Skip to main content
Luxe Security Group

Employee Privacy Policy

Version 1.0  |  Effective: 08 March 2026  |  Review: 08 March 2027

This policy applies to employees and contractors of Luxe Security Group Limited only.

1

Introduction

Luxe Security Group Limited (“we”, “us”, “our”) is committed to protecting the privacy and personal data of everyone who works for us or with us. This Employee Privacy Policy explains how we collect, use, store, share, and protect your personal data in our capacity as your employer or engager.

This policy applies to:

  • Employees (full-time and part-time)
  • Self-employed contractors and freelancers engaged by us
  • Job applicants undergoing our recruitment process

This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It does not form part of your employment contract and may be updated from time to time. We will notify you of any material changes.

2

Who We Are (Data Controller)

Luxe Security Group Limited is the data controller responsible for your personal data. This means we determine the purposes and means of processing the personal data we hold about you.

Registered Name

Luxe Security Group Limited

Registered Address

124 City Road, London, EC1V 2NX

Contact Email

data@theluxegroup.co.uk

ICO Registration

ZB879028

3

What Personal Data We Collect About You

As your employer or engager, we collect and process the following categories of personal data:

 3.1 Identity and Contact Information

  • Full name, home address, personal email address and personal telephone number
  • Date of birth and national insurance number
  • Next of kin and emergency contact details

 3.2 Employment and Engagement Records

  • CV, application form, and references
  • Employment history and qualifications
  • Right to work documentation (e.g. passport, visa, share code)
  • Employment contract, terms, and any variations
  • Working hours, rotas, shift patterns, and attendance records
  • Holiday, absence, and leave records

 3.3 SIA Licensing Information

  • SIA (Security Industry Authority) licence number
  • Licence type, issue date, and expiry date
  • Licence status and any conditions attached
  • First Aid certificate details (where required)

 3.4 Financial Information

  • Bank account details for payroll purposes
  • Tax code and PAYE reference
  • Pension enrolment details
  • Expense and payment records

 3.5 Performance and Conduct Records

  • Supervision notes, appraisal records, and performance reviews
  • Disciplinary and grievance records
  • Training records and certificates
  • Incident and accident reports

 3.6 Special Category Data

The following data is classified as special category data under UK GDPR and is afforded a higher level of protection. We only collect and process it where strictly necessary.

  • Medical and health information, including occupational health assessments, fitness-for-duty records, and any reasonable adjustments required
  • Information about disabilities, long-term health conditions, or injuries relevant to your role or workplace safety

We process special category data on the basis of carrying out employment law obligations, protecting vital interests, or where you have given explicit consent.

4

How We Collect Your Personal Data

We collect your personal data:

  • Directly from you during the recruitment and onboarding process
  • From your application form, CV, and any supporting documentation you provide
  • From third-party sources, such as reference providers, the Disclosure and Barring Service (DBS), right-to-work verification services, and the SIA licensing register
  • Through the day-to-day operation of your employment or engagement (e.g. timesheets, absence notifications, incident reports)
  • From clients or venues where you are deployed, where relevant to your conduct or performance
5

Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

Contract performance

Processing is necessary to perform your employment or contractor agreement, including paying you, managing your leave, and administering your role.

Legal obligation

Processing is necessary to comply with our legal obligations as an employer, including right to work checks, PAYE and National Insurance reporting to HMRC, pension auto-enrolment, health and safety legislation, and SIA licence verification requirements.

Legitimate interests

Processing is necessary for our legitimate business interests, including managing the performance and conduct of our workforce, maintaining the security of our operations, and protecting our clients and the public. We ensure our legitimate interests do not override your fundamental rights and freedoms.

Consent

In limited circumstances, we may ask for your explicit consent to process certain data (for example, to retain your details for future vacancy consideration after your engagement ends). You may withdraw consent at any time without detriment.

Special category data (employment law basis)

Where we process medical or health information, we do so to carry out our obligations and exercise our rights in the field of employment and social security law, including managing absences, reasonable adjustments, and fitness-for-duty assessments.

6

How We Use Your Personal Data

We use your personal data for the following purposes:

  • Recruiting, onboarding, and administering your employment or engagement
  • Verifying your identity, right to work, and SIA licence status
  • Processing your pay, expenses, pension contributions, and tax deductions
  • Managing your working hours, rotas, holidays, and absences
  • Conducting performance reviews, disciplinary processes, and grievance procedures
  • Ensuring your health, safety, and wellbeing in the workplace
  • Meeting our obligations to regulatory bodies, licensing authorities, and law enforcement
  • Maintaining deployment records for clients at whom you are stationed
  • Training, development, and certification tracking
7

Disclosure of Your Personal Data

Luxe Security Group Limited may be required or have legitimate reason to disclose your personal data to third parties. We take this obligation seriously and only share what is necessary for the specific purpose.

 7.1 Clients

We may share relevant personal data with clients at whose premises or events you are deployed. This may include:

  • Your name, SIA licence number, and licence type (to satisfy their legal obligation to confirm licensed personnel are on site)
  • Your photograph or physical description where required for site access or identification
  • Incident or conduct-related information where it directly concerns activities at their premises

Clients are provided only with the minimum data necessary and are expected to handle it in accordance with data protection law.

 7.2 Law Enforcement Agencies

We may be required to disclose your personal data to law enforcement agencies, including the police, where:

  • We receive a lawful request, court order, or legal obligation requiring disclosure
  • Disclosure is necessary to prevent or detect crime, or to protect the safety of individuals
  • An incident at a deployment site requires your involvement to be reported

We will, where lawfully permitted, notify you if a request for your personal data has been received from law enforcement.

 7.3 The Security Industry Authority (SIA)

As a business operating within the private security industry, we are required to work cooperatively with the SIA. We may share your personal data with the SIA in the following circumstances:

  • To verify the status of your SIA licence as part of our compliance obligations
  • To report concerns about unlicensed working or conduct that may affect licence fitness
  • In response to a formal SIA investigation, audit, or compliance check
  • As required under the terms of any SIA Approved Contractor Scheme (ACS) obligations

 7.4 Licensing Authorities and Local Councils

Local authorities and licensing committees have powers under the Licensing Act 2003 and associated legislation to request information. We may be required to disclose your personal data to:

  • Local councils in connection with premises licence compliance or licensing hearings
  • Licensing officers conducting inspections or investigations under the Licensing Act 2003
  • Other competent authorities exercising statutory powers in relation to licensed venues

Such disclosures will only be made where we are satisfied there is a lawful basis for the request and will be limited to the information strictly required.

 7.5 Other Regulatory and Statutory Bodies

We may also be required to share data with other regulatory or statutory bodies, including:

  • HM Revenue and Customs (HMRC) for payroll, tax, and National Insurance purposes
  • The Pensions Regulator in connection with auto-enrolment obligations
  • The Health and Safety Executive (HSE) where required by workplace health and safety legislation
  • The Disclosure and Barring Service (DBS) where relevant to criminal record checks

 7.6 Professional Advisers and Service Providers

We may share your data with trusted third parties who provide services to us, including payroll processors, HR software providers, legal advisers, and accountants. These parties act as data processors under contract and are required to process your data securely and only for specified purposes.

We do not sell, rent, or share your personal data for marketing purposes. Any disclosure is made only where there is a clear legal, contractual, or regulatory basis for doing so.

8

How Long We Retain Your Data

We retain your personal data for as long as is necessary for the purpose for which it was collected, or as required by law. Our standard retention periods are:

CategoryRetention Period
Employee and contractor records6 years from end of employment
Payroll and financial records6 years (HMRC requirement)
SIA licence recordsDuration of engagement plus 2 years
Medical / occupational health records6 years from end of employment
Disciplinary and grievance records6 years from date of outcome
Accident and incident recordsMinimum 3 years; longer if serious
Recruitment records (unsuccessful)Up to 6 months

At the end of the applicable retention period, your personal data will be securely deleted or anonymised.

9

Your Rights Under UK GDPR

You have the following rights in relation to the personal data we hold about you:

Right of access

You may request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification

You may ask us to correct inaccurate or incomplete data.

Right to erasure

In certain circumstances, you may request that we delete your personal data.

Right to restrict processing

You may ask us to limit how we use your data while a dispute is resolved.

Right to data portability

You may request your data in a structured, machine-readable format.

Right to object

You may object to processing carried out on the basis of legitimate interests.

To exercise any of your rights, please submit a written request to the contact details in Section 12. We will respond within one calendar month.

Information Commissioner's Office (ICO)

Website: www.ico.org.uk  |  Telephone: 0303 123 1113

10

Data Security

We implement appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, disclosure, or misuse. These include:

  • Secure digital storage with access controls limited to authorised personnel
  • Password protection and encryption of sensitive files and systems
  • Physical security of any paper-based records
  • Regular review of our data handling and security practices

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and will inform you directly where required by law.

11

Changes to This Policy

We may update this Employee Privacy Policy from time to time to reflect changes in law, regulation, or our internal practices. We will notify you of any significant changes, and the current version will always be made available to you on request or via the company's internal communications.

12

Contact Us

If you have any questions about this policy, wish to exercise your data rights, or have concerns about how your personal data is being handled, please contact us:

Luxe Security Group Limited

124 City Road, London, EC1V 2NX

Email: data@theluxegroup.co.uk

This policy does not form part of any contract of employment or engagement and may be amended at any time. Luxe Security Group Limited is registered as a data controller with the Information Commissioner's Office.