1. Overview of Policy
GPT (as defined below) is a listed Australian real estate group. Its activities include:
- Ownership and management of direct property - Australian retail, office, industrial and logistics assets.
- Third party real estate funds management. GPT manages, operates and develops Australian office and retail assets on behalf of several unlisted wholesale managed investment schemes, including the GPT Wholesale Office Fund and the GPT Wholesale Shopping Centre Fund (collectively the “Wholesale Funds”). GPT also manages office, retail and student accommodation assets in Australia and New Zealand on behalf of third party owners.
- Space & Co which provides flexible co working space and meeting room facilities.
- Supply of electricity to occupiers within its assets.
At GPT, we believe that maintaining the privacy of the personal information we collect is critical.
This Policy explains GPT’s information handling practices in relation to personal information collected by GPT.
1.1 Companies covered by this Policy
This Policy applies to GPT Management Holdings Limited (ABN 67 113 510 188) and its subsidiaries that are incorporated in Australia or are otherwise subject to the Privacy Act 1988 (Cth) (Privacy Act).
In this Policy, we refer to these entities as "GPT", "we", "us" or "our" and the "GPT Group".
1.2 This Policy applies to personal information
This Policy applies to our handling of your personal information. Under the Privacy Act, "personal information" means information or an opinion about an identified individual or an individual who is reasonably identifiable. Common examples include a customer's or a job applicant's name, address, telephone number or date of birth, and any other information that we could use to reasonably identify an individual.
1.3 Your agreement to this Policy
By providing your personal information to GPT, using any of GPT’s services or products, or providing any services to GPT, you confirm that you have read and agree to the terms of this Policy.
If you are an organisation, by accepting this Policy, you confirm that you have obtained the express consent from your personnel to the collection, use, disclosure and handling of their personal information in accordance with this Policy.
2. Kinds of personal Information we collect and hold
This section provides examples of the kinds of personal information we may collect and hold about you and why we collect that information. The list below is not exhaustive, and we may collect other personal information from you from time to time as indicated in a collection notice.
2.1 Working at GPT
If you wish to be, are, or have been, contracted, employed, or otherwise engaged by GPT as part of its workforce, we may collect and hold personal information about you. This information may include your:
- residential and email addresses;
- telephone number;
- academic results and qualifications;
- skills, expertise and experience;
- personal interests;
- current salary and salary expectations; and
- screening checks (including background, national criminal record check, psychometric assessment reports, financial probity, identity, eligibility to work, vocational suitability, reference checking and whether you're a politically exposed or sanctioned person).
GPT requires background information as part of its assurance program on the identity, honesty and integrity of prospective and current employees. These checks may require us to:
- collect information relating to your current or former employment or engagement including information about your training, disciplining, resignation, termination (whether from a nominated reference or not);
- search government records and publicly available sources, including social media and other internet sources, for background information about you. We may also collect information about you through our employee referral program where someone you know recommends you to us; and
- disclose information about you to academic institutions, recruiters, screening check providers, professional and trade associations, law enforcement agencies, referees, your current and previous employers, regulators and other third parties.
Without access to your personal information we may not be able to progress considering you for a position with us.
For those people currently working at GPT:
- We are required or authorised to collect your personal information under various laws including the Fair Work Act 2009 (Cth), Superannuation Guarantee (Administration) Act 1992 (Cth) and Taxation Administration Act 1953 (Cth).
- We may exchange your personal information with your representatives (including unions if applicable) and our service providers including providers of payroll, superannuation, banking, staff benefits, surveillance and training services.
- We may monitor and record your communications and interactions with us (including email, telephone and online) and operate audio and video surveillance devices in our premises for various purposes including compliance auditing, maintenance, security, dispute resolution, training and where email abuse is suspected.
Where applicable, we will rely on the "employee records exemption" in the Privacy Act and any other applicable exemptions in the Privacy Act or other relevant legislation. The employee records exemption means that in many cases, we are not bound by the requirements of the Privacy Act in relation to personal information we hold about our current or former employees (relating to their employment).
2.2 Tenants and occupiers
We may collect personal information about you in relation to space in assets owned and/or managed by GPT, if:
- you are or have been a tenant or occupier of that space;
- you are employed or engaged by a tenant or occupier of that space;
- we provide products or services to you as a tenant or occupier of that space; or
- we have communicated with you about the possibility of you becoming a tenant or occupier of that space.
- information about individual tenants/occupiers and their guarantors, as well as representatives of corporate tenants or occupiers;
- contact and insurance details;
- bank account and credit card details;
- other assorted financial, credit history and trading information; and
- information regarding your behaviour at our assets or at Space & Co, through:
- our video surveillance (see section 2.6);
- our security personnel; or
- our tenants, visitors and suppliers.
We use this information to evaluate whether to enter into agreements with prospective tenants and occupiers, perform our obligations under our agreements and manage our relationships with our tenants and occupiers.
2.3 Customers and Visitors
If you are a visitor to GPT’s assets, a customer of a tenant or occupier of space in GPT’s assets, or if you are a customer of Space & Co, we may use your personal information to provide, administer, improve and personalise our services, process payments, communicate with you in relation to our services and to respond to your enquiries and complaints.
We may collect your personal information for the purpose of promoting public health, including to manage the risks of disease outbreaks and pandemics.
As visitors or customers you may use: websites, mobile applications, social media and other online services (Online Services); register, login or subscribe to join our programs, including shopper programs (Member Programs); and purchase gift cards, participate in surveys or competitions and register for or use any of our services, including our carparks, guest wi-fi services, online ordering system and the hire of mobility aids and other equipment.
We may collect information regarding your online behaviour, including:
- name, contact details, gender, payment details, and activity details relating to our Online Services and Member Programs;
- our Online Services, which may include functionality that makes use of the hosting device's geographic position on approach and entry into a participating asset. This means that if you joined a relevant Member Program, and you use one of those Online Services, which you may be located by us or our service providers and contractors by reference to the location of your device. We may use this functionality to locate and send you offers, discounts, promotions, advertising, products, services or other content on your device;
- your responses to correspondence, promotions, giveaways and competitions, or if you win a promotion or competition at one of our assets, apply for an unclaimed prize or dispute a decision we make regarding a prize;
- the time, date and URL of each request for a page from our web server and other web servers;
- "click stream" information from your use of our websites (such as information about areas of our websites you've accessed and the time and date of access);
- doubleclick ad serving information from your use of our websites (such as information about whether a marketing campaign has been effective);
- information about your interests and preferences relating to the use of our websites, our products and services and Member Programs; and
- information from your computer or device details (including device identifiers, usage and location data) allowing us to: analyse trends, administer our websites, track your web navigation, and gather broad demographic information for aggregated use.
We use social networking services such as Facebook, Twitter, Instagram and TikTok to communicate with the public about our services, promotions or that of third parties. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you if needed. The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Facebook, Twitter, Instagram and Snapchat on their websites. We may also collect information, through our video surveillance (see section 2.6), our security personnel, employees or contractors, regarding:
- your behaviour at our assets or at Space & Co;
- details of incidents involving you at our properties including; details of an injury you sustain and banning notices;
- details of an enquiry or complaint that you raise with us; and
records of your communications and interactions with us.
You can set your browser to accept or reject all cookies, or notify you when a cookie is sent. If you reject cookies or delete our cookies, you may still use our websites. Our Online Services and Member Programs may, from time to time, contain links to the websites and online services of other organisations which may be of interest to you. Those other organisations are responsible for their own privacy practices and you should check those websites and online services for their respective privacy policies.
2.4 Investors and Partners
Personal information collected from our investors includes information such as name, date of birth and contact details, as well as security holding details and balances and tax file numbers.
This information is used to carry out registry functions including facilitating distribution payments and corporate communications such as financial results and reports.
We also collect information about subscribers to ASX announcement updates from the GPT Group as they are posted on the GPT website.
GPT’s Securityholder and Unitholder registers are maintained by external service providers Link Market Services Limited (for GPT itself) and BoardRoom Pty Limited (for the Wholesale Funds).
Wholesale Fund investors can find out more about how BoardRoom Pty Limited handles their personal information - their contact details are at the end of this Policy.
GPT investors can find out more about how Link Market Services Limited handles their personal information - their contact details are at the end of this Policy.
In relation to the Wholesale Funds and third party entities on behalf of who we manage assets or portfolios, we may collect, use and disclose personal information about your officeholders and beneficial owners as required or authorised in connection with, and for the purpose of fulfilling, our obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”).
The personal information we may collect includes names, dates of birth, residential addresses, identification documentation and screening checks, and this information may be collected from you and from other sources including publicly available information and information service providers. We may exchange personal information with screening check providers located in Australia and government agencies, including, if required or authorised by law, agencies located overseas.
2.5 Suppliers of goods or services to GPT
If you are a supplier of goods or services to GPT, or are employed or engaged by such a supplier, we may collect personal information about you, including:
- contact details, including business and email addresses and telephone numbers;
- background information about you including, for example, your criminal record and whether you're a politically exposed or sanctioned person;
- insurances; and
- information as to financial standing and business experience, including credit history.
We may, for example, search government records and publicly available sources, including social media and other internet sources, for background information about you. We require this information as part of our supplier due diligence activities. Incorporated entities may provide GPT with the contact details of their employees in order for both of us to perform our obligations under our agreements.
2.6 Video Surveillance
We may collect video surveillance footage at our worksites, premises and assets for reasons including:
- prevention of theft, serious harm or other illegal/undesirable activity;
- investigating customer disputes and coordination of emergency and alarm responses; and
- identifying individuals for the purposes of investigating incidents.
Closed-circuit television ("CCTV") recordings in car parks within GPT’s portfolio may also collect licence plate details. This surveillance is carried out using visual surveillance devices on a continuous and ongoing basis by our surveillance/security/compliance teams (or third parties).
We will handle any requests to access video surveillance footage containing personal information in accordance with law, and will only release such video surveillance footage or provide access to it as required by law.
2.7 Residential Purchasers
If you purchase or express an interest to purchase a residential property, we may collect your contact details and information to verify your identify (name, date of birth, gender, address, email address, contact numbers), financial information (including bank accounts, credit card details, income and credit-worthiness), your preference in respect of products, services, facilities and lifestyle activities.
We generally collect your personal information directly from you. We may also collect information from third parties such as real estate agents, credit reporting bodies, law enforcement and government entities, marketing agencies, data collection and research organisations. We use this information to respond to inquiries from you, tailor our product and services, take steps at your request to enter into a contract with you and if you make a purchase, for the performance of our obligations under a contract with you.
2.8 Website enquiries
If you send us an enquiry through one of our websites including those maintained by our assets, we may collect your name, phone number and email address.
2.9 Dealing with sensitive information
We won't collect sensitive information, such as your:
- racial or ethnic origins;
- political opinions;
- religious or philosophical beliefs;
- sexual orientation or practices;
- criminal record; or
- health information,
unless it is:
- given with your consent and it is reasonably necessary for one of our functions or activities;
- in relation to you working with (or applying to work with) GPT, e.g. health information relating to a disability that needs to be accommodated in the workplace;
- otherwise for a purpose identified in this Policy; or
- required or authorised by law.
If we do collect sensitive information we will do so with the express consent of the individual and in accordance with the Privacy Act.
3. How we collect personal information
We generally collect your personal information directly from you via one of our websites, cameras, apps or via telephone, by mail or email or in person. We may also collect personal information about you from a third party if it isn't reasonable or practical to collect it from you or if necessary to satisfy our legal obligations. For example, we may collect your personal information from:
- third parties that can help assess your risk to our business under the AML/CTF Act;
- a referee nominated by you when you apply for a job with us;
- your employer, if you are employed by a company that provides goods or services to us;
- our related bodies corporate;
- our share registry provider;
- public sources (e.g. social media sites, Google and other websites), e.g. for the purposes of our AML/CTF Act compliance program; and
- any relevant Commonwealth, State or Territory government authority or agency.
To help us understand you better, we may combine personal information we hold about you with personal and non-personal information from different sources. For example, we may obtain demographic data from an information service provider to tell us about interests of people in your postcode and use it to help us predict which product and service might appeal to you. These sorts of activities may be conducted in connection with our Online Services and Member Programs as described above.
4. Why we collect personal information
4.1 Reasons for collecting and holding personal information
Our reasons for collecting and holding your personal information include:
- to evaluate whether a lease, licence or membership should be granted to a tenant or occupant and if granted to perform our/your obligations under those agreements;
- to provide you with goods, services or information about our and/or our tenants and occupiers goods or services, and process payment for such when applicable;
- to identify you and verify your identity;
- to develop, manage, administer, control and improve the quality of the products and services we provide;
- to enable us and selected third party partners to market products and services to you;
- to administer and manage the ownership of GPT securities or Funds’ units (including entitlements to dividends and voting);
- to identify underlying beneficial owners of our securities;
- to consider you for employment (including future employment opportunities), if you apply for a position with us;
- to do business with our suppliers of goods and services (you may be a supplier, or employed or engaged by a supplier);
- to carry out research and analysis related to our products and services;
- to maintain security at our assets;
- to investigate and deal with unlawful activity and misconduct;
- to assist our tenants and occupiers with the management of their premises;
- to protect our rights and property as well as those of our tenants and customers;
- to comply with a legal obligation or to establish, exercise or defend legal claims;
- to promote public heath, including to manage the risks of disease outbreaks and pandemics;
- to identify your behaviours, habits and preferences and to send you marketing messages and communications (see further information about our direct marketing practices below);
- to assist you with enquiries, complaints or service requests;
- to notify you if you have won a competition, promotion or prize;
- in relation to services providers, to enable us to perform our obligations under our agreements with you/the company you are employed by and to assist us to manage our relationship with you/the company you are employed by;
- any other purpose required or permitted by law. For example we may be required to collect personal information,
- under the AML/CTF Act (we may collect personal information for the purpose of implementing our AML/CTF Act compliance program for the Funds); and
- for the purpose of investigations by law enforcement agencies like the Police (State and Federal) and other State and Commonwealth agencies e.g. the Fair Work Ombudsman.
4.2 Using your personal information for direct marketing
We may use your personal information to send offers, discounts, promotions, advertising and other information about other products and services by email or other means of communication from us and our business partners. We are required to comply with the Spam Act 2003 (Cth) when we send you commercial electronic messages (including via email), and otherwise with the Privacy Act when we use your personal information to conduct direct marketing activities.
We will generally only send you marketing materials with your consent, unless otherwise permitted by law. You can opt out of being sent these types of messages at any time, using the functional 'Unsubscribe' link in the relevant communications or by contacting us using the details provided in section 11.
4.3 What happens if we don’t collect personal information
Unfortunately, if we're unable to collect your personal information, we may not be able to provide our products and services to you, or consider you for employment. We may also be unable to issue or administer any GPT securities or Fund units you have or have applied for. For example:
- if you refuse or are unable to provide further information we're required to collect under the AML/CTF Act, we may not be able to accept your investment in the Funds;
- if you don't provide sufficient information about your identity, qualifications and experience we may not be able to consider you for employment or engagement with us; and
- if you hold GPT securities and don't provide relevant personal information:
- we may not be able to pay you dividends;
- we may not be able to send you important shareholder communications, such as proxy forms or annual reports; and
- you may not be able to vote on resolutions at our annual general meetings.
5. How we use and disclose personal information
Information about how and to whom we use and disclose personal information is set out below. This list is not intended to be exhaustive and there may be other third parties to which we give your personal information where required or permitted by law (for example, professional advisors or insurers).
5.1 Our employees and contractors
We may disclose personal information to our employees and contractors, but only as needed to perform their jobs or provide their services (noting that they have obligations to treat the personal information they access as confidential).
5.2 Public relations
If you win a major prize, we may give your details to external publicity businesses for reasonable promotional activities. We will ask for your consent before we do this, and you can choose not to have your name disclosed in this way.
5.3 Service providers
We may disclose personal information to service providers that assist us to:
- provide, manage and administer our products and services, our business and our business systems (including mailing houses, our share registry provider, printers, public relations and advertising agencies, providers of customer relationship management (CRM) and affiliate management services, auditors, lawyers, providers of fraud detection services, IT technicians and software providers, IT consultants, website developers, data centre providers);
- develop and market our products and services (including market research analysts);
- assess risks under the AML/CTF Act;
- manage any loyalty programs we may operate (including updating points balances, identifying any free, bonus or promotional points owing to members, and sending members information);
- comply with industry standards, and securely manage processing of your credit card payments and storage of your credit card details;
- analyse trends, aggregated demographic information, and target your interests; and
- inspect, cleanse, transform and model such personal information for the purpose of discovering useful information, informing conclusions, and supporting decision making within GPT, whether or not you are a current supplier, customer, employee or contractor.\
We may also exchange personal information with our service providers and contractors such as organisations who provide archival, auditing, professional advisory (including legal, accounting and business consulting), debt collection, banking, online payment processing, marketing, advertising, communication, mail house, delivery, recruitment, call centre, contact management; technology, research, analytics, utility, cleaning and security services.
5.4 Owners and prospective owners
We may disclose your personal information (where relevant) to the owners or prospective owners of our properties (for example, the companies who own or are proposing to acquire our properties, who may be related bodies corporate within the GPT Group or sit outside of the GPT Group), where relevant, and only to the extent required for us, to conduct our business and provide you with goods, services or information, so that those owners or prospective owners can comply with their obligations under laws and regulations, and as otherwise required or permitted by law.
5.5 Tenants and occupiers
We may disclose your personal information to our tenants and occupiers, but only to the extent that it is necessary to provide you with and/or process payments for goods, services or information.
5.6 Regulators/industry bodies
We may disclose your personal information to:
- regulators and law enforcement agencies (including those responsible for enforcing the AML/CTF Act);
- respond to an enquiry from a government agency under State, Territory or Commonwealth laws; or
- State, Territory or Commonwealth health agencies or officers to promote public health, including to manage the risk of disease outbreaks and pandemics.
5.7 Related corporations
We may disclose personal information to our related bodies corporate:
- so they can comply with their obligations under laws and regulations;
- for legitimate employment-related purposes (as determined reasonably by us); and
- as otherwise required or permitted by law.
5.8 Replacement providers and property managers
- transfer responsibility for providing a product or service and/or managing one of our shopping centres or other assets to another business; or
- stop providing a product or service or managing an asset (or limit it), and another business continues to offer a similar product/service or takes over to manage that asset,
we may disclose personal information to the other business so the product or service can continue to be provided to you or the other business can offer you a similar product or service, or so that the asset can continue to be managed.
5.9 Protection of people and our rights and property
We may use and disclose your personal information where we reasonably believe it's necessary to protect any person or our rights or property.
5.10 Direct debit and credit card details
If you provide us with your direct debt or credit card details for the purposes of payment for a product or service, we may disclose those details to our bank.
6. Disclosure of personal information overseas
We may disclose your personal information to recipients located outside Australia who provide goods or services to us. For example, we may disclose your personal information to third parties who are located in countries like Singapore, the United States of America, Hong Kong, Germany, the Netherlands, Belgium and India, who provide cloud and data storage services, IT support services and other third party services to us. When you communicate with us through a social network service such as Facebook, Twitter, Snapchat, the social network provider and its partners may also collect and hold your personal information overseas.
However, we only disclose personal information to an overseas recipient if:
- we've taken reasonable steps to ensure that recipient does not breach the Australian Privacy Principles (other than APP 1);
- we reasonably believe that:
- a law or scheme in the country of the recipient includes requirements that are substantially similar to the requirements of the Australian Privacy Principles; and
- you can take action to enforce that law or scheme; or
- the Australian Privacy Principles otherwise allow it.
7. Storage and security of personal information
GPT regards the security of personal information as a priority and uses a number of physical and electronic means to protect it.
We hold personal information in physical files, computer systems, or in databases held by us and by service providers on our behalf.
We take reasonable precautions to protect the personal information we hold from misuse, interference and loss, and unauthorised access, modification or disclosure.
These may include, for example, the protection of passwords using industry standard encryption; measures to preserve system security and restrict unauthorised access; and back-up systems to reduce the risk of accidental or malicious loss of data. We may use third party providers to store personal information electronically and we take reasonable steps to ensure this information is held securely.
Unfortunately, there is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk.
Securityholder information for GPT and the Funds are held by the relevant Registries in accordance with registry arrangements which require such information to be held securely. Personal information is retained for as long as it is necessary for the identified purposes, to the extent necessary for purposes reasonably related to those identified purposes (for example, resolving disputes) or as required by law.
8. How long can we keep your personal information?
- no longer need to use or disclose your personal information for any purpose that's authorised under the Australian Privacy Principles, this Policy, or otherwise in writing; and
- are not legally required to retain your personal information,
then we will take reasonable steps to destroy your personal information or ensure it is de identified.
9. How long can we keep your personal information?
You have a right to request access to the personal information we hold about you.
To access your personal information, please contact the GPT Group Privacy Officer using the details provided in Section 11 below.
Your personal information will usually be made available to you within 30 days of your request. If there is a fee for accessing your personal information, we will confirm the amount and the reason for the fee before providing the information to you. In some circumstances we may decline or be unable to grant you access to your personal information, for example, if the release of your personal information would have an unreasonable impact on the privacy of others, or if we no longer hold your personal information. If we cannot provide you with access to your personal information, we will let you know the reason. We may also require evidence of your identity as part of the process of providing you with access to your personal information.
We will take reasonable steps to ensure the personal information we collect about you or that we use or disclose is accurate, up-to-date and complete. Please let us know if there is a change to any of the details you have given to us.
You have a right to ask us to correct the personal information we hold about you. Please contact the Privacy Officer (see contact details above in section 11).
It is not always possible to remove or modify information in our databases, but we will take reasonable steps to correct your personal information to ensure that it is accurate, up-to-date, complete, relevant and not misleading.
If we decline to make your requested correction, you may request us to attach to your personal information a statement that it is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will take reasonable steps to do this.
If we disclosed your personal information to a third party before correcting it, you may request us to notify the third party of the correction we have made. We will take reasonable steps to do so unless this would be impractical or unlawful.
We won't charge you to request a correction, for making a correction or for attaching a statement to a record.
Please contact the relevant registry if you are an investor and would like to find out how the registry handles your personal information or request a change to the information that the registry holds, using the details below:
GPT Investors - Link Market Services Limited
|Locked Bag A14 Sydney South NSW 1235
|Telephone (outside Australia): +61 2 8280 7176
|Freecall (within Australia): 1800 025 095
Wholesale Fund Investors – Boardroom Pty Limited
|GPT Box 3993 Sydney NSW 2001
|Telephone (within Australia): 1300 721 603
|Telephone (outside Australia): +61 2 9290 9600
10. Making a complaint
If you have a concern about how we have handled your personal information, please let us know so we can address the problem. You can contact the Privacy Officer using the contact details in section 11.
To lodge a formal complaint, please send details to the Privacy Officer in writing. We will attempt to respond within a reasonable time, usually 30 days. GPT treats all privacy complaints seriously and any complaint will be assessed by our Privacy Officer with the aim of resolving the issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need to investigate the complaint.
If your complaint is not resolved by our Privacy Officer, you can refer it to the Office of the Australian Information Commissioner. The contact details are:
Office of the Australian Information Commissioner
GPO Box 2999, Canberra ACT 2601, Australia
Phone: 1300 363 992
Fax: 02 9284 9666
11. Contacting us
If you have any concerns, queries or feedback about this Policy or our privacy practices, or would like to make a complaint about our handling of your personal information, please contact the GPT Group Privacy Officer at:
Att: GPT Group Privacy Officer
Level 51, 25 Martin Place, Sydney, NSW, 2000
Telephone: +61 2 8239 3555
12. Review of Policy
We will review this Policy periodically and may modify and update it at any time. Changes to this Policy will come into effect upon such changes being uploaded to our website. We encourage you to check this Policy and our website from time to time.
If applicable, your continued use of our products and services following our notice to you of any changes to this Policy will constitute your acceptance of these changes.
Date last reviewed and approved: 30 November 2023