At OnePlusOne, we take the protection of your personal information seriously. This policy explains how we collect, use, and safeguard your data in line with UK data protection law, including the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and Data (Use and Access) Act 2025.
We're committed to being transparent about how we handle your information and respecting your rights. Whether you're accessing our services, taking part in research, or working with us, your privacy matters.
OnePlusOne is committed to protecting the rights and freedoms of individuals and safely processing their data in accordance with all legal obligations.
This policy sets out how we handle personal data of our customers, employees, suppliers, research participants, and other individuals in compliance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Data (Use and Access) Act 2025
We process personal data fairly, lawfully, and transparently, demonstrating our compliance through appropriate documentation, policies, and procedures.
Last reviewed: October 2025
Next review: October 2026
This policy covers all personal data processed by OnePlusOne, including:
- Current and former employees
- Job applicants and recruitment candidates
- Customers and clients
- Research participants (survey respondents, interview subjects, evaluation participants)
- Suppliers and partners
- Website visitors and online service users
The policy applies to all data formats (digital, paper, audio, video) and locations (on-site systems, cloud storage, third-party systems, backup archives, mobile devices).
Under UK GDPR, you have the following rights regarding your personal data:
- Right to be informed: You have the right to clear information about how we use your data
- Right of access: You can request a copy of the personal data we hold about you
- Right to rectification: You can ask us to correct inaccurate or incomplete data
- Right to erasure: You can request deletion of your data in certain circumstances
- Right to restrict processing: You can ask us to limit how we use your data
- Right to data portability: You can request your data in a commonly used format
- Right to object: You can object to certain types of processing, including direct marketing
- Rights related to automated decision-making: You have rights regarding automated decisions that significantly affect you
To exercise any of these rights, please contact our Data Protection Officer.
We maintain appropriate security measures to protect your personal information, including:
- Encryption of sensitive data
- Access controls and authentication
- Regular security testing and monitoring
- Staff training on data protection
- Secure disposal procedures
- Business continuity and disaster recovery plans
We conduct regular reviews of our security measures and update them as needed to ensure ongoing protection.
We only process personal data when we have a valid legal basis, which may include:
- Consent: You have given clear permission
- Contract: Processing is necessary to fulfil a contract with you
- Legal obligation: We must process data to comply with the law
- Vital interests: Processing is necessary to protect someone's life
- Public task: Processing is necessary for a task in the public interest
- Legitimate interests: Processing is necessary for our legitimate interests (where these don't override your rights)
Some personal data requires extra protection. This includes information about:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Sex life or sexual orientation
- Genetic data
- Biometric data (where used for identification)
We only process special category data where we have both a lawful basis under Article 6 and an additional condition under Article 9 of UK GDPR.
We only keep your personal data for as long as necessary. Our Data Retention Schedule sets out specific retention periods based on:
- Legal and regulatory requirements
- Operational needs
- The purposes for which data was collected
Once data is no longer needed, we securely delete or destroy it.
If we experience a data breach that poses a risk to your rights and freedoms, we will:
- Report it to the Information Commissioner's Office (ICO) within 72 hours
- Notify you directly if the breach is likely to result in high risk to you
- Document the breach and our response
We have procedures in place to detect, report, and investigate suspected data breaches.
If we transfer your data outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions (where the destination country has equivalent protection)
- Standard Contractual Clauses approved by the ICO
- Other legally approved transfer mechanisms
When we use external organisations to process data on our behalf, we ensure they:
- Meet our security and data protection standards
- Have appropriate contracts in place (Article 28 UK GDPR)
- Only process data according to our instructions
- Maintain appropriate technical and security measures
If you provide us with personal data about other people (such as family members or colleagues), you must:
- Ensure they're aware their data is being shared
- Provide them with our privacy information
- Only share data you have permission to share
Data Protection Officer: Matthew Nel
Email: dpo@oneplusone.org.uk
Address: OnePlusOne, c/o MHA MacIntyre Hudson, 6th Floor, 2 London Wall Place, London, EC2Y 5AU
For general data protection queries or to exercise your rights, please contact our Data Protection Officer.
Information Commissioner's Office (ICO)
If you're unhappy with how we've handled your data, you can complain to the ICO:
Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We review this policy annually and update it as needed to reflect changes in:
- Data protection law
- Our processing activities
- Best practice guidance
- ICO recommendations
When we make significant changes, we'll notify affected individuals.
Need the complete detailed policy document?
Contact us to request a copy of our complete GDPR Data Protection Policy, which includes all definitions, procedures, and legal references.
This page provides a summary of our GDPR policy. The full policy document is available on request.
Email: dpo@oneplusone.org.uk