Last Updated: 19 August 2021
Under the Data Protection Legislation, we are required to provide an explanation as to why we require you to provide certain personal information (also known as “personal data”) relating to you; how we intend to use the personal data you provide to us; and whether or not we will share that personal data with anyone else.
Data Protection Legislation
Who are we?
GSA International Limited is the holding company of the real estate and investment management businesses of the Global Student Accommodation Group, together known as “GSA”. GSA develops and manages student accommodation and investments in student accommodation globally.
Any reference to GSA in this policy includes GSA International Limited and its subsidiary companies.
Should you wish to contact us, our address is: GSA International Limited, Portman House, 2 Portman Street, London W1H 6DU, should you wish to contact us in writing. Alternatively, you may contact us by visiting the “Contact us” section of this website.
GSA is registered with the Information Commissioner’s Office in the United Kingdom.
What information are we collecting?
GSA limits the personal data it collects to the personal data required to provide the services you have requested. You may provide that information to us via our website enquiry form, over the telephone, via email, in person or through an application form. The types of personal data we collect may include, for example:
- Contact details
- Employer(s) details (if applicable)
Under no circumstances will GSA collect special categories of personal data, such as information concerning your health, which are known as sensitive personal data.
Why are we collecting your information?
In order to provide you with the service you have requested, GSA requires certain personal data be shared with us. Such personal data may be provided to us via channels such as email, our website enquiry form, over the telephone, in person or when completing an application form. Without this information, it would not be possible for us to provide you with the service you have requested.
What do we do with your information?
GSA will use the personal data you provide to us in the following ways:
- To contact you in response to your initial enquiry, and any other follow-up communications between us
- To engage and make contact with you in the method you have requested
The personal data we collect from you will be securely stored by us in accordance with our internal data protection policies and procedures which have been assessed to ensure they meet the requirements set out under the Data Protection Legislation.
Do we share your personal data?
Members of the GSA group of companies
GSA has offices in jurisdictions outside the European Union which have not been deemed adequate for European Data Protection purposes (namely the United Arab Emirates and Hong Kong). GSA operates a global Data Protection Policy which complies with the Data Protection Legislation, and those offices are required to meet the same standards as other GSA Group companies globally.
For further information on which companies make up GSA, please contact the Data Controller at email@example.com.
Third-party service providers
It may be necessary for GSA to share your personal data with our service providers in order to provide you with the services you have requested. GSA will only share such personal data with such service providers to the extent required to enable us to provide the services you have requested. GSA has assessed its service providers to ensure they have appropriate data protection safeguards and frameworks in place to allow them to comply with the requirements of the Data Protection Legislation.
Within the terms and conditions of our contracts with our service providers, it is clearly stated that such service providers are not permitted to share your personal data with any other parties and are only to use the information in the course of their work on behalf of GSA.
Regulators and other legal obligations
We may, from time to time, also be required to share your information with regulators, crime prevention agencies and other organisations who are permitted access to such personal data as a matter of law.
Do we transfer your personal information abroad?
GSA may transfer the information you provide to other GSA companies outside of the EEA as previously stated. GSA operates a global Data Protection Policy which all GSA companies must comply with. This ensures the safe handling of your personal information outside of the EEA in compliance with the Data Protection Legislation.
What security measures concerning your personal information do we have in place?
GSA ensures that any personal data you provide to us is securely stored on our systems and servers and that any paper-based records of your personal data will be stored and destroyed in accordance with our data retention policies and procedures. We treat data security with the utmost seriousness and take appropriate measures to implement industry leading standards to protect your personal information.
GSA further ensures that only relevant members of staff have access to your personal data. This is achieved by our Data Access Policy which provides that your personal data will only be available to relevant members of staff who have a legitimate reason for accessing your personal information.
Can GSA use your information for any other purpose?
GSA may wish to market its products and services to you should you be eligible for such marketing. However, if you do not positively opt to receive such marketing, we will not contact you for this purpose.
GSA will not use your personal data for any purpose other than providing the services you have requested or responding to the query you have raised and, if you have explicitly consented for it to do so, for its own marketing purposes.
How does GSA store your personal data and when does GSA delete it?
GSA stores your personal data on a database that is specific to your enquiry. That database provides us with your personal data and allows us to respond to your enquiry as well as sending you marketing emails, but only if you have opted to receive such materials and only if you are eligible to receive such materials. Your personal data is stored in accordance with our Data Retention Policy which states that, following an enquiry from you, we will hold your data for no more than 12 months unless you subsequently enter into a contract with us. At the end of the 12-month retention period, if you have not entered into a contract with us, your personal data will be destroyed and/or deleted from our records.
In certain circumstances, GSA also has various regulatory obligations which dictate the length of time your personal data is held on our systems and servers.
What are your rights?
The GDPR provides individuals with the following rights:
- The right to be informed
This provides you with the right to be informed about the collection and use of your personal data, the purposes for which we process your personal data, our retention periods in relation to your personal data and those with whom we will share your personal data.
- The right of access
You have the right to access the personal data we hold on you, together with certain supplementary information. This allows you to be aware of and verify the lawfulness of the processing of your personal data by GSA and the accuracy of the personal data we hold on you.
- The right to rectification
If any of the personal data we hold on you is inaccurate or incomplete, you have the right to require that it be corrected and/or completed as appropriate. You can make a request for us to rectify your personal data verbally or in writing and GSA has one calendar month to respond to your request for rectification.
- The right to erasure
Under the Data Protection Legislation, you have the right to request that your personal data is erased from our systems and servers (this is also known as “the right to be forgotten”). Where your personal data has been shared by GSA with third parties (either other companies within the GSA group or our third-party service providers), you also have the right to request that your personal data will be deleted by these third parties. As per your right to rectification, you can request us to erase your personal data verbally or in writing and GSA has one calendar month to respond to your request for erasure. Please note that this right is not absolute and only applies in certain circumstances.
- The right to restrict processing
You have the right to request that GSA restricts or supresses your personal data. Again, you can request that we restrict our processing activities either verbally or in writing and GSA has one calendar month to respond to your request. Again, this right is not absolute and only applies in certain circumstances. For example, you may decide that you do not want us to use your personal data for marketing purposes. This would involve us deleting your personal data from our marketing databases.
- The right to data portability
Under the Data Protection Legislation, you have the right to obtain and reuse your personal data for your own purposes. That right allows you to move, copy or transfer your personal data easily from one IT environment to another in a safe and secure way, without hindering its usability. This information must be provided free of charge and be provided within one calendar month of request.
- The right to object
You have the right to object to your personal data being processed for direct marketing (including profiling). Upon request, GSA is obliged to stop processing your personal data for such purposes and do so free of charge.
- Rights in relation to automated decision making and profiling
The Data Protection Legislation contains rules which aim to protect individuals where there is solely automated decision making that has legal or similarly significant effects on them. GSA does not carry out this type of data processing. However, if you have any concerns that your personal data is being used for this type of activity then please contact the Data Controller at firstname.lastname@example.org.
In short, you have the right to
- Request access to your personal data
- Request we rectify any inaccurate or incomplete personal data
- Request that we erase the personal data we hold on you and take steps to ask others with whom we have shared your information to also erase it
- Request that we limit what we do with your personal data
- Object to our use of your personal data and ask us to stop that use
- Instruct us to provide you with the information we hold about you in a structured and commonly used format or transmit that information directly to another organisation
Our obligations to comply with the above rights are subject to certain exemptions and further information on these exemptions can be obtained by contacting the Data Controller at email@example.com.
In the event that GSA is using your personal data because you have provided consent for us to do so, you can withdraw that consent at any time. This can be done either in writing via email to firstname.lastname@example.org or by way of mail to the below address, or verbally by telephone at any time. The lawfulness of our use of your information before consent was withdrawn is not affected.
To exercise any of the rights referred to above, you should contact our Data Controller either in writing to: The Data Controller, GSA International Limited, Portman House, 2 Portman Street, London W1H 6DU or by email to email@example.com.
You also have the right to complain to the Information Commissioner’s Office (ICO) if you are not satisfied with the way in which we use your personal data. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
What is the legal basis for using your information?
GSA is required to have a legal basis for collecting, processing and storing your personal data. Under the Data Protection Legislation, there are six available lawful bases which allow for us to process personal data. These are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
GSA will respond to your original enquiry and any further follow-ups related to that original enquiry through Legitimate interests. If you have consented to us contacting you for marketing purposes, the legal basis for us contacting you for such purposes is Consent.
GSA’s Data Controller
GSA’s Data Controller has responsibility for overseeing what GSA does with your personal data and ensuring that GSA collects, retains and processes your personal data in compliance with the Data Protection Legislation.
In the event that you have any concerns or queries regarding how GSA uses your personal data, or you have any questions as to how GSA approaches its obligations under the relevant data protection laws, you can contact the GSA Data Controller by writing to: The Data Controller, GSA International Limited, Portman House, 2 Portman Street, London W1H 6DU. Alternatively, you can email the GSA Data Controller at firstname.lastname@example.org.