Karla Otto is made up of different legal entities which trade as “Karla Otto”, all of which are subsidiary undertakings of The Independents Holding Limited in the UK – CRN: 10186775 (together, “Karla Otto Group”).

This Privacy Notice is issued on behalf of Karla Otto Group, so when we mention “Karla Otto”, “Company”, “we”, “us” or “our” in this Privacy Notice, we are referring to the relevant company in Karla Otto Group responsible for processing your data.Karla Otto is part of the group of agencies comprising The Independents Group (together, “The Independents Group”).

This Privacy Notice supplements our General Privacy Notice and should be read together with it, including the Local Law Addendum and any applicable local privacy schedules made available on our website. The General Privacy Notice contains further information about our group structure, the relevant controllers, international transfers, data subject rights, local law requirements and how to contact us.

If there is any inconsistency between this Privacy Notice and the General Privacy Notice, this Privacy Notice will apply in relation to the specific processing described below, unless applicable local law requires otherwise.

The relevant Karla Otto entity responsible for the Event, the relevant client relationship or the relevant Event activity will act as controller of your personal data. Further details of the Karla Otto entities acting as controllers are set out in our General Privacy Notice.

The Independents Group and Karla Otto are committed to protecting your privacy. When you attend or participate in events we produce, support or provide services for, we may capture photos or video for event documentation, publicity, reporting and marketing purposes, and may collect contact data if you register, sign up or otherwise provide information at the Event. We use this information for event management, operational communications, compliance, reporting and, where permitted by applicable law, marketing and future updates. Your privacy rights are respected and you can object to certain processing or withdraw consent where processing is based on consent.

Find out more below, or contact our Group Data Protection Officer with any concerns at DPO@the-independents.com.

This Privacy Notice has been issued to identify and explain the ways in which Karla Otto and other members of The Independents Group may collect, use, store, share and process your personal data in respect of our production and creation services relating to client events, fashion shows and shoots, film shoots and sets, exhibitions, stores or other location-specific brand communication or marketing events (each, an “Event”).

We do not ordinarily collect extensive personal data in connection with our Event production and creation services. However, depending on the nature of the Event and our role, we may process limited personal data, including in the following ways:

• Recording or capturing images of the Event, which may include images of guests, hosts, clients and vendors.
• Guest list information either provided to us by clients or third party vendors engaged for such services, or by us to the extent we are engaged for such services.
• Personal data collected via sign-ups available at Events, including QR Codes at Events.

We may capture photographs, video or other recordings of the Event, which may include images of guests, hosts, clients, talent, vendors and other attendees. We use this material for Event documentation, reporting, publicity, social media, internal records and marketing, where permitted by applicable law.

Where photography, filming or recording takes place at an Event, we or our clients will normally provide signage or other notices. For crowd, atmosphere or incidental imagery, we generally rely on legitimate interests, unless consent is required by applicable law. Where an individual is featured prominently, interviewed, contracted as talent or otherwise engaged to participate in content, we may use consent, release forms, contractual terms or another appropriate lawful basis. If you do not wish to be photographed or recorded, please speak to an Event staff member or contact us in advance, and we will do our best to accommodate your request where reasonably practicable.

We do not use Event images or recordings for biometric identification or facial recognition unless we notify you separately and do so in accordance with applicable law.

We may be provided with guest, attendee or vendor list details, which are ordinarily limited to basic contact and attendance information, such as name, organisation, role, email address, telephone number, attendance status and any information required for Event access, security, seating, accreditation or logistics. Where another member of The Independents Group, a client, venue, front-of-house provider, event partner or other third party is separately responsible for collecting or processing your personal data, their own privacy notice may also apply.

We may also collect personal data you provide voluntarily via sign-ups available at an Event, whether via a QR Code or otherwise, including:

• Contact Information: name, email, phone number (if provided).
• Device and Usage Data: IP address, device type, operating system, QR Code scan timestamp.
• Optional Information: any additional data you provide during sign-up.

We do not intentionally collect special category data, sensitive personal data or sensitive personal information unless it is necessary for the Event or you choose to provide it, for example dietary requirements, accessibility requirements, health and safety information, identification details or security/access information. Where applicable law requires consent or separate consent for this processing, we will obtain it.

Where children or minors attend or participate in an Event, shoot, production or campaign, we will process their personal data only where necessary and with appropriate safeguards. Where required, we will obtain consent from a parent, guardian, agent or authorised representative and will limit collection to what is necessary for attendance, safeguarding, production, travel, payment, compliance or contractual purposes.

The majority of our personal data processing activities are ancillary to the services we provide to our clients in relation to the production and creation of their Events. In most circumstances, we do not actively collect or process personal data. Where personal data is processed, and in the absence of any specific consent, such processing is carried out on the basis of contractual necessity and/or our legitimate interests, in compliance with the GDPR.

Where we operate Event registration, sign-ups, QR codes or similar forms, we will identify the purposes of collection at the point of collection. We rely on different lawful bases depending on the purpose. We generally rely on legitimate interests, contractual necessity and/or legal obligations for Event registration, attendance management, operational communications, access control, security, logistics, reporting and client service delivery. We rely on consent, explicit consent or separate consent where required by applicable law, including for optional marketing communications, certain cookies or tracking technologies, certain sharing with clients for their own marketing purposes, and processing of sensitive information where consent is required.

Purpose 1
Event registration, RSVP and attendance management

Personal Data: Name, contact details, organisation, role, attendance status, QR/sign-up data

Lawful Bias: Legitimate interests; performance of contract; consent where required

Purpose 2
Event access, security, accreditation and logistics

Personal Data: Identity, contact, attendance, accreditation, access, guest list and security information

Lawful Bias: Legitimate interests; legal obligation; performance of contract

Purpose 3
Event photography, filming and documentation

Personal Data: Images, video, audio and likeness

Lawful Bias: Legitimate interests; consent where required; contractual necessity for featured talent/contributors

Purpose 4
Event reporting and client service delivery

Personal Data: Attendance, engagement, event outcomes, non-sensitive reporting data

Lawful Bias: Legitimate interests; performance of contract

Purpose 5
Dietary, allergy, accessibility, health and safety or travel/accommodation arrangements

Personal Data: Dietary, allergy, accessibility, health/safety, passport/travel/accommodation data

Lawful Bias: Legitimate interests; performance of contract; legal obligation; explicit/separate consent where required

Purpose 6
Marketing and future invitations

Personal Data: Contact details, preferences, engagement history

Lawful Bias: Consent where required; legitimate interests for permitted B2B marketing; soft opt-in where applicable

Where you sign up for an Event, submit information via a QR Code or registration form, or opt in to receive marketing communications, we may process your personal data on the basis of your consent where consent is required by applicable law. You may withdraw your consent at any time by clicking the unsubscribe link in our emails or by contacting DPO@the-independents.com.

Withdrawing consent will not affect the lawfulness of processing carried out before consent was withdrawn. In some cases, we may still process the minimum personal data necessary to manage the Event, maintain suppression records, comply with legal obligations, protect our rights or ensure security, where permitted by applicable law.

Where we process personal data in connection with Event photography, filming, Event operations, attendance management, security, reporting or client service delivery, we generally rely on our legitimate interests, contractual necessity, legal obligations or other lawful grounds available under applicable law, unless consent is required.

Marketing communications are optional. Where required by applicable law, we will only send marketing communications, or share your details with a client for their own marketing purposes, if you have opted in or otherwise consented. Where your details may be shared with a client for their own marketing purposes, we will identify the relevant client at or before the point of collection where required by applicable law. You can unsubscribe at any time using the link provided in our emails or by contacting DPO@the-independents.com.

We do not sell or rent your personal data.

Where necessary for the relevant Event, we may share limited personal data with clients, venues, event partners, front-of-house providers, security providers, logistics providers, photographers, videographers, production teams, mailing companies, travel providers and other suppliers involved in operating, documenting or administering the Event.

We may also share personal data with third-party service providers and platforms providing IT, hosting, CRM, database, email marketing, analytics, registration, ticketing, event administration and related services, including platforms such as Launchmetrics or Mailchimp where applicable.

We may disclose personal data to professional advisers, regulators, public authorities or other persons where required or permitted by law.

Where we disclose personal data to third parties, we take appropriate steps designed to ensure that such persons respect the security of your personal data and process it in accordance with applicable data protection laws.

We do not share full VIP, talent, influencer or guest databases with clients or third parties as a matter of course. Where we share names, guest list details, contact details, dietary/accessibility information, travel details, images or other Event information, we do so only where necessary for the relevant Event, campaign, booking, logistics, reporting or client service purpose and on a need-to-know basis.

Because we operate as part of an international group, your personal data may be accessed by or transferred to Karla Otto Group, The Independents Group, clients, event partners, venues, service providers and other relevant third parties in jurisdictions outside your country of residence, including the UK, EEA, United States, Hong Kong, Singapore, Korea, PRC / Mainland China and other countries in which we or our service providers operate.

Where we transfer personal data internationally, we take steps designed to ensure appropriate protection in accordance with applicable law. These may include adequacy decisions, EU Standard Contractual Clauses, UK-approved transfer mechanisms, transfer impact assessments, contractual safeguards, consent where required, local filings or assessments where required, or other lawful transfer mechanisms.

More information about international transfers is set out in our General Privacy Notice and Local Law Addendum.

We retain your personal data only for as long as reasonably necessary for the purposes for which it was collected, including Event management, attendance records, guest list administration, photography and filming, reporting, marketing, compliance, legal, audit and dispute purposes.

In general:

• Event registration, guest list and attendance information is retained for the duration of the relevant Event and for a reasonable period afterwards for Event administration, reporting, audit, legal and relationship management purposes.
• Event sign-up and follow-up data is typically retained for up to 2 years after the relevant Event, unless you continue to engage with us, consent to further communications, or a longer period is required or permitted by law.
• Images and recordings are retained for as long as reasonably necessary for Event documentation, publicity, reporting, archive, marketing and legitimate business purposes, unless you object and we are required or able to comply.
• Marketing contact data is retained until you unsubscribe, opt out or object, after which we may retain limited suppression details to ensure we respect your preferences.
• Usage, device and QR Code data is retained for as long as necessary for analytics, security, reporting and Event administration purposes, and is then deleted or anonymised.
• Records required for legal, tax, accounting, audit, insurance, regulatory or dispute purposes may be retained for longer where required or permitted by law.

When personal data is no longer required, we will delete it, anonymise it or securely archive it in accordance with our policies and applicable law. Further details are set out in our Data Retention Policy, available on request.

Depending on your location, you may have rights to:

• Access your personal data.
• Correct incomplete or inaccurate data.
• Request deletion of your data where no legal obligation exists to retain it.
• Object to processing based on legitimate interests or profiling.
• Request restriction of processing.

Further details of your rights, including any additional rights available under applicable local law, are set out in our General Privacy Notice, Local Law Addendum and any applicable local privacy schedule.

To exercise your rights, contact us at DPO@the-independents.com. We aim to respond within one month or within such other timeframe as required by applicable law and may charge a reasonable fee if requests are unfounded or excessive.

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss or disclosure. Access is limited to personnel with a business need to know, and third-party processors are bound by confidentiality obligations.

We may update this Privacy Notice from time to time. Updates will be posted on our website with the effective date. Please check regularly for changes.

For questions regarding this Privacy Notice or to exercise your rights, contact us at DPO@the-independents.com

If you are located in the European Economic Area (EEA), the United Kingdom or Switzerland, you have the right to make a complaint at any time to your local data protection supervisory authority.

For example, you may contact:

-The UK Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/ ; or

-The French Commission Nationale de l’Informatique et des Libertés (CNIL): https://www.cnil.fr/en/contact-cnil

A list of EU/EEA Data Protection Authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en.

We would, however, appreciate the chance to address your concerns before you approach a supervisory authority, so please contact us in the first instance at DPO@the-independents.com.

Updated: 16 January 2026