Donate
Donate

Scarborough Wellness CIC - General Data Protection Regulation (GDPR) Policy and Procedures

1. Introduction

Scarborough Wellness is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all relevant guidance issued by the Information Commissioner’s Office (ICO).

This policy outlines our responsibilities and the procedures we follow to ensure the lawful, fair, and transparent processing of personal data of clients, staff, volunteers, and other stakeholders.

2. Purpose

The purpose of this policy is to:

  • Ensure compliance with data protection legislation.

  • Outline how personal data is collected, processed, stored, and disposed of.

  • Protect the rights and freedoms of individuals whose personal data we hold.

  • Establish accountability for the proper handling of personal information within Scarborough Wellness.

3. Scope

This policy applies to:

  • All employees, volunteers, contractors, session facilitators, session participants and trustees.

  • All personal data processed by Scarborough Wellness, whether digital, paper-based, or otherwise recorded.

4. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.

  • Special Category Data: Sensitive personal data such as health information, ethnicity, religion, or sexual orientation.

  • Data Subject: The individual whose personal data is being processed.

  • Data Controller: Scarborough Wellness CIC, which determines how and why personal data is processed.

  • Data Processor: A third party who processes data on behalf of the Data Controller.

  • Processing: Any operation carried out on personal data, including collection, storage, use, or destruction.

5. Cookies:

The website uses cookies to help personalise your online experience. By accessing Scarborough Wellness CIC website, you agreed to use the required cookies.

A cookie is a text file that is placed on your hard disc by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.

We may use cookies to collect, store, and track information for statistical or marketing purposes to operate our website. You have the ability to accept or decline optional cookies. There are some required cookies that are necessary for the operation of our website. These cookies do not require your consent, as they always work. Please keep in mind that by accepting required cookies, you also accept third-party cookies, which might be used via third-party provided services if you use such services on our website, for example, a video display window provided by third parties and integrated into our website.

Personal information we collect:

When you visit Scarborough Wellness CIC website, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the installed cookies on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products you view, what websites or search terms referred you to the Site, and how you interact with the Site. We refer to this automatically-collected information as “device information". Moreover, we might collect the personal data you provide to us (including but not limited to name, surname, address, payment information, etc.) during registration to be able to fulfil the agreement.

Why do we process your data?

Our top priority is customer data security, and, as such, we may process only minimal user data, only as much as it is absolutely necessary to maintain the website. Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding website usage. This statistical information is not otherwise aggregated in such a way that it would identify any particular user of the system.

You can visit the website without telling us who you are or revealing any information by which someone could identify you as a specific, identifiable individual. If, however, you wish to use some of the website’s features, or you wish to receive our newsletter or provide other details by filling out a form, you may provide personal data to us, such as your email, first name, last name, city of residence, organisation, and telephone number. You can choose not to provide us with your personal data, but then you may not be able to take advantage of some of the website’s features. For example, you won’t be able to receive our newsletter or contact us directly from the website. Users who are uncertain about what information is mandatory are welcome to contact us via contact@scarboroughwellness.com

6. Principles of Data Protection

Scarborough Wellness CIC adheres to the data protection principles set out in the UK GDPR. Personal data shall be:

  1. Processed lawfully, fairly, and transparently.

  1. Collected for specified, explicit, and legitimate purposes.

  1. Adequate, relevant, and limited to what is necessary.

  1. Accurate and kept up to date.

  1. Retained only for as long as necessary.

  1. Processed in a manner that ensures appropriate security.

7. Lawful Basis for Processing

Scarborough Wellness CIC processes personal data under one or more of the following lawful bases:

  • Consent from the data subject.

  • Performance of a contract or agreement.

  • Compliance with a legal obligation.

  • Protection of vital interests.

  • Legitimate interests pursued by the organisation (provided these do not override individual rights).

8. Rights of Data Subjects

Individuals have the following rights under the UK GDPR:

  • The right to be informed about how their data is used.

  • The right of access to their personal data.

  • The right to rectification of inaccurate data.

  • The right to erasure (‘right to be forgotten’) in certain circumstances.

  • The right to restrict processing.

  • The right to data portability.

  • The right to object to processing.

  • Rights related to automated decision-making and profiling (not used by Scarborough Wellness).

9. Data Collection and Use

Scarborough Wellness CIC collects personal data for purposes including:

  • Service provision and wellness session management.

  • Communication with clients and stakeholders.

  • Health and safety compliance.

  • Safeguarding and risk management.

  • Monitoring and evaluating services.

  • Marketing (with appropriate consent).

We only collect information that is necessary for these purposes and ensure data is used appropriately and confidentially.

10. Consent

Where consent is the lawful basis for processing, it must be:

  • Freely given, specific, informed, and unambiguous.

  • Obtained through clear affirmative action (e.g., opt-in forms).

  • Withdrawable at any time by the data subject.

11. Data Storage and Security

  • All digital data is stored securely on password-protected systems.

  • Paper records are digitalised when appropriate, scans of original paper forms are made, then the paper form is either destroyed or kept in locked storage with restricted access.

  • Special category data (e.g., health information) is subject to additional safeguards.

  • Staff and volunteers are trained in data protection practices and confidentiality.

12. Data Retention

Personal data will be retained only as long as is necessary for the purposes for which it was collected, in accordance with our Data Retention Schedule. After this period, data will be securely destroyed or anonymised.

13. Data Sharing

Personal data may be shared with trusted third parties, such as:

  • Partner health and social care providers.

  • Funding and reporting bodies (in anonymised or consented form).

  • Emergency services (where necessary for safety or safeguarding).

We ensure all third-party processors comply with UK GDPR and have data processing agreements in place.

14. Data Breach Procedure

In the event of a personal data breach:

  • It will be reported immediately to the designated Data Protection Lead.

  • A full assessment will be carried out to determine the nature and extent of the breach.

  • If the breach poses a risk to individuals’ rights and freedoms, the ICO will be notified within 72 hours.

  • Affected individuals will be informed if there is a high risk of impact to their privacy.

15. Data Protection Lead

The designated Data Protection Lead for Scarborough Wellness is responsible for ensuring compliance with this policy, providing guidance, and acting as the main point of contact for data protection matters.

Contact Information:

  • Data Protection Lead: Daniel Le Fey Holmes & Kate Stancombe

  • Email: daniel@scarboroughwellness.com

  • Email: kate@scarboroughwellness.com

16. Training and Awareness

All staff, volunteers, and contractors will receive training on data protection, confidentiality, and information security. Ongoing awareness will be promoted through regular updates and reviews.

17. Policy Review

This policy will be reviewed annually or earlier if:

  • There are changes in data protection legislation.

  • Organisational changes affect data handling practices.

  • An audit or breach indicates the need for improvement.

Policy verified: 19/03/26 by D Le Fey Holmes & K Stancombe

Review: March 2027

For The Latest Updates

contact@scarboroughwellness.com

Email

Copyright SWCIC 2026

Funded & Sponsored By

Privacy Policy
Terms & Conditions