1.    Introduction
Creative Artists Agency UK Limited (“Company”) is committed to the protection and promotion of individual privacy. In connection with your use of our Services (see below), it is necessary for the Company to collect, store and use personal data about you for specified purposes in order to provide the Services. The Company will process any such personal data in accordance with the data protection principles set out in the European Union’s General Data Protection Regulation 2016 (“GDPR”). 
This notice (“Notice”) provides relevant information about the personal data that is processed by the Company in the UK.
2.    Identity of the Data Controller
The Company is responsible for handling your personal data and is the data controller in respect to your personal data.
3.    Purposes for Processing Personal Data
We process data that as an entertainment talent agency, allows us to provide a wide range of services to clients in varying industries including, but not limited to: television, motion picture, theatre, music, sports, comedy, speaking, gaming, and marketing. In connection with these industries, the Company works to, among other things, make available to our clients, opportunities with regard to:
•    Acting, directing, producing, and writing;
•     Touring and live performances;
•    Brand consulting and marketing; and
•    Endorsements,
(the Services).
The Company processes personal data relating to you necessary for the performance of the agreement with the Company for the Services. The Company endeavors to safeguard confidential personal information and will only collect personal information that is required in order to effectively provide these Services, pursue its legitimate business interests, and remain in compliance with all applicable laws.

4.    Categories of Personal Data that we Process
The categories of personal data that the Company processes for these purposes are set out in Annex 1, which also identifies the lawful basis for the processing, including where the processing is for the Company’s pursuit of its legitimate business interests.  
The data Company processes may include special categories of data as defined by the GDPR and to the extent allowed therein. Such special categories of data may include data about:
(a)    Race or ethnicity, religious beliefs, sexual orientation or political options (collected for equal opportunities monitoring);
(b)    Health or illness; or
(c)    Trade union membership (e.g., SAG-AFTRA, DGA, etc.).
THIS DATA MAY BE SOURCED IN MULTIPLE WAYS, INCLUDING, BUT NOT LIMITED TO: CONVERSATIONS WITH YOU OR REPRESENTATIVES AUTHORIZED TO PROVIDE SUCH INFORMATION ON YOUR BEHALF; INFORMATION MADE AVAILABLE IN THE PUBLIC DOMAIN (E.G., WEBSITES, SOCIAL MEDIA, NEWS ARTICLES, PUBLIC STATEMENTS, INTERVIEWS, ETC.); AND THROUGH BUSINESS DEALINGS WITH THIRD PARTIES OR TRADE UNIONS.
5.    Recipients of Personal Data and International Transfers
The Company may transfer data belonging to you. The following is a non-exhaustive list of recipients to whom data may be transferred:
1.    Subsidiaries, affiliates and parent companies of the Company;
2.    Regulatory authorities;
3.    Legal and other professional advisors; 
4.    Prospective purchasers of the Company;
5.    Buyers.
If and when transferring your personal data outside the EU or European Economic Area (“EEA”), we will only do so using one of the following safeguards:
a)    the transfer is to a non-EEA country that has been the subject of an adequacy decision by the EU Commission;
b)    the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to countries outside the EEA (e.g., Standard Contractual clauses); or
c)    the transfer is to an organisation in the US that is EU-US Privacy Shield certified.
International transfers to our affiliates, subsidiaries and parent companies are governed by EU Commission-approved Standard Contractual Clauses for Controllers. 
These transfers may be made on the basis of standard contractual clauses, and/or where the transfer is necessary for the performance of a contract or the implementation of pre contractual measures between you and the Company.  Additionally, where it is in your interests, we may also transfer data belonging to you that is necessary for the performance/negotiation of a contract between the you and a third party.
Company may choose to sell, transfer, or merge parts of its business, or its assets. Or Company may seek to acquire other businesses or merge with them. During any such process, Company may share your data with other parties. Company will only do this if they agree to keep your data safe and private.
6.    Your Rights
You have the following rights:
a)    to obtain access to your personal data - you may request information on how your personal data is handled by us and request a copy of such personal data; 
b)    to request us to correct or update your personal data if it is inaccurate or out of date; 
c)    to object to the processing of your personal data for the purposes of our legitimate interests, unless we: 
i.    demonstrate compelling legitimate grounds which override your right to object; or
ii.    the processing is necessary for the establishment, exercise or defense of legal claims;
d)    to erase your personal data held by us:
i.    which are no longer necessary in relation to the purposes for which they were collected;
ii.    to the processing of which you object; or
iii.    which may have been unlawfully processed by us; 
e)    to restrict processing by us, i.e. the processing will be limited to storage only:
i.    where you oppose to deletion of your personal data and prefer restriction of processing instead; or
ii.    where you object to the processing by us on the basis of its legitimate interests (see para 6 (c) above); and 
f)    to transmit personal data, you submitted to us back to you or to another organisation in certain circumstances.
The right to erasure, to restrict processing and to transmit personal data listed above may not apply in cases where the processing is necessary for compliance with our legal obligations or the establishment, exercise or defence of legal claims.
Where processing of your personal data is based on your consent, you have the right to withdraw your consent at any time, this will not affect the lawfulness of processing based on your consent prior to withdrawal. 
These rights are not absolute and may be subject to certain conditions under the GDPR. Should you wish to exercise any of these rights, please contact Company using the details in Section 9.
7.    Retention of Personal Data
Company will keep and process your personal data only for as long as is necessary for the purposes for which it was collected in connection with the Services, unless the Company has a legal right or obligation to retain the data for a longer period, or in order to establish, exercise, or defend potential legal claims. 
8.    Complaints
We strive to process your personal data in accordance with the applicable legal obligations but if you have any complaint(s) in that regard, please address your complaint(s) using the contact details set out in Section 9. 

You also have the right to lodge a complaint with a supervisory body for data protection in your jurisdiction, if you are not happy with how we handle your personal data and we could not provide you with a satisfactory resolution to your request.  If you wish to pursue any of these rights, please contact us using the details set out at the end of this Notice below.

9.    Contact Details
If you have any questions about this Notice or information we hold about you, please contact us using the following contact details:
Katerina Krumwiede
Creative Artists Agency
2000 Avenue of the Stars
Los Angeles, CA 90067
USA
Tel: 1-424-288-2000
privacy@caa.com

Company may update this Notice periodically. Where Company does this, Company will inform you of the changes. 
Annex 1: Categories of Personal Data and Grounds for Processing
Company will process the following categories of data based on legitimate grounds for processing. Some examples of data and the legal bases for processing are set out below:
1.    Personal data necessary for the performance of the agreement with the Company for the Services:  

a)    Contact Details
a.    Name;
b.    Personal Contact details (personal email address, phone numbers, physical address, etc.);
c.    Contact details of managers, legal and professional advisors, and public relations representatives and
d.    Travel Information (e.g., passports, mileage accounts, etc.).

b)    Photographs (e.g., headshots), videos, audio, recordings, and other forms of digital media provided by you or sourced from the public domain.

c)    Banking Details 
a.    Name of banking institution(s);
b.    Account and/or routing numbers for deposits or electronic transfers (i.e. wire transfer).

Tax records and any other tax related documentation necessary for the performance of the Services (e.g., UTR, EU VAT Number).

2.    Personal Data necessary to comply with Company’s legal obligations
Some examples legal obligations include:
•    Record-keeping and reporting obligations; 
•    Conducting audits, compliance with government inspections and other requests from government or other public authorities (e.g., processing personal data in order to comply with legal obligations to HMRC); and
•    Responding to legal processes, pursuing legal rights and remedies, defending litigation, managing any internal complaints or claims, and conducting investigations (e.g., processing personal data in response to a court order).
The categories of personal data collected include:
•    Records of payments received and/or disbursed to you;
•    Tax records;
•    Contracts, deal memos, or other agreements; and
•    Contact details.

Personal Data processed where necessary for the purposes of pursuing the legitimate interests of the Company.
Personal data will only be processed with regard to pursuing legitimate interests of the Company where necessary. 
Some examples of the Company’s legitimate interests include:
•    Mergers and acquisitions with new companies;
•    Dealings with prospective purchasers of the Company;
•    Business dealings with subsidiaries, affiliates, and parent companies of the Company; and
•    Social and/or charitable interests of the Company that benefit society as a whole (e.g., CAA Foundation).