Sample: GDPR Privacy Policy

1. Introduction

Sunrise Community Support ("the Organisation", "we", "us", or "our") is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines how we collect, use, store, and protect personal information.

We use your personal data to provide and improve our services. By using our services, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Interpretation and Definitions

2.1 Interpretation

Words with initial capital letters have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or plural.

2.2 Definitions

For the purposes of this Privacy Policy:

• "Data Controller" refers to Sunrise Community Support as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
• "Data Processor" means any natural or legal person who processes the data on behalf of the Organisation.
• "Personal Data" means any information relating to an identified or identifiable individual, including name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.
• "Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
• "Service User" means the individual accessing or using our services, or the legal entity on behalf of which such individual is accessing our services.
• "Processing" means any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

3. Data Controller

Sunrise Community Support is the data controller responsible for your personal data. Our registered charity number is 1234567. Our registered address is 45 High Street, Manchester, M1 4BT. For data protection enquiries, contact our Data Protection Lead at privacy@sunrisesupport.org.uk or telephone 0161 555 0123.

4. Information We Collect

4.1 Personal Data

We may collect and process the following categories of personal data:

• Identity Data: Name, title, date of birth, gender, photographic identification, National Insurance number (where required)
• Contact Data: Home address, email address, telephone numbers, emergency contact details
• Service Data: Information relating to services provided, support needs, care plans, case notes, assessments, and outcomes
• Financial Data: Bank account details for direct debits, donation history, Gift Aid declarations, payment records
• Employment/Volunteer Data: CV, references, DBS check information, training records, performance data
• Technical Data: IP address, browser type, device information when using our website

4.2 Special Category Data

Where relevant to service provision, we may process special category data including:

• Health information and medical records
• Religious beliefs (for dietary or cultural requirements)
• Ethnic origin (for equality monitoring)
• Sexual orientation (where relevant to support needs)

Special category data is processed only where we have explicit consent or where processing is necessary for the provision of health or social care services.

4.3 How We Collect Data

We collect personal data through:

• Direct interactions: application forms, referral forms, correspondence, telephone calls
• Third parties: referrals from local authorities, NHS, other agencies (with your consent)
• Automated technologies: cookies on our website
• Publicly available sources: Companies House, Charity Commission

5. How We Use Your Data

We use personal data for the following purposes:

• To provide and maintain our services to you
• To manage your registration and account
• To perform our contractual obligations
• To contact you regarding service updates, appointments, and important notices
• To process donations and Gift Aid claims
• To comply with safeguarding and regulatory requirements
• To monitor and improve our services
• To produce anonymised statistical reports for funders
• To manage staff and volunteer relationships
• To handle complaints and enquiries

6. Lawful Basis for Processing

We process personal data under the following lawful bases:

• Consent: Where you have given clear consent for us to process your data for a specific purpose. You may withdraw consent at any time by contacting us.
• Contract: Where processing is necessary for the performance of a service agreement with you, or to take steps at your request before entering into a contract.
• Legal Obligation: Where we must comply with statutory requirements, including safeguarding duties, health and safety law, and Charity Commission requirements.
• Legitimate Interests: Where processing is necessary for our legitimate interests (such as preventing fraud, maintaining security, or improving services) and does not override your fundamental rights and freedoms.
• Vital Interests: In emergency situations to protect someone's life or safety.
• Public Interest: Where processing is necessary for the exercise of official functions or tasks in the public interest.

7. Data Sharing

7.1 Who We Share Data With

We may share your personal data with:

• Service Providers: Third parties who help us deliver services (IT providers, payment processors)
• Referral Agencies: Local authorities, NHS, and partner organisations (with your consent)
• Regulators: Charity Commission, CQC, Ofsted, ICO as required
• Professional Advisers: Auditors, legal advisers, insurance providers
• Funders: Anonymised data for monitoring and reporting

7.2 Safeguarding Disclosures

We may disclose personal data without consent where there is a safeguarding concern involving risk to a child or vulnerable adult, in accordance with our Safeguarding Policy and statutory guidance.

7.3 Legal Disclosures

We may disclose personal data where required by law or in response to valid requests by public authorities, including to:

• Comply with a legal obligation
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing
• Protect the personal safety of service users or the public
• Protect against legal liability

8. International Transfers

We do not routinely transfer personal data outside the United Kingdom. Where any transfer is necessary (for example, cloud storage providers), we ensure appropriate safeguards are in place, including UK GDPR-compliant Standard Contractual Clauses or adequacy decisions.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements. Retention periods are determined based on the nature of the data and the purposes for processing.

Our standard retention periods are:

• Service user records: 7 years following end of service provision
• Safeguarding records: 75 years or as required by statutory guidance
• Financial records: 7 years
• Employee records: 6 years after employment ends
• Volunteer records: 6 years after volunteering ends
• Unsuccessful job applications: 6 months
• CCTV footage: 30 days unless required for investigation

10. Your Rights

Under UK GDPR, you have the following rights:

• Right of Access (Subject Access Request): Request a copy of your personal data. We will respond within one month. There is no fee for reasonable requests.
• Right to Rectification: Request correction of inaccurate or incomplete data. We will respond within one month.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data where there is no compelling reason for continued processing. This right does not apply where we have a legal obligation to retain data.
• Right to Restrict Processing: Request limitation of how we use your data while we verify accuracy or consider objections.
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
• Right to Object: Object to processing based on legitimate interests or direct marketing. We will stop processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that significantly affect you, unless authorised by law or based on explicit consent.

To exercise any of these rights, contact our Data Protection Lead at privacy@sunrisesupport.org.uk. We may need to verify your identity before processing your request.

11. Data Security

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Password protection and multi-factor authentication
• Role-based access controls
• Regular security assessments and penetration testing
• Staff training on data protection
• Secure disposal of paper records
• Regular backups and disaster recovery procedures

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.

12. Data Breaches

In the event of a personal data breach, we will notify the Information Commissioner's Office within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk, we will inform affected individuals without undue delay. We maintain a breach register and review incidents to prevent recurrence.

13. Cookies

Our website uses cookies to distinguish you from other users and improve your experience. Cookies are small files placed on your device. You can instruct your browser to refuse all cookies or indicate when a cookie is sent. However, some features may not function properly without cookies.

We use the following types of cookies:

• Essential Cookies: Required for the website to function
• Analytics Cookies: Help us understand how visitors use our site
• Functionality Cookies: Remember your preferences

14. Children's Privacy

Where we provide services to children under 13, we obtain consent from a parent or guardian before collecting personal data. We process children's data in accordance with the ICO's Age Appropriate Design Code and our Safeguarding Policy.

15. Links to Other Websites

Our website may contain links to other sites not operated by us. If you click a third-party link, you will be directed to that site. We advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content or practices of any third-party sites.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on our website and updating the "Effective Date" at the top. Where changes are significant, we will notify you directly by email or prominent notice. You are advised to review this policy periodically.

17. Contact and Complaints

If you have questions about this policy or wish to exercise your rights, contact our Data Protection Lead:

• Email: privacy@sunrisesupport.org.uk
• Post: Data Protection Lead, Sunrise Community Support, 45 High Street, Manchester, M1 4BT
• Telephone: 0161 555 0123

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated:

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF