Privacy statement

Under the definitions in the GDPR, The Crown Estate is the Data Controller for the personal data we collect and process about you. This means that we decide the purpose for which we require your personal data and are responsible for communicating to you why we have collected your personal data.  

We will not collect any personal data about you except where it is specifically and knowingly provided by you, for example: 

• if you request information from us 

• fill in an online or paper form  

• when you visit or provide feedback via our website or social media channels 

• When you provide it to one of our managing partners or suppliers 

• When you have given Third Parties consent to share it with us 

We may collect and process the following data about you: 

• Information that you provide by filling in a form/s or providing information online to register an interest or to request further information or offers. 

• Information you provide when you contact us by telephone, email, web form or letter, including your contact details. 

• If you visit one of our sites, CCTV images and ANPR information we collect for health and safety and security purposes and to help us understand how our customers use our facility. We will also collect information to provide you with wi-fi services and for customer analysis at our sites. 

• Information you provide by responding to questionnaires, surveys and competitions and attending events. 

• Information you provide as part of your employment with us. 

• Information you may provide as part of a tenancy with us. 

• Photography of audio/video recordings of you, for example at one of our events. 

In some circumstances we may also collect special category or “sensitive” data about you and may include:  

• Your racial or ethnic origin 

• Your religious beliefs 

• Your medical data  

 Where we collect special category data about you, we will be clear as to why we need it and will only process under a specific lawful basis.  If you visit one of our dedicated consumer websites or The Crown Estate websites, further information may be collected – please refer to the section below where we explain the information, we may collect via each website. When personal data is collected, it may be used by us to process and fulfil requests for information or to help us to develop or personalise the website to make it more useful to you. If you complete a form on any of The Crown Estate websites, you will be told why and how we will process the personal data you submit before you submit it. 

We use information about you in the following ways: 

• To provide you with information on products, services offers and events provided by us or our retail tenants that you request or which we feel may interest you where you have consented to be contacted for such purposes. 

• To notify you about changes to our service. 

• To carry out obligations arising from contracts, leases or agreements entered between you and The Crown Estate. 

• To perform surveys and analysis with the aim of improving the services we provide. 

• To ensure that your visit to our site is safe and secure. 

• To manage your tenancy or employment. 

• To process freedom of information requests and individual rights requests under the data protection legislation 

We may give your personal data to third parties where: 

• It is necessary for them to provide you with services on our behalf. 

• They provide profiling of our customer base so we can understand our customers better. 

• We sell or buy any business or assets; in which case we may disclose your personal data to the prospective buyer or seller of such business or assets as far as they relate to them. 

• We are under a duty to disclose or share your personal data to comply with any legal obligation or to enforce agreements or contracts or to protect our rights, our property, or the safety of our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud prevention and credit risk reduction. 

The Crown Estate may process your personal data via internet applications such as Facebook, X (formerly Twitter), Instagram, LinkedIn, and YouTube. 

You may provide personal data to us in the following way:  

• By liking our social media pages 

• By following our social media pages 

• By sharing personal data when posting comments on our social media pages 

• By contacting us through our social media pages 

• By emailing us at one of our email addresses listed on our social media pages 

We may collect the following personal data about you when you interact with any of our social media pages:  

• Name 

• Email address 

• Mailing address 

• Profile photo 

• Username or Login ID’s 

• Company, job title, organisation, gender 

• IP address 

• Geographic location 

We use a social media management platform Orlo to help us to review and respond to social media interactions and they will process associated social media posts on our behalf.  This is done under agreement with the third-party provider which includes all appropriate safeguards to protect your personal data. 

We will process your personal data under one of more of the following lawful bases:  

• Where you have given us clear, informed consent 

We will ask for your informed consent using clear plain language at the point of collection via privacy statements, so you fully understand what you are consenting to. We will also explain your right to withdraw your consent at any time and how you can do that.  

• The processing is necessary for the performance of a task carried out in the public interest 

We may also process your personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller  

• The processing is required for the performance of a contract 

We may process your personal data as part of an agreement we have with a supplier or contractor. The Crown Estate will ensure that such suppliers or contractors process your personal data in line with data protection laws. This will also apply to the processing of personal data in relation to a tenancy agreement.  

• We have a legal obligation to process the data 

We may need to share your personal data in exceptional circumstances to comply with the law. For example, we may be obliged to share personal data with law enforcement agencies or courts where it may assist them with an investigation. 

• The processing is necessary for your vital interest or the vital interests of other 

We have a responsibility to ensure that individuals are safe therefore we may not always be able to keep information you provide confidential. If we consider that you have given us information about yourself or another person which puts yourself or anybody else at risk from harm, we may need to tell someone who can help.   Another example may be where someone has become ill or injured at any of our sites and we may need to provide personal data to paramedics, health care staff or next of kin.   

• We have a genuine and legitimate reason, and we are not harming any of your rights and interests 

There may be activities that we carry out that are in the legitimate interests of The Crown Estate, or which are in your legitimate interests for example for fraud prevention and ensuring network and information security as well as business to business contact.   Whenever we use this lawful basis to process your personal data, we will carry out a balancing exercise to ensure that we consider the impact on your rights and freedoms and do not override these. 

If you send us an email (e.g. to request information or provide feedback on website content), the information you provide will be used to help us gather the information requested and to respond to your message. 

The Crown Estate monitors and scans emails, using automated monitoring techniques, for malicious software and unsuitable material. The Crown Estate monitors all its digital systems in accordance with relevant laws and for applicable regulatory and business purposes. 

We may refer to, or establish relations with, other companies, organisations and public bodies that will enable you to access their websites directly from ours. Each company, organisation or public body will operate its own policy regarding the use of cookies and collection and use of information. If you have any concerns regarding the way in which your data will be used, you are advised to read the privacy statement on the relevant website. 

We will try to provide you with links to high quality, reputable websites which we think will be of interest and relevance to you. However, please note that such third-party websites are not under our control, and we do not contribute to the content of such websites. We cannot accept responsibility for any issues arising in connection with the third party's use of your data, the website content or the services offered to you by these websites. 

The Crown Estate conducts research to monitor performance and inform decision making. This includes, but is not limited to, surveys, focus groups, interviews, observation, and ethnography which may be conducted in person, online, via telephone or by post. The Crown Estate considers it in our public interests (or legitimate interests) to carry out research of this nature. 

Participation in research is voluntary and you can request to be withdrawn at any time without giving a reason. We will always tell you at the beginning of the research how your personal data will be used. Some of our research findings may be published. It will not be possible to identify research participants from the research findings we produce, unless consent has been expressly given by those participants in advance.  

The Crown Estate may also publish case studies. These case studies are used to get across an individual's story or experience and may be used in printed marketing materials, on our online channels and social media platforms, as well as with other third-party media channels. Participation in case studies is voluntary, and consent is actively sought at the start of any of these conversations and before publication.  The Crown Estate may also use your personal data to optimise and improve its services, by performing analysis and extracting insight from that analysis. The Crown Estate takes great care in ensuring that any analysis is in the public interest and particularly in the interest of advancing The Crown Estates function and its obligations. 

You have the following rights under the GDPR: 

Right to be informed – told in a clear and transparent way how we process your personal data. 

Right of access – you can request a copy of the personal data we hold about you. This includes a description of the data being processed, the purposes of processing and any recipients to whom the data is disclosed.  

Right to object - You can ask us not to process your personal data for direct marketing purposes. You will be given an opportunity to opt in to processing for direct marketing purposes when you first engage with us. However, you can withdraw your consent to receive marketing material at any time  

Right of rectification – you can update or amend the personal data we hold about you if it is incorrect.  

Right to erasure – you can ask us to delete your personal data from our records. This right is subject to exemptions under the GDPR and is not a blanket request as we may have a legal obligation to retain some personal data.  

Right to restrict processing – in some circumstances you can ask us to stop using your personal data  

Right related to automated decision making and profiling - you can request to not be subject to a decision when it is based on making a decision solely by automated means without any human involvement and/or automated processing of personal data to evaluate certain things about an individual 

To exercise any of the above rights please submit your request to dataprotection@thecrownestate.co.uk. 

We will only transfer your personal data out of the UK where appropriate safeguards have been put in place to ensure that your personal data and your privacy rights are protected.

We would like to tell you about what we do and send you information about our news, offers, events, invitations, surveys and insights and any other updates you subscribe to. If you agree to receive marketing information from us, you can always change your mind later.  

We will not use your personal data to send you marketing communications if you have told us that you do not want to be contacted for this purpose. 

You can change your marketing preferences, such as the method by which we contact you or what you would like to hear from us about or opt out of receiving marketing communications from us at any time by clicking in the link of your communication to select your preferences. For information on objecting to processing or withdrawing your consent, please see the information on Your Rights above.  

Where you choose to opt out or unsubscribe from our communications, we will stop sending you marketing communications.  

To help protect your privacy, we maintain physical, technical, and administrative safeguards. These safeguards are designed to prevent unauthorised access, disclosure, use and modification of data. We regularly review our security procedures and consider appropriate innovative technologies and methods. 

We train our employees about the importance of confidentiality and maintaining the privacy and security of your information, and your personal data is only accessed by appropriately trained staff. 

We carry out comprehensive checks on all our partners and other suppliers we use who process your personal data on our behalf. All sharing of personal data is done under contract which sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to on our behalf.

We will ensure that your personal data is only kept for as long as is necessary for the purpose we collected it from you, and that it is securely destroyed in accordance with our retention schedule. Where possible we will inform you of how long we will retain the personal data you are providing to us. 

In some cases, we may be legally required to hold on to some personal data for longer to fulfil statutory obligations e.g. where we are required to keep it under the law. 

To keep up to data with changes in the law or any changes in the way in which The Crown Estate processes your personal data we may update this Privacy Policy. Any changes to the privacy policy will be posted here and will take effect immediately. We recommend that you periodically check this policy to ensure that you are aware of any changes to it. Where we make any significant changes in the way in which we process your personal data we may contact you so that you are aware.  

This section of our Privacy Policy covers how we may process your personal data when you visit one of our retail destinations including our regional retail parks and shopping centres, Regent Street and St James’s. It also covers our visitor destinations at Windsor. 

Wi-fi in our retail parks and shopping centres 

Wi-fi at The Savill Garden and Adventure Play Visitor Centre is owned and operated by The Crown Estate. We only collect the information we require to log you onto our free wi-fi, and we do not use that information to send you direct marketing, nor do we share that information with anyone else. 

Wi-fi at our regional retail parks and shopping centres is provided by a range of providers and further details are available at the dedicated websites for each regional site. 

How do we collect personal data about you?  

Entering a competition or promotion hosted by ourselves or our third parties:   You may provide us with personal data when you subscribe to these services either online or through a physical form. You will be provided with the terms and conditions for each competition or promotion you enter which will tell you how we process the information you give us. 

Feedback:   Providing feedback to us through our email, online and face-to-face surveys where you may be given the opportunity to provide your contact details and opt in to receive direct marketing. You can also provide us feedback through writing to us or one of our retail centres with your incidents, complaints, comments, and suggestions at the address provided on each of the websites dedicated to a particular site. 

Website usage:   We may also collect personal data from you automatically when you access and use our websites, including the time and duration of your visit, the referring URL, your Internet Protocol (IP) or MAC address, the type of device you use and its operating system. As with most websites, we also operate cookies on our sites and further details can be found in the section on cookies below. Each of our websites carries a privacy notice and cookies notice detailing the cookies in use on that site. 

Enrolling for an event:   We may collect your name and contact details if you wish to participate in an event. This data may be captured on a third-party booking system.  

Promotional photography:   We may take photographs of you when you attend one of our events. Signs will be on display during the even to advise you when photographs are being taken, and if you have concerns or do not wish to be photographed, please raise these with a member of our staff at the event.  

Interaction with social media:   Depending on the privacy setting you have applied in your social media accounts, and based on the content that you choose to share, when you interact with our social media presence we will have access to your user generated content, such as posts, comments, pages, profiles, and images. Also depending on the privacy setting you have applied in your social media accounts, and based on the content that you choose to share, we may have access to contact details, personal data (such as age, gender, employer, education, location, habits, and preferences).  

Car parking:   We may collect your vehicle registration number using automatic number plate recognition (ANPR) to administer our car parking fees and manage our car parks.  How we use personal data for marketing.  In all cases, we will only provide you with email marketing where you have consented, and you can withdraw this consent at any time by clicking the unsubscribe link within the emails you have been sent. Where we send you information electronically, we review whether the communication has been opened and whether you have clicked on any links in the communication. This is because we want to make sure that our communications are useful for you.   We also use third party marketing agencies who may have access to your personal details to manage email marketing campaigns, to provide customer insight through the analysis of data and to collect personal data on our behalf. We store your personal data in a secure marketing database hosted by a third party which we use to also generate our email marketing campaigns.   The personal data gathered through wi-fi, and marketing opt-in is required to:   

• Tailor our online services to you so the content you see is relevant to you. We may use third parties to carry out profiling on our behalf so we can better understand our customers.  

• Collect data obtained through our interaction with customers for research, analysis, testing, monitoring, risk management and administrative purposes including the optimisation of service delivery at our properties and to improve the customer experience.   

• Promote our destinations externally.  

We frequently ask for post code during our customer interactions to help us better understand our customers. We share this data with third parties without any personal identifiers to assist with our insight and analysis. 

What personal data do we collect about you 

As part of security operations at our sites, The Crown Estate or our managing agents will also be collecting personal images relating to visitors and customers to its properties from CCTV, body mounted video (BMV) and ANPR (Automatic Number Plate Recognition) systems. Our managing agents appoint third party service providers to provide security services, and The Crown Estate wardens manage security within the Windsor Great Park. 

The Crown Estate also captures personal data within access control systems which provide access to the premises we occupy. Personal data is also collected from visitors to our properties with the access control data and visitor management data held by our managing agents on third party systems.  

In relation to access control and visitor data at the sites we occupy and where the data relates to The Crown Estate’s employees, contractors or visitors, The Crown Estate considers itself to be the data controller. However, for access control and visitor data within our tenanted premises relating to our tenants’ staff, contractors, and employees, we consider our tenants to be the data controller.  

The purpose for which we collect your personal data? 

CCTV, BMV, visitor and access control data are collated to pursue our legitimate interests to protect the property in question, to protect the vital interests of our visitors, tenants, and customers and to assist with the prevention and detection of crime.  

ANPR is collected to fulfil a contract between us and our users of our parking facilities, including enforcement action. For CCTV, BMV and ANPR, this data will not be held for longer than 30 days unless an incident or suspected incident has occurred.  

Accident and incident reporting 

When an incident occurs at one of our properties, The Crown Estate is required to document the particulars of an incident which may include witness statements, CCTV footage, photographs, and written reports. This information may include special categories of data depending on the nature of the incident. A third-party system is used to log details relating to these incidents, physical paperwork may also be stored on site. In the Windsor Great Park, our wardens manage the park in accordance with The Windsor Great Park Regulations 1972 – Statutory Instrument 1973: No.1113 (the ‘bylaws’). 

The data may be shared with third parties such as insurance providers and legal advisors to defend a claim, government organisations to which we are required to report on incidents by law or the police to investigate a crime.  

 This information is collected to ensure that The Crown Estate complies with its legal responsibilities in relation to Health and Safety investigation and reporting, and for defending future legal claims. The information can also be used to prevent and detect crime, or to protect the vital interests of individuals. Where health data is collected, we may also need this for our substantial public interest for insurance processing.  All personal data (CCTV, witness statements, photographs, and incident reports) relating to the incident to be recorded for six years, unless there are reasons to retain it for longer, such as ongoing Health and Safety investigation, a suspected pattern of fraud, or because an injury has been sustained by a child.   Retail data analytics  We also undertake analysis of how our retail venues are being used. This may include:  

• movement and footfall detection and analysis to understand customer numbers and how our customers move around our sites. 

• analysis to understand how far customers travel to our sites or how often they visit us. 

• analysis of shopping trends and customer preferences. 

We conduct this analysis using interviews, questionnaires, and electronic detection techniques. Whenever we are undertaking such studies, we will always avoid processing personal data where we can and perform the analysis anonymously.   Furthermore, we will always inform our customers and visitors of the surveys taking place at any time.  We may also pass on or allow access to your personal data:  

• to our suppliers, contractors, and professional advisors where this is necessary for them to provide services and facilities to us or on our behalf.  

• to any purchaser of all or part of our business or any of our properties to which the relevant service relates. 

• to sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers. 

• where we are required to do so by law, court order or other legal process. 

• where, acting in good faith, we believe disclosure is necessary to assist in the investigation or reporting of suspected illegal or other wrongful activity. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. 

• to protect and defend our rights or property. 

• to deal with any misuse of any of our services; or 

• to enforce or apply our terms and conditions and other agreements with third parties. 

We may disclose your personal data to our joint venture partners and affiliates or third-party data processers who may process data on our behalf to enable us to carry out our usual business practices. 

The Crown Estate undertakes property management services at the property in which your organisation is occupying either directly or through the use of a managing agent. It is committed to operating in accordance with data protection laws.  The personal data that The Crown Estate processes relating to our customers, in this case those occupying one of our properties, typically consists of the following:  

• Details held on our corporate systems relating to the identity of occupiers for the purposes of fulfilling obligations and ongoing billing and management arrangements under a lease; 

• Personal details from occupiers, their employees, and contractors on site, including names, addresses, emails, phone numbers and contact details are processed for the following purposes: 

• providing property and facility management services – we may take personal details of occupiers or their employees to register facility issues and report back resolutions in connection with services under the lease; 

• providing secure access to the premises as a service under the lease; 

• reporting any injuries or potential insurance claims – these may include special categories of personal data – to discharge our legal obligations or defend a claim; 

• provide business continuity services to allow us to alert occupiers and their employees of an incident that may impact their business operations, which may include collecting ‘home’ contact information. 

Security systems 

As part of security services within communal areas The Crown Estate’s managing agents may collect personal images including those of occupiers, their employees and contractors entering such areas. Signs will be displayed notifying you of these arrangements, which may include CCTV, body mounted video and ANPR (Automatic Number Plate Recognition). The Crown Estate’s managing agent is the data controller for providing surveillance services at our properties with the primary purpose for the prevention and detection of crime. However, this does not extend to any surveillance systems that you may have within your demise. 

Retention policies are in place to govern how long this information should be kept, which is for no longer than 30 days unless an incident has been logged. 

In the event The Crown Estate’s managing agent receives a request to access surveillance data from an occupier in relation to a member of their staff, they cannot provide it without sufficient cause to preserve the privacy rights of the individual. 

Access control and visitor management 

The Crown Estate’s managing agents may provide an access control system that allows secure entry to the building, and/or details of visitors to your premises. They deliver these services at the property pursuant to leasing agreements, as well as to prevent and identify crime. These systems hold personal data – typically an individual’s name, the organisation with which they are associated and entrance and exit data as they access various parts of the building. 

The Crown Estate is the data controller for these systems and their managing agents act as their data controller. If you wish to access data held within these systems, you can submit a request for access to the data providing your justification for disclosure of this information which will be considered in line with our purpose for having the system in place.  

To ensure compliance with data protection laws, The Crown Estate’s managing agents will review personal data within any access control and visitor systems, and any personal data relating to expired access cards will be permanently deleted. 

As a tenant The Crown Estate will record your name and contact details on its property management database as a record of the lease of the property, which is the basis of our contractual agreement, and on its finance database for the purposes of managing payments. This information will be held for as long as we both are parties to the lease. We may use your data to bill you for any charges relating to your property in accordance with the terms of the lease. 

The Crown Estate uses managing agents/management services to provide a range of services on our behalf which may include security, front of house/concierge/guest services, billing as well as facilities management at our properties. These third parties/management services may have access to your personal data, and use it for the following purposes: 

• providing property and facility management services – we may take personal details to register facility issues and report back resolutions in connection with services under the lease; 

• billing – to invoice you in accordance with the terms of the lease; 

• providing any secure access in accordance with terms of the lease; 

• reporting any injuries or potential insurance claims – these may include special categories of personal data – to discharge our legal obligations or defend a claim; 

• provide emergency broadcasts to alert occupiers to risks protecting your vital interests;  

• (where locating new occupiers) undertaking credit checks and right to reside checks – to minimize our exposure to default, and to comply with our legal obligations; and 

• consultancy and legal firms for the purposes of providing business advice. 

The data above is held is long as required to perform these functions.  

Security systems  

As part of our security services within communal areas of some of our properties, our managing agents may collect personal images through CCTV, body mounted video or through ANPR technology (Automatic Number Plate Recognition), and signs will be displayed notifying you of these arrangements.  

The Crown Estate has retention policies which govern how long this information should be kept, for no longer than 30 days unless an incident has been logged.  

Access control and visitor management  

The Crown Estate’s managing agents may provide an access control system that allows secure entry to the building, and/or details of visitors to your premises. We deliver these services pursuant to leasing agreements, as well as to prevent and identify crime. These systems hold personal data – typically an individual’s name and access data as they enter various parts of the building.  

To ensure compliance with data protection laws, The Crown Estate will review personal data within any access control and visitor systems, and any personal data relating to expired access cards will be permanently deleted. If you require any accounts to be subject to alternate treatment, please provide written instructions to the managing agent at the property.    Tenants (seabed) 

In some circumstances we may need to share the contact details of our tenants with third parties, such as where we have a seabed survey applicant who is looking to carry out activities which involve contact with, or extraction of, the seabed. This is to enable effective liaison between parties and is in line with our wider obligations as a public body under The Crown Estate Act 1961, which includes good management of assets. 

This privacy notice tells you what to expect when the Windsor Farm Shop collects personal information. It applies to information we collect about: 

• People who purchase our goods 

• People who supply goods and services to us 

• People who provide feedback 

• People who contact us about lost property 

• People who visit our store 

Your privacy is extremely important to us. Any personal information we gather from you will be used in accordance with the Data Protection Act 2018. The Data Controller for the Windsor Farm Shop is The Crown Estate.  

People who purchase our goods 

When people purchase our goods, they may use a credit or debit card to make payment. We use a third-party provider to process credit or debit card purchases. Our provider adheres to the international security standards within the credit card industry. 

If people make a purchase over the telephone, we ask them to provide their name, email address, telephone number, billing address and delivery address. We do this to process their orders and maintain a record of correspondence until payment has been made through a till point by a manager or supervisor. Once the payment has been received, the receipt for the goods is posted to the customer and all personal information is destroyed using a secure method. 

People who supply goods and services to us 

Purchase orders, deliveries, and invoices from suppliers are entered onto the Windsor Farm Shop's computer system. These are then processed by The Crown Estate’s Finance Team and the data is returned to us. The data is retained in line with financial regulations. 

People who provide feedback 

We are grateful to people who provide feedback on the service they have received. To respond to this, we process your name and contact details. We destroy these details using a secure method within 12 months. 

People who contact us about lost property 

If you contact us about lost property, we will keep your personal contact details in our Lost Property Book and notify you if it is found. When an item is collected, we will ask to see identification documentation and we will record who collected the item. 

People who visit our store 

There are CCTV cameras within the Windsor Farm Shop and car parking area. These have been installed for the purpose of the prevention and detection of crime and may collect images of members of the general public. The footage may be shared with the police when they are investigating an incident. The footage is kept securely, and access to the images is limited. The footage is normally retained for 30 days and then recorded over. 

Who do we share your personal information with? 

We work with a Technology Partner to process your credit or debit cards. When we dispatch your goods, we use a courier company. Aside from these third parties and, when required, government regulators and police investigating an incident, your Personal Information will not be disclosed to other businesses or third parties outside The Crown Estate.  

How do we protect your personal data? 

We keep the personal information we process on a secure server, and we fully comply with all applicable UK data protection and consumer legislation. 

When we engage our Technology Partners to process personal information on our behalf, they do so based on written instructions which require them to process your personal data and keep it secure in line with relevant legislation. 

This section of the privacy policy describes how The Crown Estate might collect personal data about individuals who apply for a job with us.   The Crown Estate may collect and process the following personal data about you:  

• your name, email address, postal address, phone number,  

• qualifications,  

• employment history,  

• credit history,  

• driving licence,  

• your right to work in the UK,  

• information obtained from public records,  

• other application details and your CV.  

• For equal opportunities we also collect information relating to your ethnicity; age; gender; disabilities and sexual orientation – however, this information is not mandatory, and you do not need to provide this to us. 

• information about you (such as details of your suitability to work with us, your past performance at work, your character, verification of the information that you provide to us, and if legally permitted, any history concerning criminal convictions) from third-party references that you provide to us, from your previous and/or current employers, and from third-party background checking services. 

• basic criminal reference checks for all candidates who are offered employment, and we have policies in place to ensure that any information collected will be protected. For some roles we may also perform national security vetting. 

Your personal data may be stored and processed by us for the following purposes:  

• to consider your job application (including, in some cases, verifying your qualifications and references with third parties); 

• to notify you of relevant job vacancies with The Crown Estate in which you may be interested; 

• to comply with legal/regulatory requirements and to ensure diversity and equal opportunities within our recruitment practices. 

As part of its normal business operations, The Crown Estate needs to contact key business contacts and stakeholders and for these purposes for processing The Crown Estate is the data controller. These contacts include:  

• Contacts of employees who work for businesses with which The Crown Estate has a business relationship; 

• Contacts with employees of businesses that are involved in the wider industries in which we operate; 

• Contacts with stakeholders, including MPs, councillors etc. 

This information is normally restricted to name, job title, email address, telephone number and the name of the business or organisation they represent.  

We obtain this personal data from a variety of sources including:  

• The course of normal business operations; 

• The exchange of business cards and other collateral in the normal business environment; 

• Information published by the data subject so that they can be contacted for business purposes. 

Whilst we process this information as part of our legitimate business interests, we assume that the sharing of this contact information in the normal business environment for the purposes for which it was shared constitutes consent to be contacted for the business circumstances under which the information was shared.   Consequently, we will only contact these data subjects in the context in which the information was provided, and we will never use these contact data for any other purposes. Where we have a contract with the individual, that will be our purpose and lawful basis for using their data.  The personal data that The Crown Estate processes relating to business contacts typically consists of the following:  

1. Details held on our corporate systems relating to ongoing business relationships; 

2. Normal business correspondence with the individual; 

3. Collaborative working on industries issues; 

4. Inviting contacts to events specific to the context in which the information was provided. 

 The data above is held is long as required to perform these functions. 

Personal data we collect and use 

The information we collect will be the minimum we need to deliver our service and will include the following personal data: 

• Name 

• Address 

• Work Contact details 

• Job/profession and other information about employment history and current employment and details of professional qualifications 

• Information about suppliers’ financial capacity and solvency 

• Information about payments made to and received from suppliers 

• Information suppliers have provided about breach of the grounds for exclusion set out in regulation 57 of the Public Contracts Regulations 2015 

• Information about complaints and allegations of misconduct made during a procurement exercise or subsequent delivery of a contract 

• Salary, age, pension, length of service and other workforce information needed to enable tenderers to price their bids for replacement contracts when the Transfer of Undertakings (Protection of Employment) Regulations apply 

• Details of individuals and other persons of significant control who may be involved with or working on a project if the tender is successful 

How we use your personal data 

We use this personal data to procure and purchase goods and services and works for The Crown Estate and its service users. This includes: 

• Administering procurement exercises 

• Evaluating bidder submissions and tenders 

• Permitting audit and legal review of tender processes and contracts 

• Reviewing, managing, and enforcing contracts 

• Making and receiving supplier payments 

• Dealing with concerns and complaints 

How long your personal data will be kept 

We will hold your personal data in line with The Crown Estate’s retention schedule. At its expiry date the information will be reviewed, and only retained where there is an ongoing requirement to retain for a statutory or legal purpose. Following this your personal data will be securely destroyed. Reasons we can collect and use your personal data The lawful basis on which we collect and use your personal data is that 

• Processing is necessary for the performance of a contract 

• Processing is necessary for compliance with a legal obligation 

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller 

Who we share your personal data with 

We may sometimes share the information that we have collected about you where it is necessary, lawful, and fair to do so. We may share information with the following for these purposes: 

• Suppliers (if the information is required to deliver a contract) other customers, and central purchasing bodies, for supplier stability monitoring and performance management purposes 

• Other departments within The Crown Estate 

• Other organisations that are jointly procuring or managing a contract with us 

• People and organisations that suppliers have nominated as referees 

• The new contract holder if there is a transfer of employment information regarding affected employees (TUPE) 

• External auditors 

Keeping your personal data secure 

We have appropriate security measures in place to prevent personal data from being accidentally lost, used, or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. 

Transfers of data outside the UK 

We do not send any information we collect about you as a part of this process outside the United Kingdom.