CAA Client Privacy Notice (Global excluding United States)
  1. Introduction

Creative Artists Agency and its affiliates, (together "Company", “our” and “we”) are committed to the protection and promotion of individual privacy. This notice ("Notice") provides relevant information about the Company’s processing of our clients’ (“you” and “your”) personal data worldwide (excluding the United States which has a separate Client Privacy Notice). In connection with your use of our Services (see below), it is necessary for the Company to collect, store and use personal data about you for specified purposes in order to provide the Services. Personal data is information, or a combination of pieces of information that could reasonably allow you to be identified.

It is important that you read this notice carefully to understand your rights, and how we will process your personal data.

This Notice uses terminology derived from the GDPR. Where you are located in a jurisdiction outside of the UK or EEA, references to GDPR-specific terms (such as “personal data”, “data controller”, “data processor”, “special personal data”, and “lawful basis”) should be construed as references to equivalent or analogous concepts under the data protection laws applicable in your jurisdiction. 

  1. Identity of the Data Controller

A reference to “Company,” “we,” or “our” is a reference to Creative Artists Agency LLC and/or its relevant subsidiaries and affiliates involved in the collection, use, disclosure, or other processing of personal data. The entity you have entered into a contract with is responsible for handling your personal data and is the data controller (or the equivalent term under applicable laws in your jurisdiction, such as the “data user” if you are based in Hong Kong) in respect to your personal data. If you have any questions on who the data controller is in relation to your personal data, please contact us using the contact details are set out in Section 10 below.

In some cases, the Company may act as a data processor rather than a data controller (or, in each cash, the equivalent term under applicable laws in the relevant jurisdiction). This means that whilst the Company may process personal data similar to that described in this Notice, the Company does so on behalf of, and under the instructions of, another entity who is the data controller. In these circumstances, the Company is not responsible for, amongst other things, providing transparency information in respect of such processing, establishing a lawful basis for the processing, or responding to data subject rights requests. The relevant data controller in such cases will be a separate entity, and their privacy notice (or equivalent document under applicable laws in the relevant jurisdiction) will contain the relevant information regarding how your personal data is processed.

  1. Purposes for Processing Personal Data and Legal Bases for Processing
    • Acting, directing, producing, and writing;
    • Book publishing;
    • Brand consulting and marketing;
    • Consumer product licensing;
    • Endorsements;
    • Touring and live performances; 
    • Project Management; and
    • Brand Management.
    • To provide you with the information that you request from us;
    • To process payments;
    • To improve our Services;
    • For business administration and internal record management; and
    • To provide you with information about projects or Services we feel may interest you.

We process personal data that, as an entertainment talent agency, allows us to provide a wide range of services to clients in varying industries including, but not limited to television, motion picture, theatre, music, sports, comedy, speaking, gaming, podcasts, publishing and marketing. In connection with these industries, the Company works to, among other things, make available to our clients, opportunities with regard to:

(the “Services”).

We may also use the information that you provide us, together with any information that we may receive about you from other sources, in the following ways:

The Company processes personal data relating to you necessary for the performance of the agreement with the Company for the Services. The Company endeavours to safeguard personal information and will only collect personal information that is required to effectively provide these Services, pursue its legitimate business interests, and remain in compliance with all applicable laws, or with your consent to such collection. Some of the personal data we collect is required to enter into or perform a contract with you, or to comply with our legal obligations, if you do not provide this data, we may be unable to provide our services or fulfil our obligations to you. Other personal data is provided voluntarily and is not a mandatory requirement.  Further information about the legal bases for processing your personal data is included at Annex 1.

The lawful bases set out in this Notice and Annex 1 are primarily based on GDPR principles. In some jurisdictions 'legitimate interest' is not recognised as a lawful basis for processing personal data. In those jurisdictions, we will rely on an alternative lawful basis such as consent, performance of a contract, or compliance with legal obligations. Where we rely on your consent as the basis for processing. Providing consent will not be made a condition of receiving our services unless that processing is directly and necessarily linked to the delivery of those services or the performance of your contract. For more information about the lawful basis we rely on to process your personal data in your jurisdiction, please contact us using the details provided in Section 10.

Where applicable, we will let you know at the time of the data collection, if the provision of the personal data is a statutory or contractual requirement and whether you are obliged to provide personal data and the possible consequences of the failure to provide such data.

  1. Categories of Personal Data that we Process

The categories of personal data that the Company processes about you are set out in Annex 1 to this Notice, which also identifies the lawful bases for the processing, including where the processing is for the Company’s pursuit of its legitimate business interests.

  1. Recipients of Personal Data and International Transfers

 The Company may disclose your personal data to certain third parties, including:

  1. Subsidiaries, affiliates and the parent company of the Company;
  2. Service providers;
  3. Regulatory authorities;
  4. Legal and other professional advisors;
  5. Prospective purchasers of the Company or Company assets;
  6. Buyers.

The Company is part of the global CAA group of companies. As a result, we may share your personal data with other companies in our group as well as with external third parties in order to provide our Services and otherwise in connection with the running of our business, including to enable us to comply with our legal obligations.

Where we share your personal data with selected service providers who are engaged by us to assist us to provide our Services or with the running of our business, we ensure that these service providers are bound by law and/or contract to protect the confidentiality and security of personal data and to only use the personal data to provide the requested services to us and in accordance with applicable law.  

Some of the companies in our group are located in territories that do not have the same level of protection for personal data as your local jurisdiction, (such as our parent company, Creative Artists Agency LLC located in the US), and some of our external service providers may also process your personal data outside of the jurisdiction in which you are based. 

If and when transferring your personal data outside of your jurisdiction (the “Relevant Jurisdiction”), CAA will comply with applicable local law requirements in respect of such transfers, and in particular we will only do so when we have an appropriate mechanism or safeguard in place, including: 

a)      ensuring the transfer is to a country that has been the subject of an adequacy decision by the appropriate body in the Relevant Jurisdiction (such as the UK Secretary of State in the UK, and the EU Commission in the EU); or 

b)      the transfer is covered by a contractual agreement which includes appropriate standard contractual clauses approved by the appropriate body in the Relevant Jurisdiction (e.g., in the UK, ICO's International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses). 

International transfers to our affiliates, subsidiaries and our parent company located outside of the UK/EEA are governed by the EU Commission's Standard Contractual Clauses and the UK's Information Commissioner's Office (ICO) Addendum.

Where you are located in another jurisdiction, different transfer requirements may apply. CAA will comply with applicable local transfer requirements, which may include obtaining your consent, conducting data protection impact assessments, or implementing other safeguards as required by local law.

For more information on the appropriate safeguards in place and to obtain a copy of these, please contact us using the contact details provided in Section 10 below. These transfers of your personal data may be made subject to the above-mentioned safeguards, and/or where the transfer is occasional and necessary for the performance of a contract or the implementation of precontractual measures between you and the Company. Additionally, where it is in your interests, we may also transfer data relating to you that is necessary for the performance/conclusion of a contract between the Company and a third party. 

The Company may choose to sell, transfer, or merge parts of its business, or its assets. Or it may seek to acquire other businesses or merge with them. During any such process, the Company may share your data with other parties. It will only do this if the other parties agree to keep your data safe and private.

Where CAA requires your consent before sharing your personal data with third parties, we will obtain such consent in accordance with local law. 

  1. Your Rights

Depending on the local laws of the jurisdiction that you are in, you may have certain rights in relation to your personal data. These may include:

  1. to obtain access to your personal data – you may request information on how your personal data is handled by us and request a copy of such personal data;
  2. to request that we correct or update your personal data if it is inaccurate or out of date;
  3. to object to the processing of your personal data for the purposes of our legitimate interests, unless we:
    1. demonstrate compelling legitimate grounds which override your right to object; or
    2. the processing is necessary for the establishment, exercise or defence of legal claims;
  4. to ask us to erase your personal data held by us, for example data which is no longer necessary in relation to the purposes for which it was collected;
  5. to the processing of which you object to ask us to restrict the processing of your personal data, for example:
    1. where you would like us to verify the accuracy of the data; or
    2. where you object to the processing of it by us on the basis of legitimate interests (see para 6c) above) pending verification of whether we have overriding legitimate grounds to process the data; 
  6. to ask us to transmit personal data, you submitted to us back to you or to another organisation in certain circumstances;
  7. to be informed how we collect your personal data, the legal basis for collection and processing, how such data is processed, stored, destroyed, and to whom it will be disclosed; and
  8. in the jurisdictions where applicable data protection law gives such right, to claim compensation for material or moral harm suffered as a result of a violation of applicable data protection law.

The right to erasure and to restrict processing listed above may not apply or may be limited in certain circumstances, such as where the processing is necessary for compliance with our legal obligations or the establishment, exercise or defence of legal claims.

Where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time, but this will not affect the lawfulness of processing based on your consent prior to withdrawal. 

These rights are not absolute and may be subject to certain conditions under the law. Should you wish to exercise any of these rights, please contact the Company using the details in Section 10. If for some reason we cannot fulfil your request to exercise these rights, we will provide you with the reasons for our decision. 

Please note that the rights that you have in relation to your personal data may differ depending on the jurisdiction that you are in. For example, in jurisdictions such as Dubai (if you are based in the DIFC), you also have an anti-discrimination right, meaning you have the right to not be treated differently with regards to our provision of services, purely because you have exercised another right in respect of your personal data that we process.

  1. Security/Retention of Personal Data

The Company will take practicable steps to ensure that personal data we hold is protected against unauthorised or accidental access, processing, erasure, loss or use.

The Company will keep and process your personal data only for as long as is necessary for the purposes for which it was collected in connection with the Services, unless the Company has a legal right or obligation to retain the data for a longer period, or in order to establish, exercise, or defend potential legal claims. As a general framework, personal data is retained for the duration of our relationship with you and thereafter for a period reflecting relevant statutory limitation periods, unless a longer period is required by other law or regulation. Specific retention periods applicable to different categories of personal data are available on request. Once personal data is no longer required for the purpose for which it was collected, it will be securely destroyed or anonymised using methods that prevent recovery or further access, such as secure deletion, anonymisation, or physical destruction of paper records.

  1.  Automated Decision Making

We do not envisage that any decisions will be taken about you using solely automated means. We will notify you if this changes.

  1. Complaints

We strive to process your personal data in accordance with the applicable legal obligations but if you have any complaint(s) in that regard, please address your complaint(s) using the contact details set out in Section 10.

You also have the right to lodge a complaint with a supervisory authority for data protection in your jurisdiction. We ask that if you are not happy with how we handle your personal data that you reach out to us in the first instance so that we can try to provide you with a satisfactory resolution to your request. 

  1. Contact Details

If you have any questions about this Notice or information we hold about you, please contact us using via email at Privacy@caa.com.

Our Data Protection Officer can be contacted at the same details. 

We may update this Notice periodically. Where the changes made are substantive or material, we will inform you of these.