Studio Visitor Privacy Notice

Last updated: November 2024

Introduction

Thank you for visiting the Studios. This notice sets out how we use the personal data we collect from you when you visit our sites.

For further information, please contact dataprotection@pinewoodgroup.com.

Introduction

When we say we, our, us, or the Group in this notice, we are referring to Pinewood Group Limited (PGL) and its subsidiaries, including Pinewood Studios Limited (PSL), Pinewood PSB Limited (PSB) and Shepperton Studios Limited (SSL), all of whom are “controllers” of your personal data for the purposes of the Data Protection Act 2018 (the Act) and the retained European Union law version of the General Data Protection Regulation ((EU) 2016/679) applying in the United Kingdom from 1 January 2021 (UK GDPR) (the Act and UK GDPR together the Data Protection Legislation).

PSL (company number 0392619) is the owner of Pinewood Studios and is registered with the ICO under registration number Z5350189. PSB (company number 06300755) is registered with the ICO under registration number ZB542218. SSL (company number 02974333) is the owner of Shepperton Studios and is registered with the ICO under registration Z730567X.

The registered office of PGL, PSL, PSB and SSL is Pinewood Studios, Pinewood Road, Iver, Buckinghamshire, SL0 0NH.

Personal Data We May Collect About You

  • We collect and process the following personal data from you directly, ahead of your visit to our sites and when you visit our sites:
  • your name and contact details;
  • your organisation and job title;
  • your photograph to create your security IT pass (if applicable);
  • car details (make, model and registration);
  • where you submit personal data as part of Pinewood feedback surveys or sign up to news alerts; and
  • when you register at reception, we will ask for your photographic ID, but we will not take or store any copy of it.
    We also collect the following personal data indirectly:
  • information about where you have been on site, which is tracked when you use your temporary access pass around the sites;
  • images of you collected through CCTV and other information obtained through electronic means such as security access fobs and card records and footage from security body-worn cameras; and
  • information about you from your employer if they are a client, tenant or contractor of PGL and require you to have access to our sites.

Uses Made of the Personal Data and Legal Basis

We use this information for the following purposes for our legitimate interests in ensuring the operation and security of our premises and property, safeguarding the interests of third party businesses based at our sites and for enforcing and protecting the rights of our Group:

  • to log you in to our visitor check in system;
  • to produce security access passes;
  • to produce confidentiality agreements, which we may ask you to sign; and
    Pinewood Group Visitor Privacy Notice (September 2024) Page 2 of 3
    to make contact with you whilst you are on-site, including emergency notifications and to send you studio notices and site information via electronic means including email or SMS.
  • In addition to the normal ways we use your data as part of the operation of our sites, we may use electronic means (via email or SMS) to contact you to request that you give feedback on your experience of working at and visiting our studios. The feedback surveys are entirely voluntary and answers can be given anonymously. If you do not wish to receive invitations to complete feedback surveys you can opt out by clicking the ‘unsubscribe’ link provided, or by emailing data.protection@pinewoodgroup.com. Please note where we anonymise your data in respect of feedback surveys, it will cease to become personal data under Data Protection Legislation.
  • We also process email communication traffic data in our legitimate interests for business relationship evaluation, business development and analytics purposes (namely, the “date”, “messageID”, “to”, “from” and “cc” fields of emails sent and received by us, but not the content of any emails or email calendar invitations). The system may pick up emails sent between you and our staff in connection with your visit or other business purposes.
  • The Data Protection Legislation requires specific conditions to be met to ensure that the processing of your personal data is lawful. The legal basis that we rely on will be determined by the specific purposes and context of the processing. However, the relevant conditions are pursuant to Article 6(1)(f) GDPR – Legitimate Interests – the processing is necessary in the legitimate interests of us as data controller in terms of maintaining the workplace and managing business continuity.


Disclosure of Your Information

We may disclose your personal data to any member of our Group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006 where necessary in our legitimate interests for administrative purposes.

We will also share your personal data with sub-contractors and suppliers where necessary – for example, providers of our visitor check in and access control systems and security, cleaning and catering contractors, the operator of our mail room delivery tracking app and our data analytics provider. We have a contract with these third parties which requires them to keep your personal data secure. We may also (where applicable) share your personal data with your employer if they are a client, tenant or contractor to the Group.

For security reasons and in our legitimate interests and those of the relevant third parties, if you have attempted to go into restricted areas, then we may need to inform the third parties occupying those areas.

Rarely, we may need to disclose your personal data to third parties where necessary for the legitimate interests of business (for example, if we were selling our business or in connection with legal proceedings), in order to comply with legal obligations and/or for the purposes of preventing crime and other unlawful acts.

Overseas Transfers

We may need to transfer your information outside the UK to service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the European Economic Area (EEA), such as the United States of America (US). In particular, email communication traffic data may be processed by our data analytics provider in the US.

We will take all steps reasonably necessary to ensure that your personal data is handled securely, in accordance with this notice and applicable data protection legislation, and that adequate safeguards are in place. This could include using the UK’s model International Data Transfer Agreement (IDTA) which came into force in March 2022 applicable for transferring personal data outside of the UK, including to the EU and following guidance provided by the ICO, and complying with current law on the transfer of personal data to the United States in line with the “EU-US Data Privacy Framework” and any UK extension thereto. If you would like further information, please contact dataprotection@pinewoodgroup.com.

How we will keep your information secure

We will take all steps reasonably necessary to ensure that your personal data is handled securely and in accordance with this notice and the applicable data protection legislation. We have produced clear instructions and developed clear reporting lines in relation to the processing of personal data. Please see the Group’s Privacy Policy and Data Protection Policy for additional information.

Your Rights

In addition to the right to be informed about how we use your personal data (as set out in this notice), you have various other rights in respect of the personal data we hold about you. You have the right to object to how we use your personal data. You also have the right to see what personal data we hold about you. In addition, you can ask us to correct inaccuracies, delete or restrict personal data or to ask for some of your personal data to be provided to someone else. To make enquires for further information about exercising any of your rights in this notice, please contact dataprotection@pinewoodgroup.com. If you have complaints about how we have used your personal data, you can contact the Information Commissioner’s Office, at https://ico.org.uk/.

How Long We Store Your Personal Data

In general, we hold your information for the later of (i) one year; or (ii) 12 months after your last visit, unless we need to keep it longer in order to deal with any ongoing action or complaints.

We will hold confidentiality forms signed by you for 6 years.
Data from CCTV cameras and other footage will not be retained indefinitely but will be permanently deleted once there is no reason to retain the recorded information. Exactly how long CCTV images will be retained for will vary according to the purpose for which they are being recorded. For example, where images are being recorded for crime prevention purposes, data will be kept long enough only for incidents to come to light. In all other cases, recorded images will be kept for no longer than 30 days.

Changes to this Notice

This notice will be reviewed periodically, and we will update it if we make any material changes to the manner in which we process and use your personal data, and if so we will contact you to let you know about the change.

Next Review Date: September 2025.

For further information about how we process personal data as a business, please see our Privacy Policy available at www.pinewoodgroup.com.

Download our Studio Visitor Policy here

2024
Visitor Privacy Notice September 2024