This privacy notice covers data processing relating the site at Reynard Park, Brackley, NN13 7BD. It applies to anyone who passes the Gatehouse on entry to the site, for example, employees, visitors and contractors (“Visitors”). However, the personal data we will process about you will vary depending on your specific reasons for using the site. When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.
Mercedes-Benz Motorsport (“MBM”) and Mercedes-Benz Grand Prix (“MGP”) are controllers in respect of your personal data. MBM and MGP are committed to ensuring that the personal data of those entering the site is handled in accordance with the law, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. If you have any questions about this notice or wish to exercise any of your rights in relation to your personal data, you may do so by emailing MGP’s Data Protection Officer (email@example.com) who will respond to your request on behalf of the other controllers.
How do we obtain your personal data?
We obtain your personal data from:
CCTV images taken using our CCTV systems;
our Automatic Number Plate Recognition system; and
your Personnel Access card.
What personal data do we process and why?
We process the following personal data:
contact details such as your personal address, contact telephone numbers (landline and mobile) and personal email addresses;
employee ID number;
next of kin, emergency contacts and their contact information;
ethnicity information (if you choose to provide it);
location of employment;
details required for using catering facilities;
relevant health and medical data if using our on-site performance centre facilities;
photos and CCTV images; and
the number plate of any vehicles you drive onto MBM and MGP premises.
Special category personal data
In addition to the list above, we also process the following information (which constitutes ‘special category data’ under the UK GDPR), to comply with our legal obligations and ensure the health, safety and wellbeing of our Visitors when attending the site.
health and wellbeing information either declared by you (for example when you join the on-site gym); and
allergy information when prepared during an on site food order,
What is the basis we use to process your personal data?
We rely on the following lawful basis for processing your personal data under the UK GDPR – the basis that applies will depend on the processing activity taking place:
the processing takes place with your consent (Article 6(1)(a));
the processing necessary for the performance of a contract (Article 6(1)(b));
the processing necessary to comply with our legal obligations as your employer (in respect of Visitors who are employees) (Article 6(1)(c));
the processing is necessary in order to protect your vital interests or those of another person (Article 6(1)(d)); and
the processing is for the purposes of our legitimate interests (Article 6(1)(f)).
On what basis do we process your special category personal data?
When it is necessary to process special category data, we only do so when we fulfil one or more of the bases set out below:
explicit consent (Article 9(2)(a) UK GDPR);
to carry out our obligations and exercise our rights in the field of employment, social security and social protection, where authorised by UK law; (Article 9(2)(b) UK GDPR); and
for the establishment, exercise or defence of legal claims (Article 9(2)(f) GDPR).
In addition, we rely on processing conditions in Schedule 1 of the DPA 2018:
employment, social security and social protection (Paragraph 1, Part 1, Schedule 1).
How long do we keep your personal data for?
MBM and MGP will not keep your personal data for longer than MBM and MGP need to retain it. The Retention Schedule below sets out the duration of processing for the main processing purposes:
Maximum 28 days
Employee access Cards
During employment only
Internal records of number plates for employees and long-term contractors 12 months+): for the duration that they are employed/contracted.
Deleted immediately after the event
Information related to Catering on-site
Maximum 31 days
Retained only for so long as you are a member plus 3 years (for legal purposes)
Electric Charging Point
Maximum 28 days after deletion of the account
Who do we share your personal data with?
We may share your personal data within the company and with the following third parties:
our on-site third-party security provider;
the provider of our CCTV security system;
on-site catering provider;
on-site catering payment provider;
external catering providers;
electric vehicle charging provider; and
law enforcement agencies and bodies that we are regulated by.
Do we transfer your personal data outside of the EEA?
We don’t routinely transfer your personal data outside of the EEA but if and when this is necessary, we ensure that there are appropriate safeguards in place, in accordance with the law.
Additional information about how we process Visitor personal data
Automatic Number Place Recognition system
Our facilities department hold vehicle licence plate details linked to you if you enter the site in a vehicle.
Every employee has access to the on-site performance centre and each site visitor is able to use the gym if pre-agreed to do so. Before anyone is provided with access to the performance centre, the performance centre will ask certain questions of you relating to your health and experience of using gyms. The data collected will be inline with UK GDPR and retained in accordance with the above Retention Schedule.
Employee and Visitor passes
All Visitors are issued with a security pass. Employee pass details are held on a standalone machine controlled by the Facilities department and can only be accessed by a restricted number of people. Any staff photographs used for the staff passes are uploaded to our HR software provider called Workday by HR staff or directly by you. Your employee security pass can also be used to purchase food and beverages from the Hub, if you have created an account on Systopia.
We operate CCTV on the site for security and safety reasons. This includes external CCTV cameras and CCTV cameras inside our premises, to monitor access to certain areas of the office. You will find signage informing you of the presence of CCTV cameras in the areas that they are installed.
All Visitors are able to access the on-site catering facility. If you let the staff at the catering facility know that you have an allergy, this information will be used to serve you but will not be recorded anywhere. On some occasions we may obtain your personal data relating to allergies in advance of you eating on site, this may be in relation to third party providers. In such scenario, the data obtained is retained in accordance with UK GDPR and has illustrated in the Retention Schedule above. The third party catering payment provider will use your payment details to take payment for any food ordered. The payment details are retained in accordance with UK GDPR and will be retained as per the Retention Schedule above.
What are my rights in relation to the personal data you process?
You have the right to:
The right to be provided with a copy of your personal data
The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten)
The right to require us to delete your personal data—in certain situations
Restriction of processing
The right to require us to restrict processing of your personal data in certain circumstances, eg if you contest the accuracy of the data
The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
The right to object:
—at any time to your personal data being processed for direct marketing (including profiling);
—in certain other situations to our continued processing of your personal data, eg processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims
Not to be subject to automated individual decision making
The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you
The right to withdraw consents
If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time
You may withdraw consents by emailing DPO@mercedesamgf1.com. Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn
For more information on each of your rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below) or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.
If you would like to exercise any of the above rights, please contact DPO@mercedesamgf1.com. Note that these rights are not absolute, and, in some circumstances, MBM and MGP may be entitled to refuse some or all of your request. You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website: https://ico.org.uk.
Who should I contact if I have a query?
For questions or concerns about how your personal data is being used, please contact DPO@mercedesamgf1.com.
Changes to this privacy notice
We will periodically update our privacy notice to ensure the information we give you about how we process your personal data is up-to-date. This privacy notice was last updated on 30 June 2023.