Privacy Policy
Last updated: 18/02/26
1. Introduction
Grosvenor Facilities Management Limited (trading as “GFM”), company number [COMPANY NUMBER], whose registered office is at [REGISTERED ADDRESS] (“we”, “us”, “our”) is committed to protecting and respecting your privacy.
This policy sets out how we collect, use, store and share personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all individuals whose personal data we process, including clients, prospective clients, suppliers, job applicants, employees, website visitors and members of the public.
For the purposes of data protection law, GFM is the data controller.
2. Data Protection Officer
If you have any questions about this policy or our data protection practices, please contact:
Data Protection Officer
Grosvenor Facilities Management Limited
[ADDRESS]
Email: [EMAIL ADDRESS]
Telephone: [PHONE NUMBER]
3. Personal Data We Collect
We may collect and process the following categories of personal data:
| Category | Examples |
|---|---|
| Identity data | First name, last name, title, job title |
| Contact data | Email address, telephone number, postal address |
| Employment data | CV, employment history, qualifications, references, right-to-work documentation (for job applicants and employees) |
| Financial data | Bank details, payment information (for employees and suppliers) |
| Technical data | IP address, browser type and version, time zone setting, operating system, pages visited on our website |
| Communication data | Records of correspondence via email, telephone, website contact form, or post |
| Health and safety data | DBS check results, health and safety certifications, training records, accident and incident reports |
4. How We Collect Your Personal Data
We collect personal data through direct interactions with you (such as when you enquire about our services, apply for a role, or enter into a contract with us), through automated technologies on our website (such as cookies — see our separate Cookie Policy), and occasionally from third parties such as recruitment agencies, referees, or publicly available sources.
5. How We Use Your Personal Data
We only process personal data where we have a lawful basis to do so:
| Purpose | Lawful Basis |
|---|---|
| Responding to enquiries and providing quotes for our FM, cleaning, catering, maintenance and other services | Legitimate interest (to respond to potential business opportunities) |
| Performing and managing our contracts with clients and suppliers | Performance of a contract |
| Processing job applications and managing recruitment | Taking steps prior to entering into a contract; legitimate interest |
| Managing employee and worker records, payroll and benefits | Performance of a contract; legal obligation |
| Conducting DBS checks and verifying right-to-work status | Legal obligation; substantial public interest |
| Health and safety compliance across client sites | Legal obligation; vital interests |
| Maintaining our IT systems and website security | Legitimate interest (to keep our systems and data secure) |
| Complying with legal, regulatory and contractual obligations | Legal obligation |
| Sending service-related and, where opted in, marketing communications | Legitimate interest; consent (for electronic marketing) |
6. Who We Share Your Personal Data With
We may share your personal data with: our parent company, Grosvenor House Group PLC, and any associated group companies; our clients, where required for the performance of FM contracts (e.g. sharing operative details for site access); sub-contractors and suppliers who assist in delivering our services; professional advisers including solicitors, accountants and insurers; regulatory authorities, government bodies and law enforcement agencies where required by law; recruitment agencies; IT service providers and hosting providers; and pension and benefits providers.
We require all third parties to treat your personal data in accordance with the law and do not allow them to use it for their own purposes.
7. International Transfers
We primarily store and process personal data within the United Kingdom. If we need to transfer personal data outside the UK, we will ensure appropriate safeguards are in place, such as ICO-approved standard contractual clauses or transfers to countries with an adequacy decision.
8. Data Retention
We retain personal data only as long as necessary. As a guide: client and supplier records for 7 years after the contractual relationship ends; job applicant data for 12 months after recruitment concludes; employee records for 7 years after employment ends; and website analytics data for 26 months.
9. Your Rights
Under data protection law, you have the right to: access your personal data; request rectification of inaccurate data; request erasure in certain circumstances; restrict processing; request data portability; object to processing based on legitimate interests or for direct marketing; and not be subject to solely automated decision-making.
To exercise any right, contact our Data Protection Officer (section 2). We will respond within one month.
10. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data, including access controls, encryption where appropriate, regular security assessments, staff training and secure disposal procedures.
11. Complaints
If you are unhappy with how we have handled your personal data, you may lodge a complaint with the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113. Website: www.ico.org.uk. We would appreciate the opportunity to address your concerns first.
12. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated revision date.