Our Privacy Promise
Artfarm Ltd is an independent hospitality and development company, bringing together art, community, education, people and places. At the heart of why we do it, is our passion to create original, unforgettable moments for our customers and looking after the personal data they share with us is an important part of these experiences.
This Policy demonstrates our promise to protect the privacy and security of your personal data.
We are committed to being transparent about the ways in which we intend to use your data and provide you with choices about how we use it so you can be confident that your data is safe and secure with us.
We are happy to provide any additional information or explanation needed and/or answer any questions you may have (please refer to the “Contact us” section below for details on how to contact us).
This Policy describes and oversees the nature of all data that we collect, use and otherwise process about you in connection with your relationship with Artfarm as a guest, patron, visitor, potential customer or as an enquirer. The Scope of the Policy covers the following areas:
• Who we are and how to contact us?
• What is personal data?
• The personal data we collect.
• How we will use the data?
• Where we collect the data from?
• Our legal basis for processing your personal data.
• How long we store data?
• Digital & marketing services
• Disclosures of your personal data.
• Securing your data.
• Your rights and how you can see, update or delete your personal data.
• Our recruitment processes
• Visitor Firearm permits
Who we are?
Artfarm is an independent hospitality and development company owned by Manuela and Iwan Wirth. Artfarm sets new boundaries for what cultural development can achieve. It adapts and reinvents unique sites that come with great stories by bringing together art, community, education, people and place.
Artists are invited to celebrate these stories with site specific commissions. Public programs are created to engage guests with art and locality. The local community is embraced and promoted through a celebration of the culture, customs, food and drink that make each site original.
Artfarm Ltd is registered in England with company number 10950608.
If you have any questions about this Policy, including any requests to exercise your legal rights, please contact us at privacy@Artfarm.com
Artfarm Ltd is Head Quartered at 13 High Street, Bruton, Somerset, United Kingdom, BA10 0AB with a further four sites across the UK. The locations are as follows:
23 Savile Row, London
Durslade Farm (including Roth Bar& Grill, Durslade Farmhouse and Durslade Farm Shop)
The Fife Arms Hotel
The Invercauld Arms Hotel
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would however, appreciate the chance to deal with your concerns or questions before you approach the ICO, so please contact us in the first instance at privacy@Artfarm.com
What is Personal Data?
Personal data means information that relates to an identified or identifiable individual. For example, it can be as simple as a name or a number or could include other identifiers such as an IP address, cookie identifier, payment details, or other factors. For avoidance of doubt, data must ‘relate to’ the identifiable individual to be personal data. This means that it does more than simply identifying a person – it must concern the individual in some way.
Anonymised Data is the process of turning personal information into a form which does not identify individuals and where identification is not likely to take place.
What information do we collect?
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth and gender
- Contact Data includes address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of products and services you may have purchased from Artfarm.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Enquiry Data includes data you provided us with when you contact us (by any means of communication including written communications, via our website, telephone, email, or our social media channels) or when you visit us at any one of our locations.
- Profile Data includes bookings you have made with us in the past, your dietary requirements, travel details, dates of special occasions, preferences, feedback and survey responses.
- Usage Data includes information about how you use our websites, social media channels and when using our WI-FI services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
- Security Data includes CCTV footage to help maintain the safety of our guests, patrons, staff, suppliers and other visitors to our locations. We also use it to protect artefacts, buildings and for the prevention, detection and prosecution of criminal offences. We may also rely on the images to establish, exercise or defend our legal rights. See “CCTV” section for further information.
- Recruitment Data includes data you provide when you apply for a job with Artfarm. This can include your CV, work history, educational details, qualifications, skills, projects, references, proof of entitlement to work in the UK, NI number, your passport or other identity document details, your current level of remuneration (including benefits), the role you’re applying for and any other similar information that you provide to us.
For what purposes do we use your data?
We will use your data for a variety of different purposes some of which will be dependent on the location(s) that you interact with us.
- To facilitate and record your relationship with us. This includes administering your stay with us, managing restaurant reservations, providing special assistance when necessary, travel information and additional activities.
- To process and facilitate transactions and payments.
- To keep you updated on our products and services. For example, sending you any communications relevant to the services or products you’ve requested or purchased from us. This includes sending you emails to notify you of changes to your bookings or itinerary.
- For marketing communications to keep you up to date with our latest news, offers and competitions unless you have told us that you’d prefer not to hear from us. We may do this using analysis compiled from information we have collected from you or which we have generated about you or which we have lawfully received about you from our partners (on the basis of our legitimate interests to provide you with marketing communications where we may lawfully do so or where you have provided your consent). Please see the “Digital & Marketing” section below for more information.
- To personalise and improve your customer experience. We will use your information to provide you with a more personalised service.
- To provide you with customer service and support, deal with your enquiries, scheduling changes, complaints, comments or observations shared with us. This includes interactions on social media platforms such as Facebook, Twitter, Instagram, and LinkedIn in the way of posting updates, responding to comments and messages, posting, retweeting and liking posts.
- To provide you with suggestions and recommendations. To share your information with selected third parties such as suppliers and partners, to enable them to contact you with information about things that may interest you (where we have your consent to do so).
- Where we need to perform the contract, we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with legal or regulatory obligations. For example: o comply with our policies and procedures.
- To protect the rights, property and safety of staff, patrons, guests and other visitors.
- To share your information with our lawyers, technical advisors, law enforcement and other regulatory bodies where necessary.
- To process job applications. We will use your information to process any job applications you submit to us, whether directly or via an agent or recruiter (speculatively or in response to any ad).
Where do we collect your information from?
Most of the personal data we process is provided to us directly by you when you book your stay or reserve a table at any one of our locations.
We may also collect data about you if:
- You provide additional personal data to us when you visit one of our locations such as dietary, special assistance or other useful information to enhance your experience.
- You visit one of our location websites and entre data through a webform. For example, o Sign up to receive a newsletter.
- Sign up to attend an event.
- You give us a business card or meet with one of our representatives at an event.
- You complete a survey.
- You respond to a job vacancy whether directly or via an agent or recruiter (speculatively or in response to any ad).
Legal Basis for Processing
|Data protection legislation states that we must have a legal basis in order to process your personal data. Artfarm relies on 5 out of the 6 bases’ available for processing your data. They are as follows: Lawful basis||What it means|
|We have a contractual obligation||Where you are in a contractual relationship, and we need to process personal information to allow us to perform the contract, or where you intend to enter into a contractual relationship with us.|
|We have a legal obligation||Where we need to process personal information to comply with a legal obligation placed on us.|
|We have a legitimate interest||Where we process your data in a way in which you would reasonably expect us to|
|Your consent||You have given your consent to the processing of personal information for the specified purpose.|
|It is in your vital interests||Where we need to process personal information to protect your life|
Where we rely on your consent to process your data, you are free to unsubscribe at any time by clicking the unsubscribe link in any email you receive from Artfarm or you can email us at privacy@Artfarm.com. When you unsubscribe, your email address will be retained on a system suppression list to ensure you no longer receive emails from us.
How long we keep your data?
We will only retain your personal data for as long as reasonably necessary to enable us to provide you with the services that you have requested from us, fulfil any other purpose we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
We may retain your personal data for a longer period where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person, or in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
We operate a data retention policy and look to find ways to reduce the amount of information we hold and the length of time that we need to keep it. For example:
- We try to adopt a paperless approach wherever possible and securely destroy any paper correspondence we receive on a regular basis unless we are required to retain it for evidential or legal purposes.
- We have assigned Information Asset Owners throughout our locations to help with good data handling governance including retention management.
- We carry out regular audits to ensure data is up-to-date, practice data minimisation where possible and ensure purpose limitation is practiced.
Digital & Market Services
We operate CCTV inside our Braemar premises (The Fife Arms & Invercauld Arms) for the safety and security of staff, guests and patrons and for the protection of the hotel and pub premises. In addition, CCTV increases personal safety particularly at night, when staffing numbers are lower and for the protection of approximately 1600 artefacts held within the building. Further information is available in our CCTV & Monitoring Policy.
Staff working in our London offices may be filmed by CCTV which is owned and operated by the landlords or owners of the buildings in which our offices are situated. Artfarm is not the data controller for this information.
When you use a social media platform and interact with Artfarm, you do so by consenting to the terms & conditions of such platforms. This can include Facebook, Twitter, Instagram, LinkedIn, Pinterest, and YouTube. For more information, please see their individual Terms & Conditions and privacy policies.
E-NEWSLETTERS / MARKETING
We will send you marketing emails and newsletters to keep you updated on our products and services. You can at any time opt out of receiving these emails.
A) For business customers, our lawful basis is legitimate interest as it’s necessary to inform business customers and stakeholders about our products/services to grow their business offering and ours. Your information will be securely destroyed 3 years from the last recorded interaction.
B) For our guests, patrons and visitors, our lawful basis is consent and will be securely destroyed 1 month after consent is withdrawn.
Artfarm currently use CCTV in The Fife Arms & Invercauld Mews in Braemar, Scotland. These systems are in place to for the safety and security of staff, guests, visitors, for the protection of the hotel and public house premises, to increase personal safety particularly at night, when staffing numbers are lower and for the protection of artefacts held within the buildings. Artfarm does not use these systems for anything other than personal safety and the safeguarding of properties.
Artfarm retains all recorded information for 28 days only, unless there is a specific reason to hold onto the footage for longer, for example a health and safety action or for criminal evidence. An individual has a right to access their own image by submitting a Subject Access Request, however, does not have the right to the images of other guests or visitors to any of our locations.
Police Scotland or the Courts may ask for a recording to be used as evidence. The Police must request footage via the relevant release forms, and these will be approved and released by a member of the Artfarm team. Any enquires relating to CCTV footage must be directed to privacy@Artfarm.com.
Disclosures of your Personal Data
We may share your personal data with data processors for the purpose of providing our services and products on the lawful grounds described above. Our authorised data processors are subject to comprehensive due diligence and security checks and bound by contractual obligations in-line with current data protection legislation.
We know how important it is to protect and manage your personal data. We take robust security measures to help protect your personal data from accidental loss and from unauthorised access, use, alteration and disclosure. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by organisations operating outside the EEA such as our Third Party IT/Application suppliers. We put in place appropriate protections to make sure your personal data remains adequately protected and that it is treated in line with this Policy. These protections include, but are not limited to, appropriate security measures, standard contract clauses such as those approved by the European Commission.
We have also put in place policies & procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Some of the steps we use to protect your information from unauthorised access, use or alteration and unlawful destruction, include where appropriate:
- Using Secure Sockets Layer (SSL) encryption when collecting or transferring sensitive information, SSL encryption is designed to make the data unreadable by anyone but us.
- Limiting access to the data we collect about you (for instance, only those of our personnel who need your data to carry out our business activities are allowed access).
- Ensure the physical and digital security of our equipment, devices and systems by mandating appropriate password protection, encryption and access restrictions.
- Ensure appropriate access controls so that access to your data is only granted to those of our people that need to use it in the course of their work.
- Carry out regular penetration testing of our systems and Third Party reviews of our software.
- Maintain internal policies and deliver robust data protection and data handling training to ensure our people also understand their responsibilities in looking after your data and commit to taking appropriate measures to enforce these responsibilities.
Your credit card data is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted. All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
Under data protection legislation, you have certain rights as an individual which you can exercise in relation to the data, we hold about you.
In some situations, you may have the;
- Right to request access. You have the right to access the data that we hold on you. To do so, you should make a subject access request.
- Right to request correction. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it.
- Right to request erasure. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.
- Right to object to the inclusion of any data. In situations where we are relying on a legitimate interest (or those of a third party) you have the right to object to the way we use your data where we are using it.
- Right to request the restriction of processing. You have the right to ask us to stop the processing of data of your personal data. We will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
- Right to portability. You may transfer the data that we hold on you for your own purposes.
- Right to request the transfer. You have the right to request the transfer of your personal data to another party.
Individuals can find out if we hold any personal data by making a ‘right of access’ request. More information can be found at https://ico.org.uk.
If we do hold data about you, we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell how long we keep in for and the lawful basis for doing so;
- Tell you who it could be disclosed to; and
- Let you have a copy of the data in an a commonly used electronic format, unless the individual requests otherwise.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific data from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Our Recruitment Process
Artfarm Ltd is the Data Controller for the data you provide during the recruitment process unless otherwise stated. If you have any queries about the process or how we handle your data, please contact us by email: privacy@Artfarm.com
WHAT INFORMATION DO WE ASK FOR & WHY?
The personal data we may collect from you includes:
• Contact details such as name, title, addresses, telephone numbers, and personal email addresses.
• Copies of driving licence or passport.
• Evidence of how you meet the requirements of the job, including CVs and references.
• Information about your health, including any medical needs or conditions.
• Other information required for some applications.
• If you contact us regarding your application, a record of that correspondence.
• Details of your use of our recruitment tools and services, such as your candidate profile and alerts for vacancies.
• The status of your application and updates on how it moves forward.
We do not collect more information than we need to fulfil our stated purposes. Information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask, but it might affect the progression of your application to the next stage.
WHAT WILL WE DO WITH THE DATA YOU PROVIDE TO US?
All the information you provide during the process will be used solely for the purpose of progressing your application, and to fulfil legal or regulatory requirements where necessary. We will use the contact data you provide to us to contact you and progress your application. We use the additional data you provide to assess your suitability for the role you have applied for.
PERSONAL DATA PROVIDED BY RECRUITMENT AGENCIES
Occasionally, Artfarm will procure the services of recruitment agencies to attract the right persons for a particular job role. During this recruitment process, the agency remains the Data Controller and only once a job offer has been made to you and accepted, will we seek personal data from the agency to begin the onboarding process.
We have put in place measures to protect the security of your information. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we only give access to your personal information to those employees, agents, contractors and other third parties who need to work on your recruitment process. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
As per Data Protection Act 2018 and EU Directive 95/46/EC we process your information for recruitment under the following lawful bases:
• Contract – Processing your data is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks.
• Legal obligation – The law requires Artfarm to check that candidates are entitled to work in the UK.
WILL YOU SHARE MY INFORMATION OUTSIDE THE UK OR EEA?
We will not share any of the information provided to us during the recruitment process externally. We may however, share candidate information with other areas of the Artfarm business that are based outside the UK and Europe, for example the United States. Your data will only be shared when you have expressed an interest for a position in that location and provided consent.
RETENTION OF INFORMATION
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for.
If you’re unsuccessful in your application, Artfarm would still like to stay in touch with you for future opportunities that might be a good fit. We add your application to our candidate Talent Pool which retains your details on file for up to 12 months with our HR Management System. All information is securely destroyed on reaching its retention threshold.
Information relating to candidates that have been successful in their appointment will be retained in line with the Artfarm Retention Schedule.
All your personal data, including CV and all applications (live and closed) associated with you, will be retained in the Talent Pool until the date falling 12 months from the date on which your CV was submitted to the Talent Pool. In addition, if and when an application is successful, and you become an employee, all your personal data will be securely removed from the Talent Pool.
Please let us know if you do NOT wish to participate by emailing us at peopleteam@Artfarm.com
REFER A FRIEND INITIATIVE
Artfarm actively encourages team members to introduce potential candidates through our Refer a Friend Initiative. For avoidance of doubt, the introducing team member must gain the explicit verbal consent of the candidate before submitting the Recommend a Friend form and relevant CV. CVs will be retained in the before mentioned Talent Pool until the date falling 12 months from the date on which your CV was submitted. If and when an application is successful, and you become an employee, all your personal data will be securely removed from the Talent Pool.
Please let us know if you do NOT wish to participate by emailing us at peopleteam@Artfarm.com
Candidate information will be shared through our HR Management System with the appropriate hiring managers along with the People Team to shortlist applications for interview.
If we make a conditional offer of employment, we will ask you for further information so we can carry out pre-employment checks. You must successfully complete pre-employment checks in order for the offer to be deemed final. We are required by law to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
• Personal Information – including Name, DOB, Contact Details, National Insurance Number – to input onto our HR Management System.
• Bank details – to process salary payments.
• Emergency contact details – so we know who to contact in case you have an emergency at work.
• A copy of your proof of your identity and right to work documentation – to confirm your rights to work in the United Kingdom. Note: You will be asked to bring the original version of your right to work documentation and photographic identification on your first day of work to show the People Team to verify it is a true likeness of the copy previously submitted.
• We will contact your referees, using the contact data provided in your application.
• Optional Health and Wellbeing form.
You have the right to:
• Request access to your personal information (known as a ‘data subject access request’) to request access. You’ll receive a copy of the personal information we hold about you, so you can check that we are lawfully processing it.
• Request that if any data that we hold about you is incomplete or inaccurate, you can ask us to correct it.
• Request that we delete or remove your personal information – you can do this when there is no good reason for us to keep it object to the inclusion of any information. In situations where we are relying on a legitimate interest (or those of a third party) you have the right to object to the way we use your data where we are using it.
• Withdraw your consent for any data processed under the lawful basis of consent.
• Request we restrict the processing of your personal information – you can ask us to stop processing your personal information, for example if you want us to establish its accuracy or the reason for processing it.
To make any of these requests or to ask us to transfer a copy of your personal information to another party, contact the Artfarm People Team: peopleteam@Artfarm.com
Visitor Firearm Permits
Our non-UK resident stalking guests are required by law to have a Visitors Firearms Permit when they bring their firearms into the country. As Sponsor, Artfarm completes the application form on behalf of the visitor(s).
On completion, a hard copy of the form is sent to Police Scotland along with copy of the applicants’ European Firearm Pass (EFP), if the permit is requested by an EEC resident, or a copy of the visitor’s hunting permit (valid in their home country) or Certificate of Good Conduct (available from the visitor’s home police/sheriff department).
When Police Scotland are satisfied with the application(s), a Visitors Firearms Permit is issued and returned to sponsor, Artfarm and subsequently the applicant. No copy of the EFP remains with Police Scotland. Police Scotland retain the application form for up to 2 years before securely deleting. Artfarm will not retain any copies of the EFP. A copy of the application form is retained for up to 3 years before securely destroying.
All Artfarm staff who manage the visitor firearm permit process are fully trained on data handling practices and additional security measures are in place.
For further information please see: www.scotland.police.uk/about-us/firearms-and-explosives-licensing/visitor-permits-and-11-6-authorities#