Personnel privacy notice

1. What is this notice about?

This privacy notice sets out how Grosvenor obtains, uses and shares your personal information as one of our personnel (i.e. employee, apprentice, contractor, casual worker, trustee or non-executive director).  For the purpose of this Privacy Notice, ‘we’, ‘us’ and ‘our’ refers to the Grosvenor entity which controls the processing of your personal information (as explained in the section 2 'Data controllers') and ‘you’ refers to you (as one of our personnel).

2. Data controllers 

All Grosvenor Entities including:

UK: GHH (POC) Limited; Grosvenor Estate Management Limited; Grosvenor Estates Belgravia; Grosvenor Food & AgTech Limited; Grosvenor Group Management Services Limited; Grosvenor Property Management Services Limited; Realty Insurances Ltd; The 4th Duke of Westminster's 1964 Settlement Trust

Europe: Grosvenor Continental Europe SAS

Asia: Grosvenor Property Asia Limited

Americas: Grosvenor Canada Limited; Grosvenor Food & AgTech US Inc; Grosvenor USA Limited

We will collect personal information about you while you are one of our personnel.  This may include the following categories of personal information (depending on the nature of your relationship with Grosvenor):

Recruitment:

During your onboarding we may ask for reference(s) from previous employer(s) and/or utilise external screening company to complete employment checks. When we check references ourselves, we may process the name, email and company details of your previous employer, as well as basic details about your employment there.  Details provided during the recruitment and/or engagement process may be added to your HR file after you join us.  This may include information relating to background, right to work and similar checks.  

For employees in the UK and Europe, the legal basis we rely on for this in GDPR are:

• Article 6(1)(c): Legal Obligation
• Article 6(1)(b): Contract
• Article 6(1)(f): Legitimate Interest.  

Employment or engagement with us

During your time with us, we may need to collect and use some of your personal information to manage your employment or engagement with us. This could include details about your assessments, attendance, performance, and training. The information we might collect may include but not limited to, your name, job title, type of employment, address, phone number, date of birth, personal identity number, personal email address, entry card logs and data from CCTV, vehicle cameras and Automatic Plate Recognition systems.  We may also require you to provide from time to time, certain personal information of other individuals for emergency contact purposes.

For employees in the UK and Europe, the legal basis we rely on for this in GDPR are:

• Article 6(1)(b): Contract
• Article 6(1)(f): Legitimate Interest.  

Remuneration and benefits 

To provide any remuneration, bonus or share schemes, expenses, insurance, pension and any other benefits, and we may need your name, address, date of birth, gender (for pensions), salary, role, bank account details and tax information.  We may also require you to provide from time to time, certain personal information of other individuals such as your next of kin, family members or beneficiaries.

For employees in the UK, the legal basis we rely on for this in GDPR are:

• Article 6(1)(b): Contract
• Article 6(1)(c): Legal Obligation

Health

We may need to process personal information about your health and sickness to be able to accommodate your requirements.

For employees in the UK and Europe, the legal basis we rely on for this in GDPR are:

• Article 6(1)(c): Legal Obligation
• Article 6(1)(f): Legitimate Interest. 
• Article 9(2)(a): Explicit Consent
• Article 9(2)(b): Employment, Social Security, and Social Protection Law

Inclusion

You might choose to provide us with information related to diversity, inclusion and social mobility.

For employees in the UK and Europe, the legal basis we rely on for this in GDPR are:

• Article 6(1)(f): Legitimate Interest.  
• Article 9(2)(a): Explicit Consent
• Article 9(2)(b): Employment, Social Security, and Social Protection Law

4. Who we share your personal information with?

• managing your employment or engagement
• complying with legal requirements
• where we are legally required such as to law enforcement and regulatory bodies
• supporting any benefits provided such as food vouchers, health insurance
• processing payroll-related data
• protecting our legitimate interests such as preventing fraud and ensuring workplace safety
• providing professional services, such as accountants, airlines, auditors, banks, courts, due diligence and checks providers, hotels, insurers, lawyers, social media, and tax advisors
• processing information on our behalf, such as payroll service providers, land management companies and organisations hosting or supporting our IT
• producing anonymous statistics for product improvement purposes
• in the event of a corporate sale, merger, dissolution or similar activity

Where they are required to handle your personal information, third parties will do so in accordance with their own privacy notices and subject to their own professional and legal obligations.

We may need to share your personal information with the Grosvenor trustees and/or members of the Grosvenor Family.  This is necessary to ensure that they are informed about key aspects of the business, including employee management. The types of personal information we may share include, but are not limited to, your name, contact details, employment details, and any other relevant information necessary for business operations.

5. Storing personal information

In general, we will keep personal information for the duration of your engagement and for a period afterwards.  In considering how long to keep a particular category of personal information we will have regard to the purposes for which it is processed, and any purposes which continue to apply when you left us (for example, we may need to keep records to defend Grosvenor in case of a legal claim or threatened claims).

If personal information is only needed for a short period (for example, CCTV images where there are no investigations or proceedings to which they are relevant), we may delete it prior to the end of your engagement.

However, we will retain some personal information indefinitely, particularly in relation to senior personnel and key roles, as part of the Grosvenor’s historical records. However, please note that these records are not released as part of the accessible historical archive for a period of 100 years (which is designed to ensure information relating to living individuals is not accessible by the public).   Appendix A outlines what personal information is retained for employees whose contract has been terminated and retained permanently.

6. Where do we store personal information?

All information you provide to us is stored securely, including anything that is held on paper.

We may collect personal information using cloud-based applications and may make use of cloud collaboration services or similar shared user interfaces. Where any of these cloud-based applications are headquartered outside the EEA or countries deemed ‘adequate’ by the EU or UK, for the transfer of personal information we will have appropriate agreements and safeguards in place such as International Data Transfer Agreements, Transfer Assessments and appropriate certifications.

7. Your rights

UK and EU

Your personal information is yours and you have rights in relation to it granted by the GDPR, which include:

• The right to be informed: You have the right to be informed about the collection and use of your personal information, the purposes for processing, retention periods for that personal information and who it will be shared with. We have set out this information in this privacy notice.
• The right of access: You have the right to ask us for copies of the personal information we hold about you. If you ask us, we’ll confirm whether we’re processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details).
• The right to object: You have the right to ask us to stop processing your personal information in some circumstances, such as when we are relying on our own (or someone else’s) legitimate interests to process your personal information, when we are processing your personal information for direct marketing or when we are processing your personal information for research.
• The right to rectification: You have the right to ask us to rectify the personal information you think is inaccurate or to complete information you think is incomplete. When you ask us to rectify your information, if we’ve shared your personal information with others, we’ll let them know about the rectification where possible.
• The right to erasure: You have the right to ask us to erase your personal information, in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable).
• The right to restrict processing: You have the right to ask us to restrict the processing of your personal information for a period of time in some circumstances, such as where you contest the accuracy of that personal information or object to us processing it. This right is separate from the right to object and will only stop us from using your personal information further, not from processing it. If we’ve shared your personal information with others, we’ll let them know about the restriction where possible.
• The right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to someone else, in some circumstances.

You don't have to pay anything to exercise your rights. Please contact us by sending an email to data.protection@grosvenor.com or call us on +44 (0) 20 7408 0988 if you wish to make a request under your rights. We have a calendar month to get back to you with a response.

USA

• The right to know: You have the right to ask a business to disclose what personal information they have collected, used, shared or sold about you and why it was collected, used, shared or sold. You have the right to this information for the 12-month period preceding your request. The personal information should be provided in a portable format.
• The right to opt-out of sale: You have the right to ask a business to stop selling your personal information (”opt-out”). With some exceptions, a business cannot sell your personal information if they receive an opt-out request unless you provide authorisation allowing them to again.
• The right to delete: You have the right to request that businesses delete personal information they collected about you and to tell their service providers to do the same. There are some exceptions that allow businesses to retain your personal information.
• The right to non-discrimination: Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the California Consumer Privacy Act (CCPA).
• The right to rectification: You have the right to ask us to rectify the personal information you think is inaccurate or to complete information you think is incomplete. When you ask us to rectify your information, if we’ve shared your personal information with others, we’ll let them know about the rectification where possible.
• The right to limit use of sensitive information: You have the right to ask us to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested. If we’ve shared your personal information with others, we’ll let them know about the restriction where possible.

You don't have to pay anything to exercise your rights for the first two requests within a 12-month period. Please contact us by sending an email to: data.protection@grosvenor.com or call us + 1628 244 0010 if you wish to make a request under your rights.  We have 45 days to get back to you with a response.

Canada

Your personal information is yours and you have rights in relation to it granted by the Personal Information Protection and Electronic Documents Act (PIPEDA) and other provincial privacy laws:

• Right to Access: Individuals have the right to request access to their personal information held by an organization. This includes knowing what personal information is being collected, how it is being used, and with whom it is being shared.
• Right to Correction: If personal information is inaccurate or incomplete, individuals have the right to request corrections to their personal information.
• Right to Withdraw Consent: Individuals can withdraw their consent for the collection, use, or disclosure of their personal information at any time, subject to legal or contractual restrictions.
• Right to Complain: Individuals can file a complaint with the Office of the Privacy Commissioner of Canada if they believe their privacy rights have been violated.
• Right to Data Portability: Although not explicitly stated in PIPEDA, some provincial laws provide the right to data portability, allowing individuals to obtain and reuse their personal information across different services.
• Right to be Informed: Individuals have the right to be informed about the purposes for which their personal information is being collected, used, and disclosed¹.
• Right to Restrict Processing: In certain circumstances, individuals can request that an organization restrict the processing of their personal information.

You don't have to pay anything to exercise your rights. Please contact us by sending an email to: data.protection@grosvenor.com  or call us +1 604 683 1141 if you wish to make a request under your rights.  We have 30 days to get back to you with a response.

China

Any transfer of your personal information outside of China will follow the relevant laws, including the Cybersecurity Law of the People's Republic of China and its regulations on cross-border data transfers. We will require that the recipients of your personal information in other countries protect it according to the local laws and maintain a level of protection that is at least as strong as the protection provided under Chinese law.

You acknowledge that, where permitted by Chinese law, if it is not possible or practical for us to comply with your request to exercise your data subject rights under Chinese law, we may decline your request in whole or in part by providing a reason for the refusal within a reasonable time.

Specifically, in the following circumstances, we are entitled to decline your request:

• If the information requested is directly related to our compliance with the relevant laws and regulations;
• If the information requested is directly related to national security, national defence;
• If the information requested is directly related to public security, public health and safety, and major public interests;
• If the information requested is directly related to criminal investigation, prosecution, trial and execution of judgement;
• If we have reasonable evidence to prove that you have malicious intent or intends to abuse your data subject rights;
• Response to your request will lead to the infringement of lawful right and interest of you or other individuals, entities or organizations;
• If the information requested is related to the protection of the vital interests (e.g. life, property) of you or another natural person while it is hard to obtain your consent; and
• If the information requested is related to trade secret.

8. Our contact details

If you have any questions, comments and/or concerns about our use of your personal information, please let us know by emailing us at data.protection@grosvenor.com.

If you are not satisfied with our response or are unhappy with how we have used your personal information, you can complain to a data protection authority:

For the UK, the Information Commissioner's Office contact details are Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; telephone: 0303 123 1113; website: https://www.ico.org.uk

For France, the Commission Nationale de l'Informatique et des Libertés contact details are: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France; telephone: +33 1 53 73 22 22; website: CNIL

For California, the Office of the Attorney General, California Department of Justice’s contact details are: P.O. Box 944255, Sacramento, CA 94244-2550; telephone: 1-800-952-5225 (Toll-free in California) or 916-210-6276; website: https://oag.ca.gov/privacy

For Canada, the Office of the Privacy Commissioner of Canada’s contact details are: 30 Victoria Street, Gatineau, Québec K1A 1H3; telephone: 1-800-282-1376 (Toll-free) or 819-994-5444; website: https://www.priv.gc.ca/en/

For Hong Kong, the  Office of the Privacy Commissioner for Personal Data contact details are: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong' telephone: +852 2827 2827; website: PCPD

If you have any questions, comments or requests regarding any aspect of this Privacy Notice, please contact the Grosvenor Estate entity which controls the processing of your personal information using the details in the Part 1 of the Annex (marked for the attention of: Human Resources Director) or send an email to: data.protection@grosvenor.com.

Appendix A: Personal information retained permanently

The following is the information taken from our HR system for employees whose contract has been terminated and retained permanently:

• Full Legal Name
• Preferred Name
• Business Title
• Cost Centre
• Company
• Location
• Employee ID
• Position
• Job Profile
• Worker Type
• Employee Type
• Management Level
• Time Type
• FTE
• Hire Date
• Termination Date – All
• Primary Termination Reason
• Length of Service – Worker
• Time in Position
• Work Address – Full
• Supervisory Organization
• Date of Birth
• Worker's Manager(s)

Last updated November 2024