CAA UK Limited and CAA Sports UK Limited Privacy Notice

  1. Introduction

Creative Artists Agency UK Limited and CAA Sports UK Limited, (together "Company", “our” and “we”) are committed to the protection and promotion of individual privacy. This notice ("Notice") provides relevant information about the Company’s processing of our clients’ (“you” and “your”) personal data in the UK. In connection with your use of our Services (see below), it is necessary for the Company to collect, store and use personal data about you for specified purposes in order to provide the Services. The Company will process any such personal data in accordance with the UK General Data Protection Regulation ("GDPR") and other applicable data protection laws, such as the Data Protection Act 2018.

It is important that you read this notice carefully to understand your rights, and how we will process your personal data.

  1. Identity of the Data Controller

The Company is responsible for handling your personal data and is the data controller in respect to your personal data. Our contact details are set out in Section 10 below.

  1. Purposes for Processing Personal Data

We process data that as an entertainment talent agency, allows us to provide a wide range of services to clients in varying industries including, but not limited to: television, motion picture, theatre, music, sports, comedy, speaking, gaming, podcasts, publishing and marketing. In connection with these industries, the Company works to, among other things, make available to our clients, opportunities with regard to:

  • Acting, directing, producing, and writing;
  • Book publishing;
  • Brand consulting and marketing;
  • Consumer product licensing;
  • Endorsements;
  • Touring and live performances; and
  • Project Management.

(the “Services”).

We may also use the information that you provide us, together with any information that we may receive about you from other sources, in the following ways:

  • To provide you with the information that you request from us;
  • To process payments;
  • To improve our services;
  • Business administration and internal record management; and
  • To provide you with information about projects or services we feel may interest you.

The Company processes personal data relating to you necessary for the performance of the agreement with the Company for the Services. The Company endeavors to safeguard personal information and will only collect personal information that is required in order to effectively provide these Services, pursue its legitimate business interests, and remain in compliance with all applicable laws.

Where applicable, we will let you know at the time of the data collection, if the provision of the personal data is a statutory or contractual requirement and whether you are obliged to provide personal data and the possible consequences of the failure to provide such data.

  1. Categories of Personal Data that we Process

The categories of personal data that the Company processes about its clients are set out in Annex 1 to this Notice, which also identifies the lawful basis for the processing, including where the processing is for the Company’s pursuit of its legitimate business interests.

The data that the Company processes may include special categories of data, as defined by the GDPR, and to the extent allowed therein. Such special categories of data may include data about:

  1. Health or illness, biometric data, race or ethnicity, religious beliefs, sexual orientation or political opinions (where relevant to the Services); or
  2. Trade union membership (e.g., SAG-AFTRA, DGA, etc.).

Your data may be sourced in multiple ways, including, but not limited to: from you or representatives authorized to provide such information on your behalf; information made available in the public domain (e.g., websites, social media, news articles, public statements, interviews, etc.); and through business dealings with third parties or trade unions.

  1. Recipients of Personal Data and International Transfers

The Company may disclose your personal data to certain third parties. The following is a non-exhaustive list of recipients to whom your personal data may be transferred:

  1. Subsidiaries, affiliates and the parent company of the Company;
  2. Service providers;
  3. Regulatory authorities;
  4. Legal and other professional advisors;
  5. Prospective purchasers of the Company or Company assets;
  6. Buyers.

The Company is part of the global CAA group of companies. As a result, we may share your personal data with other companies in our group as well as with external third parties in order to provide our Services and otherwise in connection with the running of our business, including to enable us to comply with our legal obligations.

Where we share your personal data with selected service providers who are engaged by us to assist us to provide our Services or with the running of our business, we ensure that these service providers are bound by law and/or contract to protect the confidentiality and security of personal data and to only use the personal data to provide the requested services to us and in accordance with applicable law.

Some of the companies in our group are located outside of the UK/ European Economic Area (“UK/EEA”) in territories that do not have the same level of protection for personal data as within the UK/EEA, (such as our parent company, Creative Artists Agency LLC located in the US) and some of our external service providers may process your personal data outside of the UK/EEA. If and when transferring your personal data outside the UK/EEA, we will only do so when we have an appropriate mechanism or safeguard in place, including:

  1. the transfer is to a non-UK/EEA country that has been the subject of an adequacy decision by the UK Secretary of State; or
  2. the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to countries outside the UK/EEA (e.g., ICO's International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses).

International transfers to our affiliates, subsidiaries and our parent company located outside of the UK/EEA are governed by the EU Commission's Standard Contractual Clauses for Controllers and the UK's Information Commissioner's Office (ICO) Addendum. A copy of this agreement can be requested using the contact details provided in Section 10 below.

These transfers of your personal data may be made subject to the above-mentioned safeguards, and/or where the transfer is occasional and necessary for the performance of a contract or the implementation of precontractual measures between you and the Company. Additionally, where it is in your interests, we may also transfer data relating to you that is necessary for the performance/conclusion of a contract between the Company and a third party.

The Company may choose to sell, transfer, or merge parts of its business, or its assets. Or it may seek to acquire other businesses or merge with them. During any such process, the Company may share your data with other parties. It will only do this if the other parties agree to keep your data safe and private.

  1. Your Rights

You have the following rights:

  1. to obtain access to your personal data – you may request information on how your personal data is handled by us and request a copy of such personal data;
  2. to request that we correct or update your personal data if it is inaccurate or out of date;
  3. to object to the processing of your personal data for the purposes of our legitimate interests, unless we:
    1. demonstrate compelling legitimate grounds which override your right to object; or
    2. the processing is necessary for the establishment, exercise or defence of legal claims;
  4. to ask us to erase your personal data held by us, for example:
    1. which is no longer necessary in relation to the purposes for which it was collected;
    2. to the processing of which you object; or
    3. which may have been unlawfully processed by us;
  5. to ask us to restrict the processing of your personal data, for example:
    1. where you would like us to verify the accuracy of the data; or
    2. where you object to the processing of it by us on the basis of legitimate interests (see para 6c) above) pending verification of whether we have overriding legitimate grounds to process the data; and
  6. to ask us to transmit personal data, you submitted to us back to you or to another organisation in certain circumstances.

The right to erasure and to restrict processing listed above may not apply or may be limited in certain circumstances, such as where the processing is necessary for compliance with our legal obligations or the establishment, exercise or defence of legal claims.

Where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time, but this will not affect the lawfulness of processing based on your consent prior to withdrawal.

These rights are not absolute and may be subject to certain conditions under the GDPR. Should you wish to exercise any of these rights, please contact the Company using the details in Section 10.

  1. Retention of Personal Data

The Company will keep and process your personal data only for as long as is necessary for the purposes for which it was collected in connection with the Services, unless the Company has a legal right or obligation to retain the data for a longer period, or in order to establish, exercise, or defend potential legal claims.

  1. Automated Decision-Making

We do not envisage that any decisions will be taken about you using solely automated means. We will notify you if this changes.

  1. Complaints

We strive to process your personal data in accordance with the applicable legal obligations but if you have any complaint(s) in that regard, please address your complaint(s) using the contact details set out in Section 10.

You also have the right to lodge a complaint with a supervisory authority for data protection in your jurisdiction. In the UK, the supervisory authority is the Information Commissioner’s Office. We ask that if you are not happy with how we handle your personal data that you reach out to us in the first instance so that we can try to provide you with a satisfactory resolution to your request.

  1. Contact Details

If you have any questions about this Notice or information we hold about you, please contact us using the following contact details:

Katerina Krumwiede
Creative Artists Agency
12 Hammersmith Grove
W6 7AP
Tel:  +44 (0) 8000 489 009

We may update this Notice periodically. Where the changes made are material, we will inform you of these.



Annex 1: Categories of Personal Data and Grounds for Processing

Company will process the following categories of personal data based on specified lawful bases for processing under the GDPR. Key examples of data and the legal bases for processing are set out below:

  1. Personal data necessary for the performance of the agreement with the Company for the Services:
  1. Contact Details
  1. Name;
  2. Personal Contact details (personal email address, phone numbers, physical address, etc.);
  3. Contact details of managers, legal and professional advisors, and public relations representatives; and
  4. Travel Information (e.g., passports, mileage accounts, etc.).
  1. Photographs (e.g., headshots), videos, audio, recordings, and other forms of digital media provided by you or sourced from the public domain.
  2. Banking Details
  1. Name of banking institution(s);
  2. Account and/or routing numbers for deposits or electronic transfers (i.e. wire transfer).
  1. Tax records and any other tax related documentation necessary for the performance of the Services (e.g., UTR, EU VAT Number).
  1. Personal Data necessary to comply with Company’s legal obligations

Some examples of legal obligations include:

  • Record-keeping and reporting obligations;
  • Conducting audits, compliance with government inspections and other requests from government or other public authorities (e.g., processing personal data in order to comply with legal obligations to HMRC); and
  • Responding to legal processes, pursuing legal rights and remedies, defending litigation, managing any internal complaints or claims, and conducting investigations (e.g., processing personal data in response to a court order).

The categories of personal data collected may include:

  • Records of payments received and/or disbursed to you;
  • Tax records;
  • Contracts, deal memos, or other agreements; and
  • Contact details.
  1. Personal Data processed where necessary for the purposes of pursuing the legitimate interests of the Company or a third party

Personal data will only be processed with regard to pursuing legitimate interests of the Company or a third party where appropriate and where such legitimate interest is not overridden by your rights and freedoms.

Some examples of the Company’s legitimate interests include:

  • Mergers and acquisitions with other companies;
  • Dealings with prospective purchasers of the Company or its assets;
  • Improvement of the services provided to our clients, invoicing for our services or dealing with complaints;
  • To pursue or defend against legal claims;
  • Business dealings with subsidiaries, affiliates, and parent companies of the Company; and
  • Social and/or charitable interests of the Company that benefit society as a whole (e.g., CAA Foundation).