INTRODUCTION

Sunrise Senior Living Ltd (“Sunrise”) and Gracewell Healthcare Ltd (“Gracewell”) (collectively “We”) provide quality private residential and assisted living services including access to nursing, respite and dementia care.

This notice describes how Sunrise and Gracewell, as data controllers, collect, use and manage the Personal Data they hold about you, including how the Personal Data may be shared and how the confidentiality of Personal Data is maintained. This notice applies to all employees, workers and contractors of Sunrise and Gracewell whose Personal Data is subject to the EU General Data Protection Regulation (GDPR).

We share and process your Personal Data with certain third parties, including the Operating Companies, as described in the “Data Sharing and Transfers” section below. The Operating Companies process your Personal Data and are controllers in common with Sunrise and Gracewell. Full details of the Operating Companies can be found in the glossary at section 1.12. The information marked * below also applies in relation to processing of your Personal Data by the Operating Companies.

The “At a Glance” section contains some very important information that will help explain what Personal Data we process and why. Capitalised terms used in this notice are defined in the Annex of Personal Data Types (section 1.10) and the glossary (section 1.12).

AT A GLANCE

  1.1 When do we collect Personal Data about you? *

When we refer to Personal Data in this notice, we mean information that can or has the potential to identify you as an individual.

We will collect and process Personal Data about you at the following stages:

| Stage | Description |
|---|---|
| Enquiry | When you enquire about a potential vacancy by visiting one of our websites, speaking to us over the telephone or visiting us at one of our residential homes |
| Application | When you submit an application for consideration and an assessment of your suitability is undertaken. This may involve collecting your Personal Data from you directly or from third parties including employment/recruitment agencies, referees, former employers and background checking authorities. |
| Contract and ongoing employment relationship | When you have successfully passed the vetting and on-boarding process and have signed a contract of employment and during the course of your ongoing employment |

  1.2 What Personal Data may we collect from you and why?

Enquiry

We will largely rely on our ‘Legitimate Interests’ to process your Personal Data with the exception of those areas marked with an (*) below where we will require your ‘Consent’.

| Data Category | Reason for Processing |
|---|---|
| Personal Identifiers; Contact Details; Personal Information | To communicate with you regarding your initial enquiry |
| *Personal Identifiers; *Contact Details; Personal Information | To retain your personal information and to contact you regarding future career opportunities |
| Personal Identifiers; Contact Details | Internal record keeping and administration |

Application

We will largely rely on our ‘Legitimate Interests’ to process your Personal Data with the exception of those items marked with an (#) below where we will rely on ‘Compliance with a Legal Obligation’ and items marked with a (*) below where we will require your ‘Consent’. Where we process Special Category Data (marked with a (+) below) we do so to comply with obligations under employment law.

| Data Category | Reason for Processing |
|---|---|
| Personal Identifiers; Contact Details | To communicate with you regarding your application for employment |
| Personal Identifiers; Contact Details; Personal Information | To assess your suitability (skills, strengths, behaviours for the role) |
| *Personal Identifiers; *Contact Details; *Third Party Information | To verify the information that you have provided, in particular relating to your previous work history, education and professional qualifications |
| #Personal Identifiers; #Contact Details; Personal Information; +Special Category Data | To undertake activities needed to complete the on-boarding and screening process should your application be successful |

Contract and ongoing employment relationship

We will largely rely on ‘Contractual Necessity’ to process your Personal Data with the exception of those areas marked with an (#) below where we will rely on ‘Compliance with a Legal Obligation’.

Where we process Special Category Data (marked with a (+) below) we do so to comply with obligations under employment law, to assess working capacity on health grounds or for reasons of substantial public interest.

| Data Category | Reason for Processing |
|---|---|
| Personal Identifiers; Contact Details | General management of personnel and work activities inc. appraisals, performance management, managing disciplinary matters, grievances and terminations, planning and monitoring of training requirements and career development activities and creating and maintaining one or more internal employee directories etc. |
| Personal Identifiers; Contact Details; Personal Information; Financial Information; Employment Information; Special Category Data; Third Party Information | To carry out our obligations and benefits to you arising from any contract inc. payroll processing, healthcare, pensions, loans, business expenses and reimbursements etc. |
| Personal Identifiers; Contact Details; Personal Information; Financial Information; +Special Category Data; Third Party Information; Other Information | For internal audit and accounting purposes together with the preparation and review of management information |
| #Personal Identifiers; #Contact Details | To comply with legal and other requirements, such as income tax and national insurance deductions, record-keeping and reporting obligations, physical access policies, conducting audits, management and resolution of health and safety matters, such as accident and insurance claims, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures |

For further details of the Personal Data types contained within each category, please refer to the Annex of Personal Data Types, which can be found in section 1.10.

Your decision to provide any Personal Data described above to us is voluntary. In addition, we will only contact third party referees if you give consent for us to do so. If you choose not to provide any of the Personal Data requested, or do not consent to us contacting third party referees regarding your application, our ability to consider you as a candidate may be limited, we may not be able to perform your contract of employment (such as paying you or providing a benefit) and we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

If you are offered a position at Sunrise or Gracewell, you will be required to complete an application form for the Disclosure and Barring Service, and to provide a copy of any certificate conferred by the Disclosure and Barring Service to us. We are allowed to use your Personal Data in this way to carry out our legal rights and obligations in connection with employment and we have in place an appropriate policy and safeguards which we are required by law to maintain when processing such Personal Data. If you fail to provide a satisfactory certificate issued by the Disclosure and Barring Service to us, this may lead to rejection of your application for employment or immediate termination of your employment if it has already commenced.

FURTHER DETAILED INFORMATION

  1.3 Data sharing and transfers *

In the usual course of business Sunrise and Gracewell may disclose your Personal Data which will include health information as recorded below (to the extent necessary) to (i) their Affiliates, and (ii) certain third-party processors Sunrise and Gracewell have retained to perform services on their behalf and pursuant to their instructions. This may include sharing with:

  • Sunrise Senior Living, LLC (US) and Sunrise Senior Living Management, Inc for the provision and delivery of services, IT application support, internal audit reviews and investigations, quality assurance, program monitoring, management reporting and other internal purposes.
  • Operating Companies to deal with any legal and compliance matters (including compliance with any matters relating to the Care Quality Commission), for record keeping, internal audit, reviews, management information, operational, administrative and reporting purposes. Full details of the Operating Companies can be found in the glossary. The Operating Companies may disclose your Personal Data to their Affiliates, including those based in the U.S. and Canada, as the case may be.
  • business partners, suppliers and sub-contractors for the provision of the contracted services,
  • organisations providing IT systems support and hosting in relation to the IT systems on which your Personal Data is stored,
  • third party debt collectors for the purposes of debt collection,
  • delivery companies for the purposes of transportation,
  • third party service providers who perform services on our behalf based on our instructions, for instance, for the purposes of storage of Personal Data and confidential destruction, for the purposes of providing background checking, payroll and benefits services. We do not authorise these service providers to use or disclose the Personal Data except as necessary to perform services on our behalf or comply with applicable legal obligations.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection laws.

Sunrise, Gracewell and the Operating Companies may also disclose your Personal Data (iii) if they are required to do so by law or legal process, or (iv) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Sunrise, Gracewell and the Operating Companies also reserve the right to transfer your Personal Data in the event of an audit or if they or any of their Affiliates sell or transfer all or a portion of their business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).

  1.4 Third Country Data Transfer

Due to the global nature of our operations, we may transfer the Personal Data we collect about you to recipients in countries other than the country in which the Personal Data originally was collected. For example, we may disclose your Personal Data to Sunrise Senior Living, LLC and Sunrise Senior Living Management, Inc. in the U.S. and access to your Personal Data will be limited to individuals who have a need to know the Personal Data for the purposes described in this notice, and may include personnel in the HR, IT, compliance, legal, finance, accounting, internal audit, marketing and risk management functions. The Operating Companies may disclose your Personal Data to their Affiliates based in the U.S. and Canada as the case may be.

Where we or the Operating Companies transfer your Personal Data to a country which may not have the same data protection laws as the country in which you initially provided the Personal Data (such as the U.S.), each such party will protect that Personal Data as described in this Privacy Notice and will comply with applicable legal requirements providing adequate protection for the transfer of Personal Data to recipients in countries other than the one in which you provided the Personal Data. Your Personal Data will also be transferred to our third-party service providers in the U.S. We have implemented appropriate safeguards to ensure an adequate level of data protection, including by concluding data transfer agreements incorporating the European Commission’s Standard Contractual Clauses under Article 46 of the GDPR. You may contact the Data Protection Officer as indicated below to obtain further information on the transfer mechanism.

  1.5 How we protect your Personal Data

We maintain appropriate technical and organisational measures designed to protect your Personal Data against loss or accidental, unlawful or unauthorised alteration, access, disclosure or use.

  1.6 Retention period

We retain Personal Data for as long as we reasonably require it for legal and business purposes. In determining data retention periods, Sunrise, Gracewell and our Operating Companies also take into consideration local laws, relevant regulations and contractual obligations.

  1.7 Your rights as a data subject

At any point while we are in possession of or processing your Personal Data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the Personal Data that we hold about you. Sunrise, Gracewell and our Operating Companies reserve the right to charge a reasonable fee based on our or their administration costs where further copies are requested.
  • Right of rectification – you have the right to correct Personal Data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the Personal Data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply you have the right to request that we restrict the processing.
  • Right of portability – in certain circumstances you have the right to have the Personal Data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing and profiling

All of the above requests will be forwarded on should there be a third party involved in the processing of your Personal Data.

If you would like to exercise any of your data subject rights, please contact us using one of the methods highlighted below.

  1.8 Contact Information

If you have any questions about this notice or the processing of your Personal Data by us or any of the Operating Companies, please contact the Sunrise and Gracewell Data Protection Officer:

  • By email at dpo@sunriseseniorliving.com
  • By writing to us at Data Protection Officer, Sunrise House, Post Office Lane, Beaconsfield, Buckinghamshire HP9 1FN

  1.9 Complaints

In the event that you wish to make a complaint about how your Personal Data is being processed by us (or third parties as described in 1.3 & 1.4 above) please contact the Data Protection Officer at the address detailed above.

If you are not satisfied with how your complaint has been handled you have the right to lodge a complaint directly with the supervisory authority at the Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel 0303 123 1113 or 01625 5457.

  1.10 Personal data types & items

| Data Type | Data Items |
|---|---|
| Personal Identifiers | National Insurance Number; NHS Number; Online Identifiers (IP Address); Passport Number; Immigration documents; Visas |
| Contact Information | Name; Address; Email; Telephone; Room Number; Community Name |
| Personal Information | Date of Birth; Gender; Marital Status; Photograph; Nationality |
| Financial Information | Bank Details; Employment Loan Details; Life Assurance Details; Pension Details; PMI Details; Tax Details |
| Employment Information | Absence Details; Employment Details (Current); Employment Details (Historic); Maternity Details; Performance Details; Disciplinary and grievance records; Qualification and Training Details; Reference Details; Remuneration Details |
| Special Category Data | Ethnic Origin; Health Information; Race; Religion; Criminal records |
| Third Party Information | Children’s Details; Dependent Details; Guarantor Details; NOK Details; Reference Details; Spouse Details |

  1.11 Use of cookies

You can read more about our use of cookies on our Cookies page.

  1.12 Glossary

Affiliate

In relation to Sunrise, Gracewell or any Operating Company, any subsidiary or holding company of that entity and any subsidiary of a holding company of that entity.

Consent

In certain circumstances, we are required to obtain your consent to the processing of your Personal Data in relation to certain activities.

Article 4 of the GDPR states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her." In plain language, this means that:

  • you have to give us your consent freely;
  • you have to know what you are consenting to;
  • you should have choice over which processing activities you consent to and which you don’t; and
  • you need to take positive and affirmative action in giving us your consent

We will keep records of the consents that we have received from you.

You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found in section 1.8.

Contractual Necessity

Article 6 of the GDPR states that we can process your Personal Data on the basis that such processing is necessary in order to enter into or perform a contract with you.

The "Contractual Necessity" lawful basis permits the processing of personal data in two different scenarios:

  • Situations in which processing is necessary for the performance of a contract to which you, the data subject, are a party. This may include, for example, processing your health details for the provision of residential care.

  • Situations that take place prior to entering into a contract such as pre-contractual relations. For example, a formal review of the health confirmation collected during the care package assessment to determine the level of care required and the associated residential costs.

From the point at which contract negotiations commence and throughout your stay with us we will rely on Contractual Necessity as the lawful basis for the majority of Personal Data processing activities.

Compliance with a Legal Obligation

Article 6 of the GDPR states that we can process your Personal Data on the basis that we have a legal obligation to perform such processing. Processing is permitted if it is necessary for compliance with a legal obligation.

Legitimate Interests

Article 6 of the GDPR states that we can process your Personal Data where it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of Personal Data.

Operating Companies

  • Sunrise UK Operations Ltd – Sunrise of Bagshot, Sunrise of Banstead, Sunrise of Bassett, Sunrise of Beaconsfield, Sunrise of Chorleywood, Sunrise of Eastbourne, Sunrise of Edgbaston, Sunrise of Elstree, Sunrise of Fleet, Sunrise of Frognal, Sunrise of Guildford, Sunrise of Hale Barns, Sunrise of Mobberley, Sunrise of Purley, Sunrise of Solihull, Sunrise of Sonning, Sunrise of Southbourne, Sunrise of Tettenhall, Sunrise of Virginia Water, Sunrise of Westbourne, Sunrise of Winchester
  • Sunrise Operations Bramhall II Ltd – Sunrise of Bramhall
  • Sunrise Operations Cardiff Ltd – Sunrise of Cardiff
  • Sunrise Operations Esher Ltd – Sunrise of Esher
  • Sunrise Operations Weybridge Ltd – Sunrise of Weybridge
  • Sunrise Healthcare 4 Ltd – Holding company for Shelbourne Senior Living
  • Sunrise Healthcare 3 Ltd – Sunrise of Adderbury, Sunrise of Bath, Sunrise of Bookham, Sunrise of Camberly, Sunrise of Church Crookham, Sunrise of Edgbaston, Sunrise of High Wycombe, Sunrise of Horley Park, Sunrise of Kentford, Sunrise of Newbury, Sunrise of Salisbury, Sunrise of Sutton, Sunrise of Sutton Coldfield, Sunrise of Weymouth, Sunrise of Woking, Sunrise of Fareham
  • Sunrise Healthcare 1 Ltd – Sunrise of Frome
  • Shelbourne Senior Living Ltd – Sunrise of Sway
  • Maids Moreton Operations Ltd – Sunrise of Maids Moreton
  • Bayfield Court Operations Ltd – Sunrise of Chingford
  • Sunrise Operations (Ascot) Ltd – Sunrise of Ascot
  • Gracewell Healthcare 4 Ltd – Holding company for Shelbourne Senior Living
  • Gracewell Healthcare 3 Ltd – Gracewell of Adderbury, Gracewell of Bath, Gracewell of Bookham, Gracewell of Camberly, Gracewell of Church Crookham, Gracewell of Edgbaston, Gracewell of Fareham, Gracewell of High Wycombe, Gracewell of Horley Park, Gracewell of Kentford, Gracewell of Newbury, Gracewell of Salisbury, Gracewell of Sutton, Gracewell of Sutton Coldfield, Gracewell of Weymouth, Gracewell of Woking
  • Gracewell Healthcare 1 Ltd – Gracewell of Frome
  • Shelbourne Senior Living Ltd – Gracewell of Sway
  • Maids Moreton Operations Ltd – Gracewell of Maids Moreton
  • Bayfield Court Operations Ltd – Gracewell of Chingford
  • Gracewell Operations (Ascot) Ltd – Gracewell of Ascot