Privacy Policy

Our Privacy Promise 

Artfarm Ltd is an independent hospitality and development company, bringing together art, community, education, people and places. At the heart of why we do it, is our passion to create original, unforgettable moments for our customers and looking after the personal data they share with us is an important part of these experiences. 

This Policy demonstrates our promise to protect the privacy and security of your personal data. 

We are committed to being transparent about the ways in which we intend to use your data and provide you with choices about how we use it so you can be confident that your data is safe and secure with us. 

We are happy to provide any additional information or explanation needed and/or answer any questions you may have (please refer to the “Contact us” section below for details on how to contact us). 

Policy Updates 

We keep our Privacy Policy under regular review and will place updated versions on our websites when changes are made. If there are substantive changes, we will also notify you when appropriate. This Privacy Policy was last updated on 13th October 2020. 

What this Privacy Policy explains? 

This Policy describes and oversees the nature of all data that we collect, use and otherwise process about you in connection with your relationship with Artfarm as a guest, patron, visitor, potential customer or as an enquirer. The Scope of the Policy covers the following areas: 

• Who we are and how to contact us? 

• What is personal data? 

• The personal data we collect. 

• How we will use the data? 

• Where we collect the data from? 

• Our legal basis for processing your personal data. 

• How long we store data? 

• Digital & marketing services 


• Disclosures of your personal data. 

• Securing your data. 

• Your rights and how you can see, update or delete your personal data. 

• Our recruitment processes 

• Visitor Firearm permits 

Who we are? 

Artfarm is an independent hospitality and development company owned by Manuela and Iwan Wirth. Artfarm sets new boundaries for what cultural development can achieve. It adapts and reinvents unique sites that come with great stories by bringing together art, community, education, people and place. 

Artists are invited to celebrate these stories with site specific commissions. Public programs are created to engage guests with art and locality. The local community is embraced and promoted through a celebration of the culture, customs, food and drink that make each site original. 

Artfarm Ltd is registered in England with company number 10950608. 

Contact Us 

Artfarm Ltd is responsible for your personal data. For the purposes of data protection legislation, we are the “Data Controller” of all personal data that we collect, use and/or otherwise process about you under this Privacy Policy. 

If you have any questions about this Policy, including any requests to exercise your legal rights, please contact us at 

Artfarm Ltd is Head Quartered at 13 High Street, Bruton, Somerset, United Kingdom, BA10 0AB with a further four sites across the UK. The locations are as follows: 

Artfarm Ltd
23 Savile Row, London
United Kingdom
W1S 2ET 

Durslade Farm (including Roth Bar& Grill, Durslade Farmhouse and Durslade Farm Shop)
Dropping Lane
BA10 0NL
01749 814700 

The Fife Arms Hotel
Mar Road
AB35 5YN
01339 720200 

The Invercauld Arms Hotel
Glenshee Road
AB35 5YR 

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( We would however, appreciate the chance to deal with your concerns or questions before you approach the ICO, so please contact us in the first instance at 

What is Personal Data? 

Personal data means information that relates to an identified or identifiable individual. For example, it can be as simple as a name or a number or could include other identifiers such as an IP address, cookie identifier, payment details, or other factors. For avoidance of doubt, data must ‘relate to’ the identifiable individual to be personal data. This means that it does more than simply identifying a person – it must concern the individual in some way. 

Anonymised Data is the process of turning personal information into a form which does not identify individuals and where identification is not likely to take place. 

What information do we collect? 

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows: 

For what purposes do we use your data? 

We will use your data for a variety of different purposes some of which will be dependent on the location(s) that you interact with us.

Where do we collect your information from? 

Most of the personal data we process is provided to us directly by you when you book your stay or reserve a table at any one of our locations. 

We may also collect data about you if:

Legal Basis for Processing 

Data protection legislation states that we must have a legal basis in order to process your personal data. Artfarm relies on 5 out of the 6 bases’ available for processing your data. They are as follows: Lawful basis  What it means 
We have a contractual obligation  Where you are in a contractual relationship, and we need to process personal information to allow us to perform the contract, or where you intend to enter into a contractual relationship with us. 
We have a legal obligation  Where we need to process personal information to comply with a legal obligation placed on us. 
We have a legitimate interest  Where we process your data in a way in which you would reasonably expect us to 
Your consent  You have given your consent to the processing of personal information for the specified purpose. 
It is in your vital interests  Where we need to process personal information to protect your life 

Where we rely on your consent to process your data, you are free to unsubscribe at any time by clicking the unsubscribe link in any email you receive from Artfarm or you can email us at When you unsubscribe, your email address will be retained on a system suppression list to ensure you no longer receive emails from us. 

How long we keep your data? 

We will only retain your personal data for as long as reasonably necessary to enable us to provide you with the services that you have requested from us, fulfil any other purpose we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. 

We may retain your personal data for a longer period where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person, or in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. 

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. 

We operate a data retention policy and look to find ways to reduce the amount of information we hold and the length of time that we need to keep it. For example:  

Digital & Market Services 


We operate CCTV inside our Braemar premises (The Fife Arms & Invercauld Arms) for the safety and security of staff, guests and patrons and for the protection of the hotel and pub premises. In addition, CCTV increases personal safety particularly at night, when staffing numbers are lower and for the protection of approximately 1600 artefacts held within the building. Further information is available in our CCTV & Monitoring Policy. 

Staff working in our London offices may be filmed by CCTV which is owned and operated by the landlords or owners of the buildings in which our offices are situated. Artfarm is not the data controller for this information. 


Please see our Cookie Policy for further information. 


When you use a social media platform and interact with Artfarm, you do so by consenting to the terms & conditions of such platforms. This can include Facebook, Twitter, Instagram, LinkedIn, Pinterest, and YouTube. For more information, please see their individual Terms & Conditions and privacy policies. 


We will send you marketing emails and newsletters to keep you updated on our products and services. You can at any time opt out of receiving these emails. 

A) For business customers, our lawful basis is legitimate interest as it’s necessary to inform business customers and stakeholders about our products/services to grow their business offering and ours. Your information will be securely destroyed 3 years from the last recorded interaction. 

B) For our guests, patrons and visitors, our lawful basis is consent and will be securely destroyed 1 month after consent is withdrawn. 


Artfarm currently use CCTV in The Fife Arms & Invercauld Mews in Braemar, Scotland. These systems are in place to for the safety and security of staff, guests, visitors, for the protection of the hotel and public house premises, to increase personal safety particularly at night, when staffing numbers are lower and for the protection of artefacts held within the buildings. Artfarm does not use these systems for anything other than personal safety and the safeguarding of properties.

Artfarm retains all recorded information for 28 days only, unless there is a specific reason to hold onto the footage for longer, for example a health and safety action or for criminal evidence. An individual has a right to access their own image by submitting a Subject Access Request, however, does not have the right to the images of other guests or visitors to any of our locations. 

Police Scotland or the Courts may ask for a recording to be used as evidence. The Police must request footage via the relevant release forms, and these will be approved and released by a member of the Artfarm team. Any enquires relating to CCTV footage must be directed to 

Disclosures of your Personal Data 

We may share your personal data with data processors for the purpose of providing our services and products on the lawful grounds described above. Our authorised data processors are subject to comprehensive due diligence and security checks and bound by contractual obligations in-line with current data protection legislation. 


We know how important it is to protect and manage your personal data. We take robust security measures to help protect your personal data from accidental loss and from unauthorised access, use, alteration and disclosure. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality. 

The personal data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by organisations operating outside the EEA such as our Third Party IT/Application suppliers. We put in place appropriate protections to make sure your personal data remains adequately protected and that it is treated in line with this Policy. These protections include, but are not limited to, appropriate security measures, standard contract clauses such as those approved by the European Commission. 

We have also put in place policies & procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

Some of the steps we use to protect your information from unauthorised access, use or alteration and unlawful destruction, include where appropriate: 


Your credit card data is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted. All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers. 

Your Rights 

Under data protection legislation, you have certain rights as an individual which you can exercise in relation to the data, we hold about you. 

In some situations, you may have the; 

Individuals can find out if we hold any personal data by making a ‘right of access’ request. More information can be found at 

If we do hold data about you, we will: 

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. 

We may need to request specific data from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. 

Our Recruitment Process 

Artfarm Ltd is the Data Controller for the data you provide during the recruitment process unless otherwise stated. If you have any queries about the process or how we handle your data, please contact us by email: 


The personal data we may collect from you includes: 

• Contact details such as name, title, addresses, telephone numbers, and personal email addresses. 

• Copies of driving licence or passport. 

• Evidence of how you meet the requirements of the job, including CVs and references. 

• Information about your health, including any medical needs or conditions. 

• Other information required for some applications. 

• If you contact us regarding your application, a record of that correspondence. 

• Details of your use of our recruitment tools and services, such as your candidate profile and alerts for vacancies. 

• The status of your application and updates on how it moves forward. 

We do not collect more information than we need to fulfil our stated purposes. Information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask, but it might affect the progression of your application to the next stage. 


All the information you provide during the process will be used solely for the purpose of progressing your application, and to fulfil legal or regulatory requirements where necessary. We will use the contact data you provide to us to contact you and progress your application. We use the additional data you provide to assess your suitability for the role you have applied for. 


Occasionally, Artfarm will procure the services of recruitment agencies to attract the right persons for a particular job role. During this recruitment process, the agency remains the Data Controller and only once a job offer has been made to you and accepted, will we seek personal data from the agency to begin the onboarding process.


We have put in place measures to protect the security of your information. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure. 

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we only give access to your personal information to those employees, agents, contractors and other third parties who need to work on your recruitment process. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 


As per Data Protection Act 2018 and EU Directive 95/46/EC we process your information for recruitment under the following lawful bases: 

• Contract – Processing your data is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks. 

• Legal obligation – The law requires Artfarm to check that candidates are entitled to work in the UK. 


We will not share any of the information provided to us during the recruitment process externally. We may however, share candidate information with other areas of the Artfarm business that are based outside the UK and Europe, for example the United States. Your data will only be shared when you have expressed an interest for a position in that location and provided consent. 


We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for. 

If you’re unsuccessful in your application, Artfarm would still like to stay in touch with you for future opportunities that might be a good fit. We add your application to our candidate Talent Pool which retains your details on file for up to 12 months with our HR Management System. All information is securely destroyed on reaching its retention threshold. 

Information relating to candidates that have been successful in their appointment will be retained in line with the Artfarm Retention Schedule. 


All your personal data, including CV and all applications (live and closed) associated with you, will be retained in the Talent Pool until the date falling 12 months from the date on which your CV was submitted to the Talent Pool. In addition, if and when an application is successful, and you become an employee, all your personal data will be securely removed from the Talent Pool. 

Please let us know if you do NOT wish to participate by emailing us at 


Artfarm actively encourages team members to introduce potential candidates through our Refer a Friend Initiative. For avoidance of doubt, the introducing team member must gain the explicit verbal consent of the candidate before submitting the Recommend a Friend form and relevant CV. CVs will be retained in the before mentioned Talent Pool until the date falling 12 months from the date on which your CV was submitted. If and when an application is successful, and you become an employee, all your personal data will be securely removed from the Talent Pool. 

Please let us know if you do NOT wish to participate by emailing us at 


Candidate information will be shared through our HR Management System with the appropriate hiring managers along with the People Team to shortlist applications for interview. 


If we make a conditional offer of employment, we will ask you for further information so we can carry out pre-employment checks. You must successfully complete pre-employment checks in order for the offer to be deemed final. We are required by law to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability. 

You will therefore be required to provide: 

• Personal Information – including Name, DOB, Contact Details, National Insurance Number – to input onto our HR Management System. 

• Bank details – to process salary payments. 

• Emergency contact details – so we know who to contact in case you have an emergency at work. 

• A copy of your proof of your identity and right to work documentation – to confirm your rights to work in the United Kingdom. Note: You will be asked to bring the original version of your right to work documentation and photographic identification on your first day of work to show the People Team to verify it is a true likeness of the copy previously submitted. 

• We will contact your referees, using the contact data provided in your application. 

• Optional Health and Wellbeing form. 


You have the right to: 

• Request access to your personal information (known as a ‘data subject access request’) to request access. You’ll receive a copy of the personal information we hold about you, so you can check that we are lawfully processing it. 

• Request that if any data that we hold about you is incomplete or inaccurate, you can ask us to correct it. 

• Request that we delete or remove your personal information – you can do this when there is no good reason for us to keep it object to the inclusion of any information. In situations where we are relying on a legitimate interest (or those of a third party) you have the right to object to the way we use your data where we are using it. 

• Withdraw your consent for any data processed under the lawful basis of consent. 

• Request we restrict the processing of your personal information – you can ask us to stop processing your personal information, for example if you want us to establish its accuracy or the reason for processing it. 

To make any of these requests or to ask us to transfer a copy of your personal information to another party, contact the Artfarm People Team: 

Visitor Firearm Permits 

Our non-UK resident stalking guests are required by law to have a Visitors Firearms Permit when they bring their firearms into the country. As Sponsor, Artfarm completes the application form on behalf of the visitor(s). 

On completion, a hard copy of the form is sent to Police Scotland along with copy of the applicants’ European Firearm Pass (EFP), if the permit is requested by an EEC resident, or a copy of the visitor’s hunting permit (valid in their home country) or Certificate of Good Conduct (available from the visitor’s home police/sheriff department). 

When Police Scotland are satisfied with the application(s), a Visitors Firearms Permit is issued and returned to sponsor, Artfarm and subsequently the applicant. No copy of the EFP remains with Police Scotland. Police Scotland retain the application form for up to 2 years before securely deleting. Artfarm will not retain any copies of the EFP. A copy of the application form is retained for up to 3 years before securely destroying. 

All Artfarm staff who manage the visitor firearm permit process are fully trained on data handling practices and additional security measures are in place. 

For further information please see: 

01 01