Data Protection Policy

Mission Motorsport is committed to being open and transparent about how we use and protect personal data, respecting the privacy and rights of individuals. This Data Protection and Privacy Policy sets out the organisation’s commitment to the lawful, fair and secure handling of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

Mission Motorsport recognises that the correct and lawful treatment of personal data is essential to maintaining trust and confidence in the organisation and supporting effective delivery of its charitable activities.  

This policy applies to ALL personal data processed by Mission Motorsport, whether relating to beneficiaries, supporters, donors, volunteers, staff, contractors, suppliers, partners, sponsors, website users and organisations acting on behalf of the charity. 

Definitions

Personal Data: Personal data means any information relating to an identified or identifiable individual. An individual may be identified directly or indirectly, for example by reference to a name, identification number, location data, online identifier, or factors specific to physical, psychological, mental, economic, cultural or social identity. Personal data may be held in electronic or paper form and may include factual information or opinions about an individual.

Special Category Personal Data: Special category personal data includes information relating to health, disability, injury, safeguarding concerns, or other sensitive matters and is subject to additional protections. Such data will only be processed where a valid condition under Article 9 of the UK GDPR applies, and appropriate safeguards are in place.

Data Processing: Any operation performed on personal data, including collection, recording, storage, use, disclosure, sharing or deletion.

Data Subject: The individual the personal data relates to.

Data Controller: The organisation that determines the purposes and means of processing personal data. Mission Motorsport is the Data Controller for the personal data it processes.

Data Protection Officer: The individual appointed to oversee data protection compliance, provide advice, and act as the primary point of contact for data protection matters.

Consent: A freely given, specific, informed and unambiguous indication of an individual’s wishes by which they agree to the processing of their personal data.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Data Protection Law

Mission Motorsport processes personal data in line with the following:

  • The UK General Data Protection Regulation (UK GDPR)

  • The Data Protection Act 2018

  • The Privacy and Electronic Communications Regulations (PECR)

  • Guidance issued by the Information Commissioner’s Office (ICO)

Data Controller

Mission Motorsport is the Data Controller for the purposes of UK data protection law and is responsible for determining how personal data is processed.

Mission Motorsport is registered with the ICO.

Data Protection Principles

Mission Motorsport is committed to ensuring that personal data is processed in line with the principles of data protection law.  Personal data MUST be: 

  • Processed lawfully, fairly and transparently  

  • Collected for specified, explicit and legitimate purposes  

  • Adequate, relevant and limited to what is necessary  

  • Accurate and kept up to date  

  • Retained only for as long as necessary  

  • Processed and kept securely and protected against unauthorised access, loss or misuse 

  • Not transferred outside the UK without appropriate safeguards in place 

  • Made available to individuals who exercise their rights under data protection law 

These principles underpin all personal data handling activities across the organisation.

Personal Data We Process

Personal Data

Depending on how the individual engages with Mission Motorsport, personal data may include:

  • Name and contact details. 

  • Date of Birth. 

  • Employment or military service history. 

  • Records of engagement with Services, events or activities. 

  • Donation, Gift Aid and payment information. 

  • Communications with the charity. 

  • Information provided when registering for events, programmes, training or volunteering. 

Special Category Data

Where necessary and appropriate, Mission Motorsport may also process more sensitive personal data including: 

  • Health and wellbeing information.

  • Information relating to injury, disability or accessibility needs. 

  • Information relating to military service or recovery needs.

Such data is handled with additional safeguards and only where there is a clear and lawful reason to do so, including to provide appropriate support or to meet safeguarding obligations.

Lawful Processing of Personal Data

Mission Motorsport will only process personal data where there is a valid lawful basis under Article 6 of the UK General Data Protection Regulation (UK GDPR). Depending on the nature of the processing, this may include: 

  • Consent – where an individual has given a clear, informed and freely given indication of their agreement. 

  • Contract – where processing is necessary for the performance of a contract or to take steps at the request of the individual prior to entering into a contract. 

  • Legal obligation – where processing is required to comply with a legal or regulatory obligation. 

  • Legitimate interests – where processing is necessary for the legitimate interests of Mission Motorsport, provided these interests are not overridden by the rights and freedoms of the individual. 

  • Vital interests – where processing is necessary to protect the life of an individual. 

Consent will not be relied upon where another lawful basis is more appropriate, particularly where there is a power imbalance or safeguarding considerations apply. Where consent is used, individuals have the right to withdraw it at any time. 

Special Category Data 

Where special category personal data is processed, Mission Motorsport will ensure that a valid condition under Article 9 UK GDPR applies, including but not limited to: 

  • Employment, social security and social protection law. 

  • Safeguarding of children and individuals at risk. 

  • Health or social care purposes. 

  • Explicit consent, where appropriate. 

Additional safeguards will always be applied to special category data. 

Children’s Personal Data 

Mission Motorsport recognises that personal data relating to children and young people requires enhanced protection. 

Where children’s personal data is processed, the charity will ensure that: 

  • Processing is fair, lawful and transparent 

  • Information is provided in an age‑appropriate manner where relevant 

  • Data is processed in line with safeguarding policies and procedures 

  • Additional security and access controls are applied 

Information provided to children and those with parental responsibility will be clear, age‑appropriate and accessible.

Data Protection Impact Assessments

Mission Motorsport is committed to embedding data protection into the design of its systems, processes and services, in accordance with the principle of privacy by design and by default. 

A Data Protection Impact Assessment (DPIA) will be completed where processing is likely to result in a high risk to the rights and freedoms of individuals. This may include, but is not limited to: 

  • Processing of special category or safeguarding-related data. 

  • Large-scale processing of personal data. 

  • Introduction of new systems, technologies or data-sharing arrangements. 

  • Processing involving vulnerable individuals, including children. 

DPIAs will be reviewed and approved by the Data Protection Officer prior to processing commencing, and risks will be escalated where appropriate. 

Personal data may be stored and managed using approved systems, including customer relationship management (CRM) systems. Where new systems are introduced or existing systems are significantly changed, this will be assessed in line with the organisation’s approach to privacy by design and, where required, through a Data Protection Impact Assessment. 

Individual Rights

Mission Motorsport recognises and upholds the rights of individuals under UK Data Protection Law (UK GDPR). These rights include: 

  • The right to be informed about how personal data is used 

  • The right of access to personal data 

  • The right to rectification of inaccurate or incomplete data 

  • The right to erasure (where applicable) 

  • The right to restrict processing 

  • The right to object to processing 

  • The right to data portability 

  • The right to withdraw consent, where processing is based on consent. 

  • Rights relating to automated decision-making and profiling (where applicable) 

Requests relating to personal data rights will be handled in line with statutory timescales and Mission Motorsport’s internal procedures. Individuals also have the right to raise concerns directly with the Information Commissioner’s Office (ICO). 

Further information on individual rights and how to exercise them is provided in the Mission Motorsport Privacy Notice.

Data Sharing

Personal data will only be shared where it is lawful, necessary and proportionate.  

Where third parties process personal data on behalf of Mission Motorsport, appropriate Data Processing Agreements will be in place in accordance with Article 28 of the UK GDPR. These agreements will require processors to: 

  • Process personal data only on documented instructions 

  • Maintain confidentiality and appropriate security measures 

  • Not engage sub‑processors without appropriate safeguards 

  • Assist Mission Motorsport in meeting its data protection obligations 

  • Allow for audit and compliance monitoring where required 

Mission Motorsport will never sell personal data.

International Transfers 

Personal data will not be transferred outside the United Kingdom unless appropriate safeguards are in place to ensure an adequate level of protection for individuals’ rights and freedoms.

Where international transfers occur, Mission Motorsport will ensure that one or more of the following safeguards apply: 

  • A UK adequacy regulation 

  • An International Data Transfer Agreement (IDTA) 

  • The UK Addendum to the EU Standard Contractual Clauses 

  • Other safeguards recognised under UK GDPR 

These safeguards apply to third‑party service providers, including cloud‑based systems, where data may be processed outside the UK.

Electronic Communications and Marketing 

Mission Motorsport complies with the Privacy and Electronic Communications Regulations (PECR) when sending electronic communications.

Personal data used for marketing or supporter communications will be processed lawfully and in accordance with individuals’ stated preferences.

Individuals will be provided with clear options to manage communication preferences and to opt out of marketing communications at any time.  

Mission Motorsport is committed to upholding the highest standards of data protection in its communications and marketing activities. Procedures are regularly reviewed to ensure ongoing compliance with legislative requirements and best practice guidelines. 

Mission Motorsport will not send unsolicited electronic marketing communications where consent or another lawful basis does not apply. 

Personal Data Breaches

Mission Motorsport recognises that personal data breaches may occur despite appropriate safeguards. A personal data breach includes any accidental or unlawful loss, destruction, alteration, unauthorised disclosure of, or access to personal data. 

All actual or suspected personal data breaches must be reported immediately to the Data Protection Officer within 72 hours of discovery. Breaches will be assessed promptly to determine risk to individuals and whether notification to the Information Commissioner’s Office (ICO) and affected individuals is required.

Personal data breaches are managed in line with Mission Motorsport’s Data Breach Risk Assessment process and relevant ICO guidance. 

Data Retention 

Personal data will be retained only for as long as necessary and in accordance with Mission Motorsport’s Data Retention Schedule.

Data Protection Complaints

Mission Motorsport recognises the right of individuals to raise concerns about how their personal data is handled and to request access to their personal data. 

Subject Access Requests (SARs) 

A Subject Access Request is a request from an individual to access personal data held about them. 

  • All Subject Access Requests must be forwarded immediately to the Data Protection Officer. 

  • Requests may be made verbally or in writing and do not need to use specific wording. 

  • Identity must be verified before personal data is disclosed. 

  • Mission Motorsport will normally respond within one month, in line with legal requirements. 

  • Extensions, refusals or redactions must be approved by the Data Protection Officer.

No personal data should be disclosed by staff or volunteers outside this process. 

Data Protection Complaints 

Complaints relating to personal data handling must be treated seriously and escalated promptly. 

  • All data protection complaints must be referred to the Data Protection Officer. 

  • Complaints will be logged, investigated and responded to appropriately. 

  • Where required, complaints may be reported to the Information Commissioner’s Office (ICO). 

Staff must not attempt to resolve data protection complaints independently. 

All personal data breaches will be assessed and managed using the Data Breach Risk Assessment.

Training and Awareness

Mission Motorsport is committed to ensuring that all trustees, staff and volunteers who handle personal data understand their data protection responsibilities. 

Mandatory data protection training will be provided on induction and refreshed periodically. Additional training may be provided where roles involve higher‑risk processing, including safeguarding, health or other special category data. 

Completion of training and awareness activities will be monitored as part of the organisation’s data protection governance arrangements. 

Policy Review

This policy will be reviewed at least annually, or sooner where there are changes in legislation, regulatory guidance, organisational activities, or identified data protection risks. 

Contact Us

If you have any questions or concerns about this policy or how your personal data is used, please contact us using the details below:

e: dataprotection@missionmotorsport.org

a: Mission Motorsport, Unit 11, W&G Industrial Estate, Faringdon Road, East Challow, Oxfordshire, OX12 9TF