SponsorStars : Data Protection Policy

  1. General Statement of the Charity’s Duties


The Charity is required to process relevant personal data in four situations


  1. Recording sponsors details
  2. School/student applications
  3. Trustee information

The Charity shall take all reasonable steps to process relevant personal data in accordance with this Policy. Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data. In this Policy, any reference to grant applicants includes current past or prospective applicants. We process personal information to enable us to provide grants and to support and manage our staff.


  1. Data Protection Controller


The Charity has appointed the Company Secretary as Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998 and with the General Data Protection Regulations (GDPR).  The Chair of Trustees is Deputy Data Protection Controller.


  1. Personal Data


Personal data is data relating to a living individual who can be identified from the data.  Personal data includes both automated data and data in manual filing systems.


The Charity receives personal data from the school or pupil directly, from the volunteer or trustee directly or on employee job applications and other forms for employees.


  1. The Principles


The Principles are contained in the GDPR.  These state that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes;
  • Adequate, relevant and limited to what is necessary;
  1. Accurate and up to date;
  2. Kept in a form which permits identification for no longer than is necessary;
  3. Processed in a manner that ensures appropriate security of the personal data;
  • Not transferred to other countries without adequate protection.


  1. Accountability


The Charity, in accordance with its responsibilities, complies with the principles contained within the GDPR:

  1. The Charity has policies on data protection and on data retention.
  2. All trustees, volunteers and staff have been made aware of their responsibilities in respect of personal data.
  • The Company Secretary is the Data Protection Officer.
  1. The charity uses data impact assessments where appropriate.


  1. Lawful Processing


Data is processed with the consent of the data subject.  This is supplied at the time or at the time that a job application is submitted in the case of prospective employees or when an employment contract is signed.   Consent is specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.  A child under 16 cannot give consent and so consent is required from a person holding parental responsibility.


Data is processed where processing is necessary for the purposes of the Charity’s legitimate interests.


Special categories of data are processed with the explicit consent of the data subject or of the person holding parental responsibility.


  1. Rights for individuals


Individuals have the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling


Individuals are supplied with the following information at the time that grant applications are made:

  • Identity and contact details of the controller and the data protection officer
  • Purpose of the processing and the lawful basis for processing
  • The legitimate interest of the controller where applicable
  • Retention period of data
  • The existence of each data subject’s rights
  • The right to withdraw consent at any time
  • The right to lodge a complaint with a supervisory authority
  • Whether the provision of personal data is part of a statutory or contractual requirement or obligation


  1. Rights of Access


Individuals have a right of access to information held by the Charity. Any individual wishing to access their personal data should put their request in writing to the DPC. The Charity will respond to any such written requests without delay and in any event, within one month.


Certain data is exempt from the right of access under the Data Protection Act. This may include information which identifies other individuals, information which the Charity reasonably believes is likely to cause damage or distress, or information which is subject to legal professional privilege.


  1. Exemptions


Certain data is exempted from the provisions of the Data Protection Act which includes the following:

  • The prevention or detection of crime;
  • The assessment of any tax or duty;
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the Charity.


The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the DPC.


  1. Accuracy


The Charity will endeavour to ensure that all personal data held in relation to an individual is accurate.


Individuals may notify the DPC of any changes to information held about them. An individual has the right to request that inaccurate information about them is erased or corrected.


  1. Security


The Charity will take reasonable steps to ensure that trustees, volunteers and members of staff will only have access to personal data where it is necessary for them to do so. All staff will be made aware of this policy and their duties under the GDPR. The Charity will ensure that all personal information is held securely and is not accessible to unauthorised persons.


  1. Breach notification


A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  The Charity shall comply with the requirements of the GDPR and notify the relevant authority of a data breach where it is likely to result in a risk to the rights and freedoms of individuals.  Individuals will be notified of a breach if the breach is likely to result in a high risk to the rights and freedoms of individuals.


  1. Enforcement


If an individual believes that the Charity has not complied with this Policy or acted otherwise than in accordance with the GDPR, they should utilise the Charity’s complaints procedure and should also notify the DPC in writing using the following contact details:


Company Secretary

Sponsorstars Ltd., 85 Great Portland Street, First Floor, London, W1W 7LT


  1. Information Commissioner’s Office (ICO)


Further information can be found on the ICO website ico.org.uk or by telephoning the ICO helpline 0303 123 1113