Student Motorsport – GDPR Policy 2025 (General Data Protection Regulation)

Last Updated: April 15th, 2025

Version: 1.0

Student Motorsport – Trading as Student Motorsport Limited

Registered in England and Wales

Company Number: 09238023

  1. Introduction

Student Motorsport (“we,” “us,” or “our”) is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, and share your personal data in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.  

  1. Data Controller

Student Motorsport is the data controller responsible for your personal data.  

  1. Data Collection and Purposes

We collect personal data for various purposes, including:

  • Website Access and Use: We collect data related to your browsing activity on our website, including IP addresses and usage patterns. This helps us improve our website and provide relevant content. Legal basis: Legitimate interest (improving website functionality and user experience).  
  • Please refer to our Cookie Policy [TBC] for detailed information on how we use cookies.  
  • Customers (Schools, Colleges, Universities, Student Teams): We collect contact details, financial information (for invoicing and payments), and records related to our services. Legal basis: Contractual obligation (to provide our services).  
  • Team Communication, PR, Managing Records, and Administration (Participating Racing Teams): We collect contact details, team member information, performance data, and media content for communication, PR, and administrative purposes. Legal basis: Contractual obligation, legitimate interest (promoting team activities).  
  • Affiliated Organisations (Associates, Sponsors, Partners): We collect contact details and communication records for maintaining our relationships and promoting collaborations. Legal basis: Legitimate interest (communication, collaboration).  
  • Work Experience: We collect contact details (including next of kin/emergency contacts), CVs, and safeguarding information for managing work experience placements. Legal basis: Contractual obligation (work experience agreements), legal obligation (safeguarding).  
  • Social Media: We collect and store media content (photos, videos) involving affiliated third parties securely on Google Drive (Google Workspace). Legal Basis: Legitimate interest (promotion of events and activities) Consent when required for usage of images of individuals.  
  • Recruitment and HR: We collect data from job applicants (CVs, applications) and employees (contracts, performance reviews, payroll information). Legal basis: Contractual obligation, Legal obligation.  
  • Marketing and Customer Relations: We may collect email addresses and other contact details for marketing communications, with your consent where required. Legal Basis: Consent, Legitimate Interest.  
  • Customer Service and Sales: We collect customer data to provide support and process sales transactions. Legal Basis: Contractual obligation.  
  • Financial Data: We collect financial information for processing payments and managing accounts. Legal Basis: Contractual obligation, Legal obligation.  
  1. Data Storage and Security

We store your personal data securely in:

  • Google Drive (Google Workspace): For website data, design, intellectual property, customer data, media and PR, finance, participant, and work experience data.  
  • FreeAgent: For financial processing and accounting.  
  • Google Cloud Platform: For Website hosting.  
  • Meta Business Suite: For managing our social media.  

We implement appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, or disclosure. We will regularly review and update our security measures on a monthly basis.  

  1. Data Sharing

We may share your personal data with:

  • Our affiliated organisations (associates, sponsors, partners) for communication and collaboration purposes.  
  • Service providers (e.g., FreeAgent) for specific business functions.  
  • When required by law.  

We will not sell or rent your personal data to third parties.  

Specifically, we may share your data with the following categories of third parties:

  • IT service providers who assist with website hosting and data storage.
  • Financial service providers who process payments on our behalf.
  • Affiliated organisations (sponsors, partners) for joint marketing and promotional activities, where we have a legitimate interest and have conducted a Legitimate Interests Assessment.
  • Legal authorities, when required by law.
  1. Your Rights

Under GDPR, you have the following rights:

  • Right to access: You can request a copy of your personal data.  
  • Right to rectification: You can request corrections to inaccurate or incomplete data.  
  • Right to erasure: You can request the deletion of your personal data (where applicable).  
  • Right to restrict processing: You can request limitations on how we process your data.  
  • Right to data portability: You can request to receive your data in a portable format.  
  • Right to object: You can object to the processing of your data.  
  • Right to withdraw consent: If we rely on consent, you can withdraw it at any time.  
  • Right to complain to the ICO: You can lodge a complaint with the Information Commissioner’s Office (ICO).  
  1. Data Retention

We will retain your personal data for as long as necessary to fulfil the purposes outlined in this policy, or as required by law.  

Specifically, we will retain data as follows:

  • Customer data (contact details, financial information): Retained for seven years after the termination of the contract, in accordance with financial record-keeping requirements.
  • Team member data (contact details, performance data): Retained for two years following the end of the competition + 1 year for any queries.
  • Website access data (IP addresses, usage patterns): Retained for 12 months.
  • Marketing data: Retained until consent is withdrawn.
  • Recruitment data: Retained for one year after the recruitment process is completed (or longer if required by law).

We will review these retention periods regularly and update them as necessary.

  1. Cookies and Tracking

Our website uses cookies to enhance your browsing experience. Please refer to our Cookie Policy [INSERT COOKIE POLICY LINK HERE] for more information.  

  1. Data Processing

Any operation performed on personal data, including collection, storage, use, and disclosure, is conducted in compliance with GDPR.  

  1. Data Sharing with Third Parties

We will obtain appropriate consent or have a lawful basis for sharing personal data with third parties.  

  1. Data Deletion (Right to Erasure)

Individuals have the right to have their personal data deleted under GDPR, and we will comply with these requests when legally required.  

  1. Responding to Data Subject Requests

We have a suitable process in place to respond to data subject requests, including requests for access, rectification, and erasure.  

  1. Record Keeping

We keep records of our data processing activities to ensure compliance with GDPR.  

  1. Data Transfer

Currently, Student Motorsport does not transfer personal data outside of the UK. If, in the future, we need to transfer data outside of the UK, we will ensure that appropriate safeguards are in place in compliance with UK GDPR. This may include:  

  • Transferring data to countries with an adequate level of protection as determined by UK adequacy regulations.
  • Implementing Standard Contractual Clauses (SCCs) approved by the Information Commissioner’s Office (ICO).
  • Obtaining your explicit consent for the transfer, where required.
  1. Data Protection Impact Assessment (DPIA)

We have considered the need for a Data Protection Impact Assessment (DPIA) and have determined that, currently a DPIA is not required as our processing activities do not involve systematic and extensive profiling with significant effects, large-scale use of sensitive data or public monitoring. We will review the need for DPIAs on a regular basis, particularly if there are any significant changes to our processing activities.  

  1. Staff Training

All staff will receive initial data protection training upon joining Student Motorsport. This training will cover the principles of UK GDPR, the importance of data security, and the organisation’s data protection policies and procedures. Refresher training will be provided annually, and whenever there are significant changes to data protection law or our policies. Training will be delivered through a combination of online modules, and in-person workshops.  

  1. Contact Us

If you have any questions or concerns about this Privacy Policy or your personal data, please contact us at:

[Your Contact Information – Email and Postal Address]  

  1. Changes to this Privacy Policy

We will review and update this Privacy Policy at least annually, or more frequently if there are any changes to data protection law or our processing activities, to ensure that it accurately reflects our data processing practices. We may update this Privacy Policy from time to time. We will notify you of any significant changes.  

  1. ICO Information

For further information on your rights and data protection, please visit the Information Commissioner’s Office (ICO) website: https://ico.org.uk/