SECTION 1: Document Change History, Versions and Review

Version and Review

Version

Comments

Dates

Author/Name

V1.0

Original issue date

May 2018

Michelle Guthrie

V1.2

Standard Policy Update Cycle

January 2019

Michelle Guthrie

V1.3

Standard Policy Update Cycle

January 2022

Michelle Guthrie

V1.4

Standard Policy Update Cycle

March 2023

Michelle Guthrie

SECTION 2: Purpose

Foster + Partners is committed to protecting the privacy and security of any Personal Data (defined in Section 4 below) it handles.

Foster + Partners means Foster + Partners Group Limited or any of its subsidiaries, so when we mention “Foster + Partners”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in the Foster + Partners group which you have had dealings with.

This Privacy Notice describes how we collect and use Personal Data about visitors to our website, clients and potential clients, third party consultants and any other individuals whom we may collect Personal Data on in accordance with the Data Protection Laws (which term includes the General Data Protection Regulations (EU 2016/679), Data Protection Act 2018, the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations (2019/419) and the Privacy and Electronic Communications (EC Directive) Regulations 2003). Past, present and prospective employees, workers, and contractors should refer to our Privacy Notice for Employees and our Pre-Hire Privacy Notice (found on our intranet and our recruitment webpage).

Foster + Partners is a “data controller”. This means that we are responsible for deciding how we hold and use Personal Data. We are required under the Data Protection Laws to notify you of the information contained in this Privacy Notice. We may update this Notice at any time.

SECTION 3: Data Protection Principles

We comply with the Data Protection Laws. This says that the Personal Data we hold must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

SECTION 4: The kind of information we hold about you

Personal Data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, country of residence, company, and job title.
  • Contact Data includes address, email address and telephone numbers.
  • Professional Data includes CVs, and documents related to your qualifications, experience, and role, current salary, eligibility to work in the UK.
  • Usage Data includes information about how you use our website.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

In limited circumstances, we may also collect, store and use documents to prove your identification such as a copy of your passport or address, and/or the following “special categories” of more sensitive Personal Data:

  • Information about your race or ethnicity, and religious beliefs.
  • Information about your health, including any medical condition.
  • Information about criminal convictions and offences.

The Personal Data we may collect varies depending upon how it is collected and for what purpose. More specific details are set out below. 

SECTION 5: How is your Personal Data collected?

Personal Data may be collected in the following ways:

  1. Through information collected by cookies when you use our website.
    When you visit www.fosterandpartners.com we may send a ‘cookie’ to your computer. This is a small data file stored by your computer to help improve functionality or tailor information to provide visitors with more relevant pages. For details of the cookies employed by us see Section 12 below.

or: 

  1. Through information automatically recorded when you use our IT systems, so that the systems can run effectively and we can ensure they are not being misused.
  2. Direct interactions – where you provide information by filling in forms or corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide when you:
    • Complete an online form to subscribe to our mailing list;
    • Make business enquiries via email or telephone; and
    • Enter into a working relationship with us.

or: 

  1. Third parties or publicly available sources. For example, consultants working with us whose CVs might be sent by their employer for bid documents or so we can assess their suitability for a project.

SECTION 6: How we will use information about you

We will only use your Personal Data when the law allows us to, such as:

  1. Where it is necessary to perform a contract with you or in order to take steps at your request prior to entering into a contract.
  2. Where we need to for compliance with a legal obligation.
  3. Where it is necessary for the purposes of our legitimate business interests to run a successful international design studio, and your interests and fundamental rights do not override those interests.

We may also use your Personal Data in the following situations, which are likely to be rare:

  1. Where we need to protect your interests (or someone else’s interests).
  2. Where it is needed in the public interest.

SECTION 7: Special Category Personal Data

Special Categories of sensitive Personal Data require higher levels of protection and we will need to have further justification for collecting, storing and using this type of Personal Data, such as:

  1. In limited circumstances, with your explicit written consent.
  2. Where it is necessary for us to meet legal obligations.
  3. Where it is necessary for reasons of public interest.
  4. Where it is needed on health grounds, subject to appropriate confidentiality safeguards. 
  5. Where it is needed for legal claims.
  6. Where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

It is unlikely that we will need to collect or process Special Categories of sensitive Personal Data. Where we do need to, we will notify you and (where required) obtain your consent to the processing.

SECTION 8: More specific details of how we may use your Personal Data

We have set out in the table below details of the type of data we may collect (by reference to the groups described in Section 3 above), the ways we may use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To deliver relevant website content to you and to use data analytics to improve our website  (a) Identity
(b) Contact
(c) Usage
(d) Marketing and Communications
(e) Technical
Necessary for our legitimate interests (to keep our website updated and relevant and to develop our business)
To send marketing newsletters to you (a) Identity
(b) Contact
(c) Marketing and Communications
Necessary for our legitimate interests (to develop our business)
To invite you to events (a) Identity
(b) Contact
(c) Marketing and Communications
(a) Necessary for our legitimate interests for business development - to strengthen business relations and to market our services
To manage access to our premises and for security purposes

(a) Identify
(b) Contact
(c) Health

(b) Necessary for our legitimate interests for running our business
To administer and protect this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) (a) Identity
(b) Contact
(c) Technical
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, and network security)
To respond to your new business enquiry as a potential client (a) Identity
(b) Contact
(a) Necessary for our legitimate interests (for winning and providing design services)
To administer our working relationship with you and your employer (as applicable), such as providing and administering architectural and engineering services to you, and/or collaborating with you to bid for a design project or to provide design services

(a) Identity
(b) Contact
(c) Professional Data

In limited circumstances we might require documents to prove your identification such as a copy
of your passport or Special Categories of sensitive Personal Data. In these circumstances we will notify you and where necessary obtain your consent.

(a) Performance of a contract with you
(b) Necessary for our legitimate interests for winning and administering projects and running our business)
 To carry out due diligence checks (a) Identify
(b) Professional Data
 (b) Necessary for our legitimate interests for running our business  (to fulfil our legal, regulatory and risk management obligations, including establishing, exercising or defending legal claims, complying with our legal obligations, preventing crime or fraud and protecting the rights of third parties

SECTION 9: Change of purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Occasionally we may use Personal Data to send you updates about our business or invites to events. If you prefer not to receive promotional material from Foster + Partners email us at enquiries@fosterandpartners.com and put “unsubscribe” in the subject line together with the name of the publication you wish to unsubscribe from.

Please note that we may process your Personal Data without your knowledge or consent where this is required or permitted by law.

SECTION 10: Data Sharing

We may share your Personal Data with third parties, including third-party service providers and other entities in the Foster + Partners Group where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest for the purpose of running a successful international design practice in doing so.

For example, we may share your Personal Data with:

  • professional advisors such as lawyers and accountants;
  • processors such as providers of cloud hosting solutions or translation companies;
  • to an auditor, regulator or to otherwise comply with the law.

We may share Personal Data, such as CVs of collaborating design consultants, to clients, potential clients or collaborating designers where this was the purpose of collection.

As we are an international design practice, we may share your Personal Data with other entities in our group. In particular, we share your Personal Data for the following purposes:

  • Where required to facilitate your travel to meetings in one of our international offices or in respect of a project abroad;
  • Where we are inviting you to an event held in one of our offices abroad. 

10.1 How secure is your information with third-party service providers and other entities in our group? 

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your Personal Data in line with our policies and the law. We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

10.2 Transferring information outside the UK 

We are an international design practice and as such may transfer the Personal Data we collect about you to countries outside the UK. Where we do so, we will ensure that those transfers take place in accordance with the Data Protection Laws, including by entering into data transfer agreements (containing standard contractual clauses recognised or issued in accordance with the UK Data Protection regime, a copy of which can be obtained from the DPM) with recipients or obtaining your explicit consent. If you require further information about these protective measures, you can request it from the Data Protection Manager via the contact details set out below.

SECTION 11: Security

All information you provide to us is stored on our secure servers. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.

Once we have received your information, we will use strict procedures and security features to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.

SECTION 12: Cookies

For information on use of Cookies on our website please refer to our Cookies Policy.

SECTION 13: Accuracy

We want to make sure that your Personal Data is accurate and up to date. Please contact us if any information we are using is not accurate or up to date.

SECTION 14: Retention

We will only retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it or for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

SECTION 15: Your Rights in Connection with Personal Data

Under certain circumstances, by law you have the right to:

  • Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
  • Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
  • Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your Personal Data to another party.

If you want to review, verify, correct or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, please contact the Data Protection Manager in writing.

15.1 No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

15.2 What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

15.3 Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Manager or use any unsubscribe link in any email newsletter that you receive. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

SECTION 16: Data Protection Manager

We have appointed a Data Protection Manager to oversee compliance with this Privacy Notice. This role is held by Nadeem Mir, Senior Partner, who may be contacted on dataprotection@fosterandpartners.com; 0207 738 0455.

If you have any questions about this Privacy Notice or how we handle your Personal Data, please contact the Data Protection Manager. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

SECTION 17: Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your Personal Data.
If you have any questions about this Privacy Notice, please contact the Data Protection Manager.

SECTION 18: Contact information

Requests for further information about this Privacy Notice or about how we process Personal Data can be sent by email to: dataprotection@fosterandpartners.com

Or in writing to:

Nadeem Mir
Data Protection Manager
Foster + Partners Limited
22 Hester Road
London SW11 4AN