LANSERHOF AT THE ARTS CLUB

EMPLOYEE PRIVACY POLICY

1. Introduction

Lanserhof at The Arts Club is committed to protecting your privacy and meeting the requirements of data protection legislation.

This Employee Privacy Policy (the “Policy”) explains how Lanserhof at The Arts Club (“LHTAC”, “we”, “us”, or “our”) collects, uses, stores, and protects the personal data of our employees, workers, contractors, and job applicants (collectively referred to as “you” or “employees”). We are committed to protecting your privacy and ensuring compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant UK data protection laws.

LHTAC is a leading private wellness clinic based in Mayfair, London, providing holistic health, fitness, and wellbeing services. As a UK-based organisation, we act as the data controller for your personal data, meaning we determine the purposes and means of processing it. Our registered address is 17-18 Dover Street, London W1S 4LT.

This Policy applies to all personal data we process in the context of your employment or application with us. It does not cover data processed for client services, which is addressed in our separate Client Privacy Policy. We may update this Policy from time to time and will notify you of any significant changes.

If you have any questions about this Policy, please contact our Data Protection Officer (DPO) at privacy@lhtac.com or via post at the address above.

2. Personal Data We Collect

We collect and process various types of personal data necessary for managing our employment relationship with you. This may include:

  • Identification and Contact Information: Name, date of birth, gender, marital status, nationality, contact details (e.g., address, email, telephone numbers), emergency contact details, and next of kin.
  • Employment-Related Information: CV, application forms, references, qualifications, employment history, job title, salary, benefits, performance reviews, disciplinary records, and absence records (including sickness and holiday).
  • Financial Information: Bank account details, tax codes, National Insurance number, payroll records, and pension details.
  • Health and Sensitive Data: Medical history, health assessments, occupational health records, disability information, and sickness absence details (where necessary for health and safety or to comply with legal obligations). We may also process data related to criminal convictions if required for certain roles (e.g., DBS checks for roles involving vulnerable individuals).
  • Diversity and Equality Data: Information on ethnicity, religion, sexual orientation, or other protected characteristics (collected anonymously where possible for monitoring purposes).
  • Technical Data: IP addresses, login data, and usage information from our IT systems, including email and internet monitoring (in accordance with our IT policy).
  • Other Data: Photographs for ID badges, CCTV footage from our premises for security purposes, and biometric data if used for access control.

We only collect sensitive personal data (special categories under UK GDPR) with your explicit consent or where it is necessary for employment law purposes, such as ensuring health and safety or fulfilling equality obligations.

3. How We Collect Your Personal Data

We collect personal data from various sources, including:

  • Directly from you during the recruitment process, onboarding, or throughout your employment (e.g., via application forms, interviews, or employee self-service portals).
  • From third parties, such as recruitment agencies, previous employers (for references), occupational health providers, or government bodies (e.g., HMRC for tax purposes).
  • Automatically through our systems, such as time-tracking software, email monitoring, or CCTV.
  • From public sources where relevant, such as professional networking sites during recruitment.

4. Purposes and Legal Bases for Processing

We process your personal data for legitimate employment-related purposes. The legal bases under UK GDPR include:

  • Performance of Contract: To fulfil our employment contract with you, such as paying salaries, providing benefits, and managing performance (Article 6(1)(b)).
  • Legal Obligations: To comply with employment, tax, health and safety, and immigration laws (Article 6(1)(c)), e.g., reporting to HMRC or conducting right-to-work checks.
  • Legitimate Interests: For business operations, such as workforce planning, security monitoring, and internal audits (Article 6(1)(f)). We conduct balancing tests to ensure our interests do not override your rights.
  • Consent: For optional activities, such as sharing your details in company directories or processing health data beyond what is legally required (Article 6(1)(a)). You can withdraw consent at any time.
  • Vital Interests: In emergencies, to protect your health or safety (Article 6(1)(d)).
  • For special category data: Explicit consent (Article 9(2)(a)), employment law necessities (Article 9(2)(b)), or medical diagnosis by professionals (Article 9(2)(h)).

Specific purposes include:

  • Recruitment and selection.
  • Administering payroll, pensions, and benefits.
  • Performance management and training.
  • Health and safety compliance.
  • Diversity monitoring.
  • Dispute resolution and legal claims.
  • Business continuity and IT security.

5. Sharing Your Personal Data

We may share your personal data with trusted third parties where necessary, including:

  • Service providers: HR software providers, payroll processors, pension administrators, and occupational health services.
  • Professional advisors: Lawyers, auditors, and insurers.
  • Government authorities: HMRC, the Home Office, or regulatory bodies as required by law.
  • Joint venture partners: Limited sharing with The Arts Club or Lanserhof for operational purposes, subject to data protection agreements.
  • In the event of a business transfer: To potential buyers or successors.

All third parties are required to respect the security of your data and process it only in accordance with our instructions and UK data protection laws. We do not sell your personal data.

6. International Data Transfers

As a UK-based organisation, most processing occurs within the UK. If we transfer data outside the UK (e.g., to Lanserhof’s international affiliates), we ensure adequate safeguards, such as UK International Data Transfer Agreements (IDTAs) or reliance on adequacy decisions.

7. Data Retention

We retain your personal data only as long as necessary for the purposes outlined above or to meet legal requirements. For example:

  • Recruitment data: 6 months after the process ends (or longer if successful).
  • Employment records: 6 years after employment ends (for tax and legal claims).
  • Health records: Up to 40 years for occupational health purposes.

Data is securely deleted or anonymised when no longer needed.

8. Your Rights

Under UK GDPR, you have rights regarding your personal data, including:

  • Access: Request a copy of your data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion in certain circumstances.
  • Restriction: Limit processing.
  • Objection: Object to processing based on legitimate interests.
  • Portability: Receive data in a transferable format.
  • Withdraw Consent: Where processing relies on consent.

To exercise these rights, contact our DPO. We will respond within one month. There is no fee unless requests are excessive. You also have the right to complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption, access controls, regular security audits, and staff training. In the event of a data breach, we will notify you and the ICO where required.

10. Changes to This Policy

We may update this Policy to reflect changes in our practices or legal requirements. Updates will be communicated via email or our intranet, with the effective date noted below.

This Policy was last updated on 24 October 2025.

If you have concerns, please contact privacy@lhtac.com.