GDPR Data Protection Policy

1. Introduction
Rights and Equality Sandwell are committed to adhering to all Data Protection laws and regulations while maintaining the highest standards of ethical conduct. This policy sets forth the expected behaviours of Rights and Equality Sandwell Employees and Third Parties regarding the collection, use, retention, transfer, disclosure, and destruction of any Personal Data belonging to a Rights and Equality Contact (i.e., the Data Subject).

Personal Data is any information (including opinions and intentions) relating to an identified or identifiable natural person. Personal Data is subject to certain legal safeguards and regulations, which impose restrictions on how organisations process Personal Data.

An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. Rights and Equality Sandwell, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy. Non-compliance may expose Rights and Equality Sandwell to complaints, regulatory action, fines, and/or reputational damage.

Rights and Equality Sandwell’s leadership is fully committed to the effective implementation of this policy and expects all Rights and Equality Sandwell Employees and Third Parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.

2. Scope
This policy applies to all Rights and Equality Sandwell Entities where a Data Subject’s Personal Data is processed:

In the context of the business activities of the Rights and Equality Sandwell Entity.
For the provision or offer of services to individuals (including those provided or offered free-of-charge) by a Rights and Equality Sandwell Entity.
To actively monitor the behaviour of individuals.

Monitoring the behaviour of individuals includes using data processing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to:

Taking a decision about them.
Analysing or predicting their personal preferences, behaviours, and attitudes.

This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files structured to allow ready access to information about individuals.

Updated: Ann Llewellyn 3.1.24

This policy establishes a worldwide baseline standard for the Processing and protection of Personal Data by all Rights and Equality Sandwell Entities. Where national law imposes a stricter requirement than this policy, the national law must be followed. Where national law imposes a requirement not addressed in this policy, the relevant national law must be adhered to.

The protection of Personal Data belonging to Rights and Equality Sandwell Employees is not within the scope of this policy. It is covered in the Rights and Equality Sandwell ‘Data Protection for Employee Data’ policy.

3. Policy Dissemination & Enforcement
The management team of each Rights and Equality Sandwell Entity must ensure that all employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy.
All Third Parties engaged to Process Personal Data on behalf of Rights and Equality Sandwell must be aware of and comply with this policy. Compliance assurance must be obtained from all Third Parties before granting them access to Personal Data controlled by Rights and Equality Sandwell.

4. Data Protection by Design
To ensure all Data Protection requirements are identified and addressed:

Each new system or process must go through an approval process authorised by the CEO.
An IT system and application design review process will assess the impact of new technology uses on Personal Data security.

5. Compliance Monitoring
To ensure an adequate level of compliance with this policy:

The CEO will conduct an annual Data Protection compliance audit.
The audit will assess compliance with policy requirements, operational practices, and effectiveness, including:
Assignment of responsibilities.
Employee awareness and training.
Data Subject rights and incident management.
Currency and accuracy of policies and Personal Data.
Conformity of Data Processor activities.
Adequacy of procedures for addressing non-compliance.
Major deficiencies will be reported to and monitored by the Executive Management team.

6. Data Protection Principles
Rights and Equality Sandwell adopts the following principles for the collection, use, retention, transfer, disclosure, and destruction of Personal Data:

Principle 1: Lawfulness, Fairness, and Transparency
Personal Data must be processed lawfully, fairly, and transparently in relation to the Data Subject.

Principle 2: Purpose Limitation
Personal Data must be collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.

Principle 3: Data Minimisation
Personal Data must be adequate, relevant, and limited to what is necessary for the intended purposes.

Principle 4: Accuracy
Personal Data must be accurate and kept up to date. Processes must address out-of-date, incorrect, and redundant data.

Principle 5: Storage Limitation
Personal Data must not be retained longer than necessary for the intended purposes.

Principle 6: Integrity and Confidentiality
Personal Data must be protected against unauthorised access, loss, or damage through appropriate technical and organisational measures.

Principle 7: Accountability
Rights and Equality Sandwell must demonstrate compliance with all six principles above.