Employee privacy notice


1. Like most businesses, we hold and process a wide range of information, some of which relates to individuals who work for us.  This Privacy Notice explains the type of information we process, why we are processing it and how that processing may affect you.  This Privacy Notice applies to all Grosvenor Estate staff who work in or are from the European Union.  There will be separate jurisdiction specific employee privacy notices which apply to Grosvenor Estate staff who work elsewhere in the world (and who are not from the European Union). 

This Privacy Notice should be read alongside each of the following privacy notices:

Workday Privacy Notice, 

the Recruitment Privacy Notice (where applicable); and 

the Pensions Privacy Notice (if applicable to you as a member of the Grosvenor pension scheme) 

(together with this notice, the “HR Privacy Notices”) as the HR Privacy Notices set out the basis on which employee personal data is controlled and/or processed.

The Privacy Notice focuses on individuals who work for us, whether employed by us or not.  It also covers information on those who apply to work for us and former employees.  References to ‘we’, ‘our’ and ‘us’ means your respective employing entity within the Grosvenor Estate. 

This Privacy Notice is set out in this document (the Core Notice) and the Supplementary Information in the annex to this document.

In the Supplementary Information, we explain what we mean by “personal data”, “processing”, “sensitive personal data” and other terms used in this Privacy Notice.  

Please note that our data protection obligations differ slightly for each European Union Member State (“Member State”) in which we operate pursuant to legislation implemented by each Member State in connection with the GDPR.  Where necessary, we have identified these differences by symbolising relevant information in this Privacy Notice, the key to which can be found in the Supplementary Information section at paragraph 23.

2. In brief, this Privacy Notice explains:

what personal data we hold and why we process it;

the legal grounds which allow us to process your personal data;

where the data comes from, who gets to see it and how long we keep it;

how to access your personal data and other rights;

how to contact us.


3. We process data for the purposes of our business including management, administrative, employment and legal purposes.  The Supplementary Information provides more specific information on these purposes, on the type of data that may be processed and on the grounds on which we process data.  See Legal grounds for processing personal data and Further information on the data we process and our purposes. 


4. Some of the personal data that we process about you comes from you.  For example, you tell us your contact and banking details.  

Other personal data about you is generated in the course of your work, for example, from your managers, colleagues and customers or others outside our organisation with whom you deal.  

In line with the Grosvenor Estate Information Security Management System Acceptable Use Policy and the HR Privacy Notices, your personal data will be seen internally by managers, HR and, in some circumstances, colleagues.  We may also pass your data outside the organisation, for example to third party HR service providers.  

Further information on this is provided in the Supplementary Information.  See Where the data comes from and Who gets to see your data? 


5. We keep your personal data in accordance with HR data retention guidelines, details of which are available to you upon request; we do not otherwise keep your personal data for longer than is necessary for our purposes.  In general, we will keep your personal data for the duration of your employment and for a period of six years afterwards.  Specific information about what is contained permanently is in the ‘Workday Privacy Notice’.   

See Retaining your personal data – more information in the Supplementary Information. 


6. We may transfer your personal data outside the EEA to members of our group in North America (via Grosvenor Americas or via the relevant subsidiaries of or other operating companies associated to Wheatsheaf Group Limited) and in Asia (via Grosvenor Asia). 

Further information on these transfers and the measures taken to safeguard your data are set out in the Supplementary Information under Transfers of personal data outside the EEA – more information.


7. You have a right to make a subject access request to receive information about the data that we process about you.  Further information on this and on other rights is in the Supplementary Information under Access to your personal data and other rights.  We also explain how to make a complaint about our processing of your data.


8. In processing your personal data, we act as a data controller.  Your HR Business Partner/HR team should be your first point of contact if you have any questions on this Privacy Notice.


9. This Privacy Notice does not form part of your contract of employment and does not create contractual rights or obligations.  It may be amended by us at any time.



Data “processed automatically” includes information held on, or relating to use of, a computer, laptop, mobile phone or similar device.  It covers data derived from equipment such as access passes within a building, data on use of vehicles and sound and image data such as CCTV or photographs.  

"Processing" means doing anything with the data.  For example, it includes collecting it, holding it, disclosing it and deleting it.  

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by EU privacy law to be “sensitive personal data”. 

References in the Privacy Notice to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services.  By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your employment that includes terminating a contract for services.  We use the word “you” to refer to anyone within the scope of this Privacy Notice.  



10. Under data protection law, there are various grounds on which we can rely when processing your personal data.  In some contexts more than one ground applies.  We have summarised these grounds as Contract, Legal obligation, Legitimate Interests and Consent and outline what those terms mean in the following table. 


Ground for processing



Processing necessary for performance of a contract with you or to take steps at your request to enter a contract

This covers carrying out our contractual duties and exercising our contractual rights.

Legal obligation

Processing necessary to comply with our legal obligations

Ensuring we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination or for diversity monitoring purposes.

Legitimate Interests

Processing necessary for our or a third party’s legitimate interests

We or a third party have legitimate interests (eg: such as payroll administration) in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data.

Your data will not be processed on this basis if our or a third party’s interests are overridden by your own interests, rights and freedoms.


You have given specific consent to processing your data

In general processing of your data in connection with employment is not conditional on your consent. But there may be occasions where we do specific things such as provide a reference, or obtain medical reports and rely on your consent to our doing so.


11. If we process sensitive personal data about you (for example (but without limitation), storing your occupational health records to assist us in ensuring that we provide you with a healthy and safe workplace or processing personal data relating to diversity monitoring), as well as ensuring that one of the grounds for processing mentioned above applies, we will make sure that one or more of the grounds for processing sensitive personal data applies.  In outline, these include:  

Processing being necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law; 

Processing relating to data about you that you have made public (e.g. if you tell colleagues that you are ill); 

Processing being necessary for the purpose of establishing, making or defending legal claims;

Processing being necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity‡; 

Processing relating to the conclusions derived from medical examinations in order to establish the aptitude of the worker for the performance of their work duties‡‡; and

Processing for equality and diversity purposes to the extent permitted by law.


12. The Core Notice outlines the purposes for which we process your personal data.  More specific information on these, (non-exhaustive) examples of the data and the grounds on which we process data are in the table below.  

The Grosvenor Estate also collects and uses Personal Data using the Workday HR system (‘Workday’) and there is a separate Privacy Notice in respect of Personal Data processed by Workday.  There is a separate Privacy Notice in respect of Pensions data. 


Examples of personal data that may be processed

Grounds for processing


Information concerning your application and our assessment of it, your references, any checks we may make to verify information provided or background checks (including criminal record checks†*) and any information connected with your right to work in the country of the relevant entity within the Grosvenor Estate acting as data controller. If relevant, we may also process information concerning your health, any disability and in connection with any adjustments to working arrangements.


Legal obligation

Legitimate interests




Your employment contract including entering it, performing it and changing it.

Information on your terms of employment from time to time including your pay and benefits, such as your participation in pension arrangements[1], life and medical insurance; and any bonus or share schemes.


Legal obligation

Legitimate interests

Contacting you or others on your behalf

Your address and phone number, emergency contact information and information on your next of kin, and pension beneficiaries.


Legitimate interests

Payroll administration

Information on your bank account, pension contributions and on tax and national insurance

Information on attendance, holiday and other leave and sickness absence.

Information regarding any attachment of earnings order


Legal obligation

Legitimate interests

Supporting and managing your work and performance and any health concerns?

Information connected with your work, anything you do at work and your performance including records of documents and emails created by or relating to you and information on your use of our systems including computers, laptops or other devices.

Management information regarding you including notes of meetings and appraisal records.

Information relating to your compliance with our policies.

Information concerning disciplinary allegations, investigations and processes and relating to grievances in which you are or may be directly or indirectly involved.

Information concerning your health, including self-certification forms, fit notes and medical and occupational health reports.

The conclusions derived from the medical examinations related to the aptitude of the worker for the performance of work duties‡‡. Learning and development records, including psychometrics


Legal obligation

Legitimate interests

Changing or ending your working arrangements

Information connected with anything that may affect your continuing employment or the terms on which you work including any proposal to promote you, to change your pay or benefits, to change your working arrangements or to end your employment


Legal obligation††

Legitimate interests

Grosvenor Europe does not monitor pension arrangements in respect of those of its staff based in Continental Europe

Physical and system security

CCTV images

Automatic Number Plate Recognition (ANPR)

Records of use of swipe and similar entry cards

Records of your use of our systems including computers, phones and other devices and passwords.

Legitimate interests

Providing references in connection with your finding new employment

Information on your working for us and on your performance.


Legal obligation††

Legitimate interests

Providing information to third parties in connection with transactions that we contemplate or carry out

Information on your contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer

Legitimate interests

Monitoring of diversity and equal opportunities[1]

Information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, disability and age

Legitimate interests


Legal obligation††

Monitoring and investigating suspicions of misconduct, compliance with policies and rules – both generally and specifically

We may monitor our systems to check compliance with policies and rules, to undertake a specific investigation into complaints raised, to respond to subject access requests, and to ensure the integrity and security of our IT systems (e.g. rules on accessing pornography at work). We may check those systems and other data to investigate those concerns (e.g. we may review log in records, records of usage and emails and documents, CCTV images) with or without notice to you. Any such investigation may lead to the production of further records in connection with an investigation.

Legitimate interests

Legal obligation††

Disputes and legal proceedings

Any information relevant or potentially relevant to a dispute or legal proceeding affecting us.

Legitimate interests

Legal obligation

Trade union details

If applicable, details of any trade union membership


Legal obligation††

Day to day business operations including marketing and customer/client relations

Information relating to the work you do for us, your role and contact details including relations with current or potential customers or clients. This may include a picture of you for internal or external use.

Legitimate interests


Maintaining appropriate business records during and after your employment

Information relating to your work, anything you do at work and your performance relevant to such records.


Legal obligation

Legitimate interests

Keeping and maintaining the historical records of Grosvenor Estate

The personal information maintained for the purposes of the historic records of the Grosvenor Estate will be limited to basic identifying information and will not contain any sensitive personal data.


Legitimate interests

Public Interest

[1] Grosvenor Europe does not carry out diversity monitoring


13. When you start employment with us, the initial data about you that we process is likely to come from you:  for example, contact details, bank details and information on your immigration status and whether you can lawfully work.  We may also require references and information to carry out background checks.  In the course of employment, you may be required to provide us with information for other purposes such as sick pay (and Statutory Sick Pay) and family rights (e.g. maternity and paternity leave and pay).  If you do not provide information that you are required by statute or contract to give us, you may lose benefits or we may decide not to employ you or to end your contract.  If you have concerns about this in a particular context, you should speak to HR.  

14. In the course of your work, we may receive personal data relating to you from others.   Internally, personal data may be derived from your managers and other colleagues or our IT systems; externally, it may be derived from our customers or those with whom you communicate by email or other systems. 



15. In line with the Grosvenor Estate Information Security Management System Acceptable Use Policy and the HR Privacy Notices, your personal data may be disclosed to your managers, HR and administrators for employment, administrative and management purposes as mentioned in this document.  We may also disclose this to other members of the Grosvenor Estate in accordance with the terms of Intra-Estate Data Sharing Agreement.


16. We will only disclose your personal data outside the Grosvenor Estate if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.  

We may disclose your data if it is necessary for our legitimate interests as an organisation or the interests of a third party (but we will not do this if these interests are over-ridden by your interests and rights in particular to privacy).  We may also disclose your personal data if you consent, where we are required to do so by law and in connection with criminal or regulatory investigations.  

17. Specific circumstances in which your personal data may be disclosed include:

Disclosure to organisations and service providers that process data on our behalf such as our payroll service, insurers and benefit providers, our bank, and organisations that host or provide or support our IT systems and data;

Disclosure to Galbraith CKD LLP who manage the Reay Forest Estate; 

Disclosure to external recipients of electronic communications (such as emails routed through our systems) which contain your personal data;

Disclosure on a confidential basis to a potential buyer of or investor in our business or company for the purposes of evaluation – but only if we were to contemplate selling, creating a security interest or otherwise divesting of (part or whole) of our business;

Disclosure and transfer disclosed to respond to law enforcement agency requests or where required by applicable laws, pursuant to court orders, or arbitral or tribunal orders or rules of procedure, or to government regulations departments or agencies or regulatory bodies (including disclosures to tax and employment authorities),employment and any other regulatory bodies;

Disclosure on a confidential basis to our advisers for example to our lawyers for the purposes of seeking legal advice or to further the Grosvenor Estate’s interests in legal proceedings and to our accountants for auditing purposes; and

Disclosure to our insurers.


18. We keep your personal data in accordance with HR data retention guidelines, details of which are available to you upon request; we do not otherwise, keep it for longer than is necessary for our purposes.  In general, we will keep your personal data for the duration of your employment and for a period afterwards.  In considering how long to keep a particular category of personal data we will have regard to the purposes for which it is processed, and any purposes which continue to apply even when your employment has terminated (for example because we need to keep records of you employment with us, expense claims you have made, or in the event of a legal claim or threatened claims).  Please also refer to the Workday Privacy Policy for details of retention periods in relation to information held on Workday.

If your personal data is only needed for a short period (for example, CCTV images where there are no investigations or proceedings to which they are relevant), we may delete it. 

However, we will retain certain basic identifying information indefinitely for the purpose of keeping and maintain Grosvenor’s historical records (but please note that these records remain confidential for a period of 100 years). 

Personal data relating to job applicants (other than the person who is successful) will normally be deleted after:

six months in relation to Wheatsheaf Group Limited;

12 months in relation to the Family Investment Office;

12 months in relation to Grosvenor Group Limited in accordance with our Recruitment Privacy Notice; or

24 months†† in accordance with our Recruitment Privacy Notice.


19. In connection with our business and for employment, administrative, management and legal purposes, we may transfer your personal data outside the EEA to our group in North America (via Grosvenor Americas or via the relevant subsidiaries of or other operating companies associated to Wheatsheaf Group Limited) and in Asia (via Grosvenor Asia).  We will ensure that the transfer is lawful and that there are appropriate security arrangements and we will notify you and provide details of the subject matter, destination and purpose of any such transfer of your personal data outside the EEA.

Although there is no decision by the European Commission that the US and Asia provides an adequate level of protection, we have entered into an agreement ensuring appropriate and suitable safeguards with our group members in the US and Asia.  This is in standard terms adopted by the Information Commissioner and approved by the Commission.  If you wish to see details of these safeguards, please ask your HR Business Partner/HR team. 


20. We try to be as open as we reasonably can about personal data that we process.  If you would like specific information about the rights below, please speak to your HR Business Partner/HR team.

You also have a legal right to make a “subject access request”, and obtain confirmation as to whether personal data related to you is being processed or not.  If you exercise this right and we hold personal data about you, we are required to provide you with information on it, including:

Information pertaining to processing purposes, categories of personal data processed, recipients or categories of recipients of personal data; 

Information pertaining to envisaged transfers of personal data outside the EU;

Giving you a copy of the personal data; and

Telling you why we are processing it.

If you make a subject access request and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity and to clarify the nature of your request.

As well as your subject access right, you may have a legal right to have your personal data rectified or erased, to object to its processing or to have its processing restricted. You also have the right to establish guidelines for the conservation, the deletion and the communication of your personal data after your death**.  If you have provided us with data about yourself (for example your address or bank details), you have the right to be given the data in machine readable format for transmitting to another data controller.  This only applies if the ground for processing is Consent or Contract.

If we have relied on consent as a ground for processing a particular class of data, you may withdraw consent at any time – though if you do so that will not affect the lawfulness of what we have done before you withdraw consent.


21. If you have complaints relating to our processing of your personal data, you should raise these with your respective employer entity as follows: 

Family Investment Office, Eaton Estate Office, Eccleston, Chester CH4 9ET, email: data.protectionFIO@Grosvenor.com 

Grosvenor Group/Grosvenor Estate Management Limited, 70 Grosvenor Street, London W1K 3JP, email data.protectionGGL@Grosvenor.com

Wheatsheaf Group Limited, The Quarry Hill Road, Eccleston, Chester CH4 9HQ, email: data.protectionWGL@Grosvenor.com  

If you wish to pursue a complaint further once the internal complaints process is complete you have the right to contact the organisation for the jurisdiction in which you are based.  Please see the details for each country below.  

France: Contact the Commission Nationale de l'Informatique et des Libertés (CNIL).  This is their website:  https://www.cnil.fr/.

Italy: Contact the Garante per la protezione dei dati personali.  This is their  website: http://www.garanteprivacy.it/

Luxembourg: Contact the Commission Nationale pour la Protection des Données.  This is their website: https://cnpd.public.lu/fr.html 

Spain: Contact the Agencia de Protección de Datos.  This is their website: https://www.aepd.es/

Sweden: Contact the Datainspektionen.  This is their website: https://www.datainspektionen.se/

United Kingdom: Contact the Information Commissioner’s Office (ICO).  This is their website: https://ico.org.uk/ 


22. This Privacy Notice does not form part of your contract of employment and does not create contractual rights or obligations.  It may be amended by us at any time.


23. Please note that certain aspects of this Privacy Notice will not apply to employees based in the relevant Member States in which we operate and the table below identifies the applicable data controller for the purposes of the GDPR (and the corresponding local legislation implementing the GDPR) as well as the key for those aspects of this Privacy Notice which apply (or not, as the case may be) to such employees in the relevant Member States in which we operate.

If your place of employment is located in:

The data controller responsible for processing your personal data is:

Key for applicability of information in this notice


Grosvenor Group Limited - Grosvenor Continental Europe SAS

*not applicable to jurisdiction

** only applicable to this jurisdiction


Grosvenor Group Limited - Grosvenor Fund Management Spain SL

not applicable to this jurisdiction

‡‡ only applicable to this jurisdiction


Grosvenor Group Limited - Grosvenor Fund Management (CE) S.A.



Grosvenor Group Limited -
Grosvenor FM Sweden AB
not applicable to this jurisdiction
†† only applicable to this jurisdiction

Last updated May 2018