information are we collecting?
GSA limits the personal information it collects to the personal information required to provide the services you have requested. You may provide that information to us via our website enquiry form, over the telephone, via email, in person or through an application form. The types of personal information we collect may include, for example:
Address and contact details; and
Employer(s) details (if applicable).
Under no circumstances will GSA collect special categories of personal information, such as information concerning your health, which are known as sensitive personal data, unless specifically stated on that particular GSA group company’s website, and then only with your explicit consent.
Why are collecting your information?
In order to provide you with the service you have requested, GSA requires certain personal information be shared with us. Such personal information may be provided to us via channels such as email, our website enquiry form, over the telephone, in person or when completing an application form. Without this information, it would not be possible for us to provide you with the service you have requested.
What do we do with your information?
GSA will use the personal information you provide to us in the following ways:
To contact you in response to your initial enquiry, and any other follow up communications between us; and
To engage and make contact with you in the method you have requested.
It will be used by us in accordance with this privacy statement and also in accordance with your rights under the Data Protection Legislation.
The personal information we collect from you will be securely stored by us in accordance with our internal data protection policies and procedures which have been assessed to ensure they meet the requirements set out under the Data Protection Legislation.
Do we share your personal information?
Members of the GSA group of companies
GSA operates globally and, as such, has a number of subsidiary companies in various jurisdictions around the world. Your personal information may be shared amongst GSA group companies but only where it is appropriate to do so to provide the services you have requested. The obligations set out within these privacy statements apply to all GSA group companies, whether or not they are in the EEA.
Our offices include jurisdictions outside the European Union which have not been deemed adequate for European Data Protection purposes (namely the United Arab Emirates and Hong Kong). GSA operates a global Data Protection Policy which complies with the Data Protection Legislation, and those offices are required to meet the same standards as other GSA group companies globally.
For further information on which companies make up GSA, please contact the Data Protection Officer at firstname.lastname@example.org
Third-Party Service Providers
It may be necessary for GSA to share your personal information with our service providers in order to provide you with the services you have requested. GSA will only share such personal information with such service providers to the extent required to enable us to provide the services you have requested. GSA has assessed its service providers to ensure they have appropriate data protection safeguards and frameworks in place to allow them to comply with the requirements of the Data Protection Legislation.
Within the terms and conditions of our contracts with our service providers, it is clearly stated that such service providers are not permitted to share your personal information with any other parties and are only to use the information in the course of their work on behalf of GSA.
Regulators and other legal obligations
We may, from time to time, also be required to share your information with regulators, crime prevention agencies and other organisations who are permitted access to such personal information as a matter of law.
Do we transfer your personal information abroad?
GSA may transfer the information you provide to other GSA group companies outside of the EEA as previously stated. GSA operates a global Data Protection Policy which all GSA group companies must comply with. This ensures the safe handling of your personal information outside of the EEA in compliance with the Data Protection Legislation.
What security measures concerning your personal information do we have in place?
GSA ensures that any personal information you provide to us is securely stored on our systems and servers and that any paper-based records of your personal information will be stored and destroyed in accordance with our data retention policies and procedures. We treat data security with the utmost seriousness and take appropriate measures to implement industry leading standards to protect your personal information.
GSA further ensures that only relevant members of staff have access to your personal information. This is achieved by our Data Access Policy which provides that your personal information will only be available to relevant members of staff who have a legitimate reason for accessing your personal information.
Can GSA use your information for any other purpose?
GSA may wish to market its products and services to you. However, if you do not positively opt to receive such marketing, we will not contact you for this purpose.
GSA will not use your personal information for any purpose other than providing the services you have requested or responding to the query you have raised and, if you have explicitly consented for it to do so, for its own marketing purposes.
How does GSA store your personal information and when does GSA delete it?
GSA stores your personal information on a database that is specific to your enquiry. That database provides us with your personal information and allows us to respond to your enquiry as well as sending you marketing emails, but only if you have opted to receive such materials. Your personal information is stored in accordance with our Data Retention Policy which states that, following an enquiry from you, we will hold your data for no more than 12 months unless you subsequently enter into a contract with us. At the end of the 12-month retention period, if you have not entered into a contract with us, your personal information will be destroyed and/or deleted from our records.
In certain circumstances, GSA also has various regulatory obligations which dictate the length of time your personal information is held on our systems and servers.
What are your rights?
The GDPR provides individuals with the following rights:
The right to be informed
This provides you with the right to be informed about the collection and use of your personal data, the purposes for which we process your personal information, our retention periods in relation to your personal information and those with whom we will share your personal information.
The right of access
You have the right to access the personal information we hold on you, together with certain supplementary information. This allows you to be aware of and verify the lawfulness of the processing of your personal information by GSA and the accuracy of the personal information we hold on you.
The right to rectification
If any of the personal information we hold on you is inaccurate or incomplete, you have the right to require that it be corrected and completed as appropriate. You can make a request for us to rectify your personal data verbally or in writing and GSA has one calendar month to respond to your request for rectification.
The right to erasure
Under the Data Protection Legislation, you have the right to request that your personal information is erased from our systems and servers (this is also known as ‘the right to be forgotten’). Where your personal information has been shared by GSA with third parties (either other companies within the GSA group or our third-party service providers), you also have the right to request that your personal information will be deleted by these third parties. As per your right to rectification, you can request us to erase your personal information verbally or in writing and GSA has one calendar month to respond to your request for erasure. Please note that this right is not absolute and only applies in certain circumstances.
The right to restrict processing
You have the right to request that GSA restricts or supresses your personal information. Again, you can request that we restrict our processing activities either verbally or in writing and GSA has one calendar month to respond to your request. Again, this right is not absolute and only applies in certain circumstances. For example, you may decide that you do not want us to use your personal information for marketing purposes. This would involve us deleting your personal information from our marketing databases.
The right to data portability
Under the Data Protection Legislation, you have the right to obtain and reuse your personal information for your own purposes. That right allows you to move, copy or transfer your personal information easily from one IT environment to another in a safe and secure way, without hindering its usability. This information must be provided free of charge and be provided within one calendar month of request.
The right to object
You have the right to object to your personal information being processed for direct marketing (including profiling). Upon request, GSA is obliged to stop processing your personal information for such purposes and do so free of charge.
Rights in relation to automated decision making and profiling
The Data Protection Legislation contains rules which aim to protect individuals where there is solely automated decision-making that has legal or similarly significant effects on them. GSA does not carry out this type of personal information processing. However, if you have any concerns that your personal information is being used for this type of activity then please contact the GSA Data Protection Officer at email@example.com.
In short, you have the right to
Request access to your personal information
Request we rectify any inaccurate or incomplete personal information
Request that we erase the personal information we hold on you and take steps to ask others with whom we have shared your information to also erase it
Request that we limit what we do with your personal information
Object to our use of your personal information and ask us to stop that use
Instruct us to provide you with the information we hold about you in a structured and commonly used format or transmit that information directly to another organisation.
Our obligations to comply with the above rights are subject to certain exemptions and further information on these exemptions can be obtained by contacting the GSA Data Protection Officer at firstname.lastname@example.org.
In the event that GSA is using your personal information because you have provided consent for us to do so, you can withdraw that consent at any time. This can be done either in writing or verbally by telephone at any time. The lawfulness of our use of your information before consent was withdrawn is not affected.
To exercise any of the rights referred to above, you should contact our Data Protection Officer either in writing to: The Data Protection Officer, GSA Group, 5 Old Bailey, London, EC4M 7BA or by email to email@example.com.
You also have the right to complain to the Information Commissioner’s Office (the “ICO”) if you are not satisfied with the way in which we use your personal information. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
What is the legal basis for using your information?
GSA is required to have a “legal basis” for collecting, processing and storing your personal information. Under the Data Protection Legislation, there are six available lawful bases which allow for us to process personal information. These are:
Public task; and
GSA will respond to your original enquiry and any further follow ups related to that original enquiry through Legitimate Interests. If you have consented to us contacting you for marketing purposes, the legal basis for us contacting you for such purposes is Consent.
GSA’s Data Protection Officer
GSA’s Data Protection Officer has responsibility for overseeing what GSA does with your personal information and ensuring that GSA collects, retains and processes your personal information in compliance with the Data Protection Legislation.
In the event that you have any concerns or queries regarding how GSA uses your personal information, or you have any questions as to how GSA approaches its obligations under the relevant data protection laws, you can contact the GSA Data Protection Officer by writing to: The Data Protection Officer, GSA Group, 5 Old Bailey, London, EC4M 7BA. Alternatively, you can email the GSA Data Protection Officer at: firstname.lastname@example.org