INTRODUCTION
Sunrise Senior Living Ltd (“Sunrise”) and Gracewell Healthcare Ltd (“Gracewell”) (collectively “We”) provide quality private residential and assisted living services including access to nursing, respite and dementia care.
This notice describes how Sunrise and Gracewell as data controllers, collect, use and manage the Personal Data they hold about you, including how the Personal Data may be shared and how the confidentiality of Personal Data is maintained. This notice applies to all employees, workers and contractors of Sunrise and Gracewell whose Personal Data is subject to the EU General Data Protection Regulation (GDPR).
We share and process your Personal Data with certain third parties, including the Operating Companies, as described in the “Data Sharing and Transfers” section below. The Operating Companies process your Personal Data and are controllers in common with Sunrise and Gracewell. Full details of the Operating Companies can be found in the glossary at section 1.12. The information marked * below also applies in relation to processing of your Personal Data by the Operating Companies.
The “At a Glance” section contains some very important information that will help explain what Personal Data we process and why. Capitalised terms used in this notice are defined in the Annex of Personal Data Types (section 1.10) and the glossary (section 1.12).
AT A GLANCE
When we refer to Personal Data in this notice, we mean information that can or has the potential to identify you as an individual.
We will collect and process Personal Data about you at the following stages:
Stage |
Description |
When you enquire about a potential vacancy by visiting one of our websites, speaking to us over the telephone or visiting us at one of our residential homes |
|
When you submit an application for consideration and an assessment of your suitability is undertaken. This may involve collecting your Personal Data from you directly or from third parties including employment/recruitment agencies, referees, former employers and background checking authorities. |
|
Contract and ongoing employment relationship |
When you have successfully passed the vetting and on boarding process and have signed a contract of employment and during the course of your ongoing employment |
Enquiry
We will largely rely on our ‘Legitimate Interests’ to process your Personal Data with the exception of those areas marked with an (*) below where we will require your ‘Consent’.
Data Category |
Reason for Processing |
Personal Identifiers Contact Details Personal Information |
To communicate with you regarding your initial enquiry |
*Personal Identifiers *Contact Details Personal Information |
To retain your personal information and to contact you regarding future career opportunities |
Personal Identifiers Contact Details |
Internal record keeping and administration |
Application
We will largely rely on our ‘Legitimate Interests’ to process your Personal Data with the exception of those items marked with an (#) below where we will rely on ‘Compliance with a Legal Obligation’ and items marked with a (*) below where we will require your ‘Consent’. Where we process Special Category Data (marked with a (+) below) we do so to comply with obligations under employment law.
Data Category |
Reason for Processing |
Personal Identifiers Contact Details |
To communicate with you regarding your application for employment |
Personal Identifiers Contact Details Personal Information |
To assess your suitability (skills, strengths, behaviours for the role) |
*Personal Identifiers *Contact Details *Third Party Information |
To verify the information that you have provided, in particular relating to your previous work history, education and professional qualifications |
#Personal Identifiers #Contact Details Personal Information +Special Category Data |
To undertake activities needed to complete the on-boarding and screening process should your application be successful |
Contract and ongoing employment relationship
We will largely rely on ‘Contractual Necessity’ to process your Personal Data with the exception of those areas marked with an (#) below where we will rely on ‘Compliance with a Legal Obligation’
Where we process Special Category Data (marked with a (+) below) we do so to comply with obligations under employment law, to assess working capacity on health grounds or for reasons of substantial public interest.
Data Category |
Reason for Processing |
Personal Identifiers Contact Details |
General management of personnel and work activities inc. appraisals, performance management, managing disciplinary matters, grievances and terminations, planning and monitoring of training requirements and career development activities and creating and maintaining one or more internal employee directories etc |
Personal Identifiers Contact Details Personal Information Financial Information Employment Information Special Category Data Third Party Information |
To carry out our obligations and benefits to you arising from any contract inc. payroll processing, healthcare, pensions, loans, business expenses and reimbursements etc |
Personal Identifiers Contact Details Personal Information Financial Information +Special Category Data Third Party Information Other Information |
For internal audit and accounting purposes together with the preparation and review of management information |
#Personal Identifiers #Contact Details |
To comply with legal and other requirements, such as income tax and national insurance deductions, record-keeping and reporting obligations, physical access policies, conducting audits, management and resolution of health and safety matters, such as accident and insurance claims, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures |
For further details of the Personal Data types contained within each category please refer to the Annex of Personal Data Types which can be found in section 1.10
Your decision to provide any Personal Data described above to us is voluntary. In addition, we will only contact third party referees if you give consent for us to do so. If you chose not to provide any of the Personal Data requested, or do not consent to us contacting third party referees regarding your application, our ability to consider you as a candidate may be limited, we may not be able to perform your contract of employment (such as paying you or providing a benefit) and we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
If you are offered a position at Sunrise or Gracewell, you will be required to complete an application form for the Disclosure and Barring Service, and to provide a copy of any certificate conferred by the Disclosure and Barring Service to us. We are allowed to use your Personal Data in this way to carry out our legal rights and obligations in connection with employment and we have in place an appropriate policy and safeguards which are required by law to maintain when processing such Personal Data. If you fail to provide a satisfactory certificate issued by the Disclosure and Barring Service to us, this may lead to rejection of your application for employment or immediate termination of your employment if it has already commenced.
FURTHER DETAILED INFORMATION
In the usual course of business Sunrise and Gracewell may disclose your Personal Data which will include health information as recorded below (to the extent necessary) to (i) their Affiliates, and (ii) certain third-party processors Sunrise and Gracewell have retained to perform services on their behalf and pursuant to their instructions. This may include sharing with:
Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection laws.
Sunrise, Gracewell and the Operating Companies may also disclose your Personal Data (iii) if they are required to do so by law or legal process, or (iv) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Sunrise, Gracewell and the Operating Companies also reserve the right to transfer your Personal Data in the event of an audit or if they or any of their Affiliates sell or transfer all or a portion of their business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
Due to the global nature of our operations, we may transfer the Personal Data we collect about you to recipients in countries other than the country in which the Personal Data originally was collected. For example, we may disclose your Personal Data to Sunrise Senior Living, LLC and Sunrise Senior Living Management, Inc. in the U.S. and access to your Personal Data will be limited to individuals who have a need to know the Personal Data for the purposes described in this notice, and may include personnel in the HR, IT, compliance, legal, finance, accounting, internal audit, marketing and risk management functions. The Operating Companies may disclose your Personal Data to their Affiliates based in the U.S. and Canada as the case may be.
Where we or the Operating Companies transfer your Personal Data to a country which may not have the same data protection laws as the country in which you initially provided the Personal Data (such as the U.S.), each such party will protect that Personal Data as described in this Privacy Notice and will comply with applicable legal requirements providing adequate protection for the transfer of Personal Data to recipients in countries other than the one in which you provided the Personal Data. Your Personal Data will also be transferred to our third-party service providers in the U.S. We have implemented appropriate safeguards to ensure an adequate level of data protection, including by concluding data transfer agreements incorporating the European Commission’s Standard Contractual Clauses under Article 46 of the GDPR. You may contact the Data Protection Officer as indicated below to obtain further information on the transfer mechanism.
Sunrise Senior Living, LLC and its subsidiary Sunrise Senior Living Management, Inc are certified under the EU-U.S. Privacy Shield (the “Privacy Shield”) framework developed by the U.S. Department of Commerce and the European Commission respectively, regarding the transfer of personal information from the European Economic Area (“EEA”) and United Kingdom to the US.
Sunrise Senior Living, LLC commits to comply with the Privacy Shield Principles with respect to Consumer Personal Data the company receives from the EEA and United Kingdom in reliance on the Privacy Shield.
Please visit www.sunriseseniorliving.com/eu-us-privacy-shield.aspx to view our EU-US Privacy Shield Privacy Policy.
We maintain appropriate technical and organisational measures designed to protect your Personal Data against loss or accidental, unlawful or unauthorised, alteration, access, disclosure or use.
We retain Personal Data for as long as we reasonably require it for legal and business purposes. In determining data retention periods, Sunrise, Gracewell and our Operating Companies also take into consideration local laws, relevant regulations and contractual obligations.
At any point while we are in possession of or processing your Personal Data, you, the data subject, have the following rights:
All of the above requests will be forwarded on should there be a third party involved in the processing of your Personal Data.
If you would like to exercise any of your data subject rights, please contact us using one of the methods highlighted below.
If you have any questions about this notice or the processing of your Personal Data by us or any of the Operating Companies, please contact the Sunrise and Gracewell Data Protection Officer:
In the event that you wish to make a complaint about how your Personal Data is being processed by us (or third parties as described in 1.3 & 1.4 above) please contact the Data Protection Officer at the address detailed above.
If you are not satisfied with how your complaint has been handled you have the right to lodge a complaint directly with the supervisory authority at the Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel 0303 123 1113 or 01625 5457.
Data Type |
Data Items |
Personal Identifiers |
National Insurance Number NHS Number Online Identifiers (IP Address) Passport Number Immigration documents Visas |
Contact Information |
Name Address Telephone Room Number Community Name |
Personal Information |
Date of Birth Gender Marital Status Photograph Nationality |
Financial Information |
Bank Details Employment Loan Details Life Assurance Details Pension Details PMI Details Tax Details |
Employment Information |
Absence Details Employment Details (Current) Employment Details (Historic) Maternity Details Performance Details Disciplinary and grievance records Qualification and Training Details Reference Details Remuneration Details |
Special Category Data |
Ethnic Origin Health Information Race Religion Criminal records |
Third Party Information |
Children’s Details Dependent Details Guarantor Details NOK Details Reference Details Spouse Details |
You can read more about our use of cookies on our Cookies page
In relation to Sunrise, Gracewell or any Operating Company, any subsidiary or holding company of that entity and any subsidiary of a holding company of that entity.
Consent
In certain circumstances, we are required to obtain your consent to the processing of your Personal Data in relation to certain activities.
Article 4 of the GDPR states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her." In plain language, this means that:
We will keep records of the consents that we have received from you.
You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found in section 1.8.
Article 6 of the GDPR states that we can process your Personal Data on the basis that such processing is necessary in order to enter into or perform a contract with you.
The "Contractual Necessity" lawful basis permits the processing of personal data in two different scenarios:
From the point at which contract negotiations commence and throughout your stay with us we will rely on Contractual Necessity as the lawful basis for the majority of Personal Data processing activities.
Compliance with a Legal Obligation
Article 6 of the GDPR states that we can process your Personal Data on the basis that the we have a legal obligation to perform such processing. Processing is permitted if it is necessary for compliance with a legal obligation.
Article 6 of the GDPR states that we can process your Personal Data where it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of Personal Data.
Sunrise UK Operations Ltd |
Sunrise of Bagshot Sunrise of Banstead Sunrise of Bassett Sunrise of Beaconsfield Sunrise of Chorleywood Sunrise of Eastbourne Sunrise of Edgbaston Sunrise of Elstree Sunrise of Fleet Sunrise of Frognal Sunrise of Guildford Sunrise of Hale Barns Sunrise of Mobberley Sunrise of Purley Sunrise of Solihull Sunrise of Sonning Sunrise of Southbourne Sunrise of Tettenhall Sunrise of Virginia Water Sunrise of Westbourne Sunrise of Winchester |
Sunrise Operations Bramhall II Ltd |
Sunrise of Bramhall |
Sunrise Operations Cardiff Ltd |
Sunrise of Cardiff |
Sunrise Operations Esher Ltd |
Sunrise of Esher |
Sunrise Operations Weybridge Ltd |
Sunrise of Weybridge |
Sunrise Healthcare 4 Ltd |
Holding company for Shelbourne Senior Living |
Sunrise Healthcare 3 Ltd |
Sunrise of Adderbury Sunrise of Bath Sunrise of Bookham Sunrise of Camberly Sunrise of Church Crookham Sunrise of Edgbaston Sunrise of High Wycombe Sunrise of Horley Park Sunrise of Kentford Sunrise of Newbury Sunrise of Salisbury Sunrise of Sutton Sunrise of Sutton Coldfield Sunrise of Weymouth Sunrise of Woking Sunrise of Fareham |
Sunrise Healthcare 1 Ltd |
Sunrise of Frome |
Shelbourne Senior Living Ltd |
Sunrise of Sway |
Maids Moreton Operations Ltd |
Sunrise of Maids Moreton |
Bayfield Court Operations Ltd |
Sunrise of Chingford |
Sunrise Operations (Ascot) Ltd |
Sunrise of Ascot |
Gracewell Healthcare 4 Ltd |
Holding company for Shelbourne Senior Living |
Gracewell Healthcare 3 Ltd |
Gracewell of Adderbury Gracewell of Bath Gracewell of Bookham Gracewell of Camberly Gracewell of Church Crookham Gracewell of Edgbaston Gracewell of Fareham Gracewell of High Wycombe Gracewell of Horley Park Gracewell of Kentford Gracewell of Newbury Gracewell of Salisbury Gracewell of Sutton Gracewell of Sutton Coldfield Gracewell of Weymouth Gracewell of Woking |
Gracewell Healthcare 1 Ltd |
Gracewell of Frome |
Shelbourne Senior Living Ltd |
Gracewell of Sway |
Maids Moreton Operations Ltd |
Gracewell of Maids Moreton |
Bayfield Court Operations Ltd |
Gracewell of Chingford |
Gracewell Operations (Ascot) Ltd |
Gracewell of Ascot |