Introduction

This Employee Privacy Policy (the “Policy”) explains how The Arts Club (“we”, “us”, or “our”) collects, uses, stores, and protects the personal data of our employees, workers, contractors, and job applicants (collectively referred to as “you” or “employees”). We are committed to protecting your privacy and ensuring compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant UK data protection laws.

The Arts Club is a distinguished private members’ club based in Mayfair, London, serving as a home to a community of discerning thinkers and thought leaders with a shared appreciation for the arts and culture. As a UK-based organisation, we act as the data controller for your personal data, meaning we determine the purposes and means of processing it. Our registered address is 40 Dover Street, London W1S 4NP.

This Policy applies to all personal data we process in the context of your employment or application with us. It does not cover data processed for member services, which is addressed in our separate Privacy Policy (available on our website). We may update this Policy from time to time and will notify you of any significant changes.

If you have any questions about this Policy, please contact our Data Protection Officer (DPO) at privacy@theartsclub.co.uk or via post at the address above.

Personal Data We Collect

We collect and process various types of personal data necessary for managing our employment relationship with you. This may include:

• Identification and Contact Information: Name, date of birth, gender, marital status, nationality, contact details (e.g., address, email, telephone numbers), emergency contact details, and next of kin.
• Employment-Related Information: CV, application forms, references, qualifications, employment history, job title, salary, benefits, performance reviews, disciplinary records, and absence records (including sickness and holiday).
• Financial Information: Bank account details, tax codes, National Insurance number, payroll records, and pension details.
• Health and Sensitive Data: Medical history, health assessments, occupational health records, disability information, and sickness absence details (where necessary for health and safety or to comply with legal obligations). We may also process data related to criminal convictions if required for certain roles (e.g., DBS checks for roles involving vulnerable individuals or security).
• Diversity and Equality Data: Information on ethnicity, religion, sexual orientation, or other protected characteristics (collected anonymously where possible for monitoring purposes).
• Technical Data: IP addresses, login data, and usage information from our IT systems, including email and internet monitoring (in accordance with our Acceptable Use policy).
• Other Data: Photographs for ID badges, CCTV footage from our premises for security purposes, and biometric data if used for access control.

We only collect sensitive personal data (special categories under UK GDPR) with your explicit consent or where it is necessary for employment law purposes, such as ensuring health and safety or fulfilling equality obligations.

How We Collect Your Personal Data

We collect personal data from various sources, including:

• Directly from you during the recruitment process, onboarding, or throughout your employment (e.g., via application forms, interviews, or employee self-service portals).
• From third parties, such as recruitment agencies, previous employers (for references), occupational health providers, or government bodies (e.g., HMRC for tax purposes).
• Automatically through our systems, such as time-tracking software, email monitoring, or CCTV.
• From public sources where relevant, such as professional networking sites during recruitment.

Purposes and Legal Bases for Processing

We process your personal data for legitimate employment-related purposes. The legal bases under UK GDPR include:

• Performance of Contract: To fulfil our employment contract with you, such as paying salaries, providing benefits, and managing performance (Article 6(1)(b)).
• Legal Obligations: To comply with employment, tax, health and safety, and immigration laws (Article 6(1)(c)), e.g., reporting to HMRC or conducting right-to-work checks.
• Legitimate Interests: For business operations, such as workforce planning, security monitoring, and internal audits (Article 6(1)(f)). We conduct balancing tests to ensure our interests do not override your rights.
• Consent: For optional activities, such as sharing your details in company directories or processing health data beyond what is legally required (Article 6(1)(a)). You can withdraw consent at any time.
• Vital Interests: In emergencies, to protect your health or safety (Article 6(1)(d)).
• For Special Category Data: Explicit consent (Article 9(2)(a)), employment law necessities (Article 9(2)(b)), or medical diagnosis by professionals (Article 9(2)(h)).

Specific purposes include:

• Recruitment and selection.
• Administering payroll, pensions, and benefits.
• Performance management and training.
• Health and safety compliance.
• Diversity monitoring.
• Dispute resolution and legal claims.
• Business continuity and IT security.
• Managing club operations, including event staffing and member interactions.

Sharing Your Personal Data

We may share your personal data with trusted third parties where necessary, including:

• Service providers: HR software providers, payroll processors, pension administrators, and occupational health services.
• Professional advisors: Lawyers, auditors, and insurers.
• Government authorities: HMRC, the Home Office, or regulatory bodies as required by law.
• Affiliates: Limited sharing with partners such as Lanserhof for operational purposes, subject to data protection agreements.
• In the event of a business transfer: To potential buyers or successors.

All third parties are required to respect the security of your data and process it only in accordance with our instructions and UK data protection laws. We do not sell your personal data.

International Data Transfers

As a UK-based organisation, most processing occurs within the UK. If we transfer data outside the UK (e.g., to international affiliates or service providers), we ensure adequate safeguards, such as UK International Data Transfer Agreements (IDTAs) or reliance on adequacy decisions.

Data Retention

We retain your personal data only as long as necessary for the purposes outlined above or to meet legal requirements. For example:

• Recruitment data: 6 months after the process ends (or longer if successful).
• Employment records: 6 years after employment ends (for tax and legal claims).
• Health records: Up to 40 years for occupational health purposes.

Data is securely deleted or anonymised when no longer needed.

Your Rights

Under UK GDPR, you have rights regarding your personal data, including:

• Access: Request a copy of your data.
• Rectification: Correct inaccurate data.
• Erasure: Request deletion in certain circumstances.
• Restriction: Limit processing.
• Objection: Object to processing based on legitimate interests.
• Portability: Receive data in a transferable format.
• Withdraw Consent: Where processing relies on consent.

To exercise these rights, contact our DPO. We will respond within one month. There is no fee unless requests are excessive. You also have the right to complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk.

Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption, access controls, regular security audits, and staff training. In the event of a data breach, we will notify you and the ICO where required.

Changes to This Policy

We may update this Policy to reflect changes in our practices or legal requirements. Updates will be communicated via email or our intranet, with the effective date noted below.

This Policy was last updated on 24 October 2025.

If you have concerns, please contact privacy@theartsclub.co.uk.