This Privacy Notice sets out how Grosvenor obtains, uses and shares your personal information as one of our personnel (i.e. employee, contractor, casual worker, Trustee or non-executive director). For the purpose of this Privacy Notice, ‘we’, ‘us’ and ‘our’ refers to the Grosvenor entity which controls the processing of your personal information (as explained in the Annex) and ‘you’ refers to you (as one of our personnel).
This Privacy Notice explains the following:
- what personal information we may collect;
- what we may use your personal information for;
- who we may share your personal information with;
- how long we store your personal information; and
- your rights regarding your personal information.
Personal information we may process
We will collect personal information about you while you are one of our personnel. This may include the following categories of personal information (depending on the nature of your relationship with Grosvenor):
- Recruitment: Details provided during the recruitment / engagement process may be added to your HR file after you join us (see the Recruitment Privacy Notice). This may include information relating to background, right to work and similar checks.
- Employment / Service: Details relating to your employment, service or position with us, including contracts (where applicable), proposed changes, new arrangements and termination.
- Identification: Contact details and other information needed to confirm your identity (such as your passport number or date of birth). Diversity and inclusion data, where applicable and you choose to provide it.
- Payroll / benefits: Details relating to: (i) your pay, bank account, pension contributions, social security/national insurance contributions and tax payments; (ii) your benefits, such as your pension arrangements, life and medical insurance, child/social care schemes and any bonus or share schemes.
- Leave / Health: This may include details of (i) your attendance, holiday, sickness or other leave of absence and (ii) your health including self-certification forms, fit notes, vaccination history, medical and occupational health tests and reports and conclusions related to fitness for performance for work.
- Work: Information connected with your work, anything you do at work and your performance, including: (i) records of documents and emails created by or relating to you; (ii) management information relating to you (including notes of meetings and appraisal records; (iii) travel and expenses; (iv) learning and training records, including psychometrics; and (v) details of your compliance with our policies.
- IT / Equipment / Office: Information relating to use of Grosvenor IT systems, offices, vehicles and property (including device IDs, Internet history, call logs, office occupancy sensor data, multi-factor authentication logs, entry card logs and data from CCTV, vehicle cameras and Automatic Plate Recognition systems where applicable).
- Legal obligations: Details to meet legal obligations, including director records (qualifications, conflicts, voting preferences) and third party ‘know your client’ checks..
- Disciplinary and Investigations:Any disciplinary, grievance, allegations, investigation and similar which you may be directly or indirectly involved in (whether or not at fault) and interactions with law enforcement and any criminal investigations where applicable.
We may also require you to provide from time to time, certain personal information of other individuals such as your next of kin, family members, emergency contacts or beneficiaries, for the purposes explained below. You are responsible for letting these individuals know before providing their personal information to us and for getting necessary consent and you agree that, when providing the personal information of these individuals, you will be acting on their behalf.
Most of the personal information we process is mandatory for your employment. Some information, for example bank account, next of kin, beneficiary, social event details may be voluntary depending on your region. However, please understand that if you refuse or are unable to provide such voluntary personal information as reasonably requested by us or as listed in this Privacy Notice, we may not be able to proceed with the relevant personnel administrative procedures for you, including but not limited to employee management, payment of salary and bonus, provision of insurance and other benefits. We will explain any significant consequences of choosing not to provide voluntary personal information at the time of collection or refusal of the personal information or on request (as applicable).
Why we process personal information
We may process your personal information for the following purposes:
- Administering your contract, benefits, pay/fees, tax and expenses, including administering payroll, managing working arrangements, checking correct legal working / immigration status, facilitating charity collections, providing learning and development (including psychometric tests), reward and talent management and maintaining our employment/service records.
- Contacting you and your contacts/beneficiaries where appropriate during an emergency, to resolve conflicts of interest, to process any corporate insurance plans and to provide references if requested for future employment.
- Sharing information about Grosvenor (including news and updates on you and your colleagues’ successes on our Intranet and social media pages).
- Enabling, supporting and managing work, performance, leave, social activities and events (including facilitating Grosvenor’s day to day business operations, marketing and customer/client relationships).
- Providing legal, finance, reporting and other professional advice (including planning/forecasting and budgeting human resource costs and expenses) to us and other Grosvenor entities (including their executive committees and boards).
- Ensuring and administering secure, inclusive and productive/efficient physical and digital working environments (including records of site health and safety checks, workstation assessments and monitoring our IT services to: (i) ensure use is in accordance with our IT acceptable use policy and law; (ii) respond to service failures, (iii) assist misconduct investigations; and (iv) manage our networks and IT security).
- Maintaining and responding to compliance reporting (including annual declarations / disclosures) and Speak Up reports and investigating suspected misconduct (including breaches of policy or law).
- Complying with laws, rules, regulations, directives or guidance, and with any industry or professional rules, regulations, practices or codes, relating to Grosvenor’s business activities (including, where applicable, monitoring of diversity, equal opportunity and gender pay gaps).
- Complying with requests made by regulators, governments, tribunals, courts and law enforcement authorities and for any actual or potential dispute or litigation.
- Any sale, merger, acquisition, disposal or similar change of Grosvenor businesses.
- Keeping and maintaining the historical records of Grosvenor and its businesses.
How we share personal information
We may share personal information with any of the following recipients:
- Other Grosvenor entities that: (i) manage Grosvenor, Grosvenor Property, Grosvenor Family Office and Rural Estates and/or Grosvenor Food and AgTech; (ii) we work with or on their behalf; or (iii) provide services to us (for example, managing Grosvenor’s IT services).
- If you are a contractor, the third party agency which employs you so we can manage our services contract and they can manage your employment.
- Third party business partners who require your contact details and other information in order to consider and conduct business with us (including ‘know your client’ due diligence checks).
- Third party consultants, managers and service providers that process Grosvenor's employee information on our behalf, such as our payroll service providers, land management companies and organisations that host or support our IT services. Such third party service providers may process your personal information to produce anonymous statistics for product improvement purposes.
- Third party partners that require us to provide personal information for their professional services including airlines, hotels, social media, banks, insurers, auditors, lawyers, accountants and tax advisors. Where they are required to handle your personal information, they will do so in accordance with their own privacy notices and subject to their own professional and legal obligations.
- Notary, regulators, courts, tribunals, arbitrators, governments, law enforcement authorities and similar in connection with regulatory filings, legal and criminal investigations and proceedings.
- Persons connected with any sale, merger, acquisition, disposal, reorganisation or similar change to our business (including any potential or actual purchaser or that business and that purchaser’s advisors).
Storing personal information
In general, we will keep personal information for the duration of your employment / service / position and for a period afterwards. In considering how long to keep a particular category of personal information we will have regard to the purposes for which it is processed, and any purposes which continue to apply even when your employment / service / position has terminated (for example, we may need to keep records to defend Grosvenor in case of a legal claim or threatened claims).
If personal information is only needed for a short period (for example, CCTV images where there are no investigations or proceedings to which they are relevant), we may delete it prior to the end of your employment / service / position with us..However, we will retain some personal information indefinitely, particularly in relation to senior personnel and key roles, as part of the Grosvenor Estate’s historical records (such as documents relating to our COVID response and employee lists). However, please note that these records are not released as part of the accessible historical archive for a period of 100 years (which is designed to ensure information relating to living individuals is not accessible).
Your rights regarding the personal information you provide to us
Depending on the type of personal information, why it is being processed and your location, you may have rights under applicable data protection and privacy laws. These may include:
- A right to receive information about our processing of your personal information, such as what is collected, where it is obtained from, what it is used for, whether it is disclosed and to whom.
- A right to receive a copy of your personal information we hold about you.
- A right to correct inaccurate or incomplete personal information we hold about you
- A right to require us to stop or to restrict our processing (including transfer to third parties) of your personal information (particularly where unlawfully used or obtained).
- A right to require the erasure of personal information we hold about you once it is no longer necessary for the purposes the personal information was collected or is being processed.
If you wish to exercise any of these rights, or if you have a complaint about how we manage your personal information, please contact us using the details in section 7. If you are not satisfied with our response, please note that you may also be able to complain to your local government agency which regulates the protection of personal information (see the Annex).
If you have any questions, comments or requests regarding any aspect of this Privacy Notice, please contact the Grosvenor Estate entity which controls the processing of your personal information using the details in the Part 1 of the Annex (marked for the attention of: Human Resources Director) or send an email to: email@example.com.
Part 1 – Grosvenor HR Data Controllers
The Grosvenor entity which controls the processing of your personal information will be one of the entities listed below. Your contract (or your employer’s contract) with Grosvenor should identify the relevant entity. Otherwise, the relevant entity is as listed below for your country and part of Grosvenor. If you are a Trustee, the relevant entity is listed under 'Family Office'.
Grosvenor Family Office and Rural Estates
The 4th Duke of Westminster's 1964 Settlement Trust, Eaton Estate Office, Eccleston, Chester, CH4 9ET
Grosvenor Diversified Property Investments
(each of 70 Grosvenor Street, London, W1K 3JP)
Grosvenor Property UK
- Grosvenor Estates Belgravia
- Grosvenor Estate Management Limited
- Grosvenor Property Management Services Limited
- Realty Insurances Ltd.
(each of 70 Grosvenor Street, London, W1K 3JP)
Grosvenor Property Europe
- Grosvenor Estate Management Limited, 70 Grosvenor Street, London, W1K 3JP
- Grosvenor Continental Europe SAS, 69 Boulevard Haussmann, 75008 Paris, France
- Grosvenor RE Spain, S.L.U, Calle de Genova 17 Block 3ºA, 28004 Madrid, Spain
- Grosvenor Fund Management CE S.A, 46a Avenue John F Kennedy 1855, Luxembourg
- Grosvenor FM Sweden AB, Arsenalsgatan 2, Stockholm, 111 47, Sweden
Grosvenor Property Asia
Grosvenor Limited, 1910 Jardine House, 1 Connaught Place, Central, Hong Kong
Grosvenor Management Consulting (Shanghai) Ltd of Unit 4108, HKRI Centre One, HKRI Taikoo Hui, 288 Shimen Yi Road, Shanghai, 200041, China
Grosvenor Limited Japan Branch of 15F Otemachi Financial City South Tower, 1-9-7 Otemachi, Chiyoda-ku, Tokyo, Japan
Grosvenor Property Americas
- Grosvenor USA Ltd., 1 California Street, Suite 3000, San Francisco CA 94111, USA
- Grosvenor Canada Limited, 1040 W. Georgia Street, #2000, Vancouver BC V6E 4H1, Canada
Grosvenor Food and AgTech
- Wheatsheaf Group Limited (UK), The Quarry, Hill Road, Eccleston, Chester, CH4 9HQ.
- Wheatsheaf Group US Inc, 3000 El Camino Real, Building 4, Suite 200, Palo Alto, 94306, USA
Part 2 – Regional Specific Information
You may have the additional right to establish guidelines for the conservation, deletion and communication of your personal information after your death.
b) Europe (UK / EU)
Legal basis for processing personal data
As one of our personnel, where your personal information is processed by us or on our behalf, one of the following legal grounds will apply:
- Contract – In most cases we process your personal information because it is necessary for performance of your employment or services contract with us.
- Legal obligations – Occasionally we also process your personal information because it is necessary to comply with our legal obligations (for example providing a safe place of work and avoiding unlawful discrimination).
- Legitimate interests – Your personal information may also be processed where it is necessary for our or a third party’s legitimate interests (for example, we may allow our third party IT vendors to use personal information in their systems for product development). This would only occur where steps have been taken (if needed) to ensure those interests are not overridden by your own privacy interests, rights and freedoms (for example, the IT provider might commit to anonymise your personal information first before using it for product development to protect your privacy).
- Consent - In general the processing of your personal information in connection with your employment / engagement is not conditional on your consent. There may be occasions where we would like to do specific things that do not fall within one of the above grounds and we rely on your consent to do so. In these cases, we will you for your consent in advance. Your decision whether to agree is entirely up to you and you can withdraw your consent at any time.
Some personal information processed by us or on our behalf is considered special (sensitive) under UK / EU privacy law. In these cases, one of the following additional grounds will apply:
- Employment law obligations/rights: For example, we might need to process personal information the law considers to be sensitive to provide you with the right office chair or investigate allegations of misconduct;
- Legal purposes: We might need to process sensitive personal information to establish, make or defend legal claims;
- Health: For example, subject to applicable law, we may need to: (i) provide health care or treatment, medical diagnosis, and assess of your working capacity; and/or (ii) consider conclusions received from independent medical examinations to confirm you are fit for work;
- Diversity and Inclusion: Where the law permits, we may process racial or ethnicity information to assess our organisation’s equality and diversity;
- Information you make public: For example, we are proud to facilitate several employee networks across the Grosvenor Estate (such as Pride@Grosvenor) and this may necessarily involve processing sensitive personal information;
- Vital interests: It may be necessary to process sensitive personal information to protect your vital interests or those of another natural person where you are physically or legally incapable of giving consent (for example, in a medical emergency); and
- Consent: We might also process more sensitive personal information in other situations if permitted by law and we have obtained your explicit consent.
Transfers outside of the UK/EU
Where personal information is transferred outside of the UK / EU for the purposes explained in this privacy notice, we will ensure that the recipient is subject to standard contractual clauses approved by the European Commission or such other safeguards as permitted by the UK Data Protection Act 2018 or the General Data Protection Regulation. If you wish to see details of these safeguards, please contact us using the details in section 7.
c) Californian Residents
If you are a California resident, in addition to some of the rights referred to in Section 6, under the California Consumer Privacy Act (CCPA) you may also have the following rights:
- the right to “opt out” of the sale of your personal information to a third party.
- the right to receive equal service and pricing even if you exercise your rights under the CCPA.
The personal information that is collected, and its sources and uses, is more fully described in the body of this notice above. We do not sell your personal information to third parties.
1. Any cross-border transfer of personal information will be conducted in accordance with the applicable Chinese law, including but not limited to the Cybersecurity Law of the People's Republic of China and its relevant implementation regulations governing cross-border data transfers (if any). We will require the overseas data recipients to protect your personal information in accordance with the applicable local personal information protection laws and ensure the level of protection for the transferred personal information is at least comparable to the personal information protection offered under Chinese law
2. You acknowledge that where it is permitted by Chinese law, if it is not possible or practical for us to comply with your request of exercising your data subject rights under Chinese law, we are entitled to decline your request in whole or in part by providing you with a reason of refusal, within a reasonable time.
Specifically, in the following circumstances, we are entitled to decline your request:
- If the information requested is directly related to our compliance with the relevant laws and regulations;
- If the information requested is directly related to national security, national defence;
- If the information requested is directly related to public security, public health and safety, and major public interests;
- If the information requested is directly related to criminal investigation, prosecution, trial and execution of judgement;
- If we have reasonable evidence to prove that you have malicious intent or intends to abuse your data subject rights;
- Response to your request will lead to the infringement of lawful right and interest of you or other individuals, entities or organizations;
- If the information requested is related to the protection of the vital interests (e.g. life, property) of you or another natural person while it is hard to obtain your consent; and
- If the information requested is related to trade secret.
In the event that you wish to make a complaint as referred to in section 6, the following organisations may be of assistance depending on the jurisdiction:
- UK: Information Commissioner’s Office (https://ico.org.uk/)
- France: Commission Nationale de l'Informatique et des Libertés (website).
- Luxembourg: Commission Nationale pour la Protection des Données (website).
- Spain: Agencia de Protección de Datos (website).
- Sweden: Datainspektionen (website).
- Hong Kong: Privacy Commissioner for Personal Data (link).
- Mainland China: Central Cyberspace Affairs Commission (website)
- Japan: Personal Information Protection Commission (link).
- Canada: Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/en/)
- California: Office of the Attorney General, California Department of Justice (https://oag.ca.gov/privacy)
Last updated February 2022