CREATIVE RECOVERY GDPR PRIVACY POLICY

Creative Recovery is a registered charity (registration number: 1158073) committed to protecting your privacy
and personal data in accordance with UK data protection legislation, including the UK General Data Protection
Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

1. DATA CONTROLLER AND CONTACT INFORMATION

Data Controller: Creative Recovery
Address: Prospect Community Centre, Prospect Street, Barnsley, South Yorkshire S70 2NR
Email: wearecreativerecovery@gmail.com
Data Protection Officer: Company Manager

If you have concerns about how we handle your data, please contact us first. If you remain unsatisfied, you can contact the Information Commissioner’s Office (ICO) at ico.org.uk or call 0303 123 1113.

2. WHAT PERSONAL DATA WE COLLECT

We collect personal data when you:

  • Complete participant registration forms
  • Book to attend events
  • Subscribe to our newsletter
  • Participate in sessions
  • Volunteer or become a trustee
  • Make donations or engage in fundraising
  • Contact us for any reason

Personal data may include:

  • Full name, title, and date of birth/age range
  • Contact details (postal address, email, phone number)
  • Personal goals and interests
  • Diversity monitoring information (voluntarily provided)
  • Health information and emergency contacts (for project participants)
  • Information about other services/support you receive
  • Attendance records and feedback
  • Volunteer hours
  • Donation information and Gift Aid status
  • Correspondence records

Special category data: We may collect health information and diversity monitoring data with your explicit consent where necessary to support you effectively.

Media content: We may collect photographs, film, and audio recordings during creative projects or for evaluation/promotional purposes, always with your specific consent.

3. LEGAL BASIS FOR PROCESSING

We process your personal data under the following legal bases:

  • Consent: For newsletters, marketing communications, photography/filming, and special category data
  • Legitimate interests: For delivering our charitable services, evaluation, reporting to funders, and
    administrative purposes
  • Recognised legitimate interests: For crime prevention, safeguarding, and emergency response (as introduced by the Data (Use and Access) Act 2025)
  • Legal obligation: For Gift Aid processing and regulatory reporting
  • Vital interests: Where necessary to protect someone’s life or prevent serious harm

4. HOW WE USE YOUR PERSONAL DATA

Your data is used to:

  • Deliver our services and support programmes
  • Communicate with you about projects and activities
  • Send newsletters and information about events (with consent)
  • Monitor attendance and evaluate programme impact
  • Report anonymised statistics to funders
  • Ensure participant safety and wellbeing
  • Process donations and Gift Aid claims
  • Manage volunteers and trustees
  • Respond to enquiries and complaints
  • Comply with legal obligations

5. AUTOMATED DECISION-MAKING

In accordance with the Data (Use and Access) Act 2025, if we make any automated decisions that significantly affect you, we will:
  • Inform you about the decision and the logic involved
  • Provide you with the right to request human intervention
  • Allow you to express your point of view and challenge the decision

6. WHO WE SHARE YOUR DATA WITH

We share personal data only when necessary:
Within Creative Recovery: Data is shared among core team members who work under our Data Protection and Confidentiality Policy.

External sharing:

  • Funders: Anonymous, aggregated data for impact reporting
  • Health professionals: If we identify risks to your safety or wellbeing (as stated in registration forms)
  • Collaborating artists: For project delivery (with appropriate data sharing agreements)
  • Legal authorities: If required by law or for safeguarding purposes

We never sell, rent, or trade your personal data with third parties for marketing purposes.

7. DATA RETENTION

  • Digital records: Retained securely for a maximum of 7 years
  • Physical records: Double-locked and retained for 7 years
  • Media files: Transferred to Creative Recovery at project completion; personal copies destroyed
  • Newsletter data: Managed through MailChimp with automatic database cleansing

Data is deleted when no longer needed unless we have a legal obligation to retain it longer.

8. YOUR RIGHTS

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data in certain circumstances
  • Restrict processing: Limit how we use your data
  • Data portability: Receive your data in a structured format
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time (for consent-based processing)
  • Complain: Lodge a complaint with the ICO

Subject Access Requests: We will respond within one month. If we need additional information from you, we may pause the response time until we receive it (as allowed under the Data (Use and Access) Act 2025).

9. INTERNATIONAL DATA TRANSFERS

If we transfer your data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Adequacy decisions
  • Standard contractual clauses
  • Binding corporate rules

11. COOKIES AND WEBSITE PRIVACY

Cookies we use:

  • Google Analytics: To analyse website usage (anonymised data)
  • Essential cookies: For website functionality

Recent updates: Following the Data (Use and Access) Act 2025, analytics and appearance cookies that improve user experience and pose minimal privacy risks may be used without explicit consent, provided they are proportionate and necessary.

Managing cookies: You can control cookie settings through your browser preferences. Some website functionality may be limited if you disable cookies.

12. MARKETING AND COMMUNICATIONS

Opt-in basis: We only send marketing communications with your consent.
Your preferences: You can:

  • Unsubscribe using links in emails
  • Contact us to change your preferences
  • Specify preferred communication methods when registering

Third-party information: We may occasionally share information about carefully selected partner
organisations that we believe may interest you, but only with your consent.

13. COMPLAINTS HANDLING

As required by the Data (Use and Access) Act 2025, we provide:

  • Electronic complaint forms on our website
  • Clear information about our complaints process
  • Regular updates on complaint outcomes
  • Response timeframes for different types of complaints

14. RESEARCH

When we conduct research (including commercial research as clarified by the Data (Use and Access) Act  2025):

  • We may seek broad consent for related research areas
  • We implement appropriate safeguards for research data
  • We anonymise data wherever possible
  • We follow ethical research standards

15. CHANGES TO THIS POLICY

We may update this policy to reflect legal or operational changes. Significant changes will be communicated through:

  • Email notifications to registered users
  • Website notifications
  • We anonymise data wherever possible
  • Direct communication for substantial changes affecting your rights

16. LEGAL BASIS DETAILS

Legitimate interests assessments: We have conducted legitimate interests assessments for our core activities.
These are available on request.

Consent records: We maintain records of consent given, including when, how, and what you were told.

Data protection by design: We implement privacy considerations into all new projects and systems from the outset.

This policy complies with the UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025, and Privacy and Electronic Communications Regulations. For the most current regulatory guidance, please visit ico.org.uk.

Created: 24 May 2018
Policy Approved:
Next Review Date:
Responsible Person: Company Manager