top of page

Privacy Policy

(Updated April 2023)

RugbyBootBank Personal and Sensitive Data Policy

This policy applies to all RugbyBootBank staff (volunteers) and all sensitive data processed.



The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) and has been fully adopted by the UK.  

The General Dara Protection Regulation (GDPR) requires holders of data to protect that data from causing harm to living individuals and to demonstrate respect for people. 



The GDPR is based around a set of data principles, which encourage an emphasis on transparency and accountability, which should drive how we record and store data as follows: 

  • Lawfulness, fairness and transparency – Only record data that you would be happy for the individual to see – facts. 

  • Purpose limitation – Use/process the data recorded as minimally as possible. 

  • Data minimalisation – We ask for and record the minimum of personal data. 

  • Accuracy – We ensure that all data is recorded as accurately as possible and make any changes requested by individuals promptly. 

  • Storage limitation – RugbyBootBank has a policy of cleansing data after retaining it for 7 years. 

  • Integrity and confidentiality (security) – Our database is encrypted and secure. No paper records are stored. 



RugbyBootBank will only process personal data where we have at least one of six ‘lawful bases’ (legal reasons) to do so under data protection law (UK GDPR Article 6): 

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose – such as requesting a pair of boots.

2.Contract: the processing is necessary for a contract you have with the individual, or because they have asked RugbyBootBank to take specific steps before entering into a contract. 

3.Legal obligation: the processing is necessary to comply with the law (not including contractual obligations). 

4.Vital interests: the processing is necessary to protect someone’s life. 

5.Public task: the processing is necessary for RugbyBootBank to perform a task in the public interest or for official functions, and the task or function has a clear basis in law. 

6.Legitimate interests: the processing is necessary for the legitimate interests or the legitimate interests of RugbyBootBank or a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.  

Whenever RugbyBootBank first collects personal data directly from individuals, it will provide them with the relevant information required by data protection law on how their data is processed through the use of the relevant privacy notice. 



  • RugbyBootBank does not use information that identifies individuals unless it is absolutely necessary. 

  • We keep the use of such information to a minimum and only use for the stated purpose. 

  • We are always able to justify why we are using the information. 

  • We do not leave confidential files and correspondence where they can be read by unauthorised people.

  • We password protect confidential files and keep passwords secure.   



RugbyBootBank will only collect personal data for specified, explicit and legitimate reasons.  

RugbyBootBank will explain these reasons to the individuals when first collecting their data by issuing them with the relevant privacy notice. 

If RugbyBootBank wants to use personal data for reasons other than those given when originally obtained, RugbyBootBank will inform the individuals concerned before proceeding, and give them the option to object.   

Volunteers must only process personal data where it is necessary in order to fulfil their role.  When volunteers no longer need the personal data they hold, they must ensure it is deleted or anonymised.



We collect, store and use the following kinds of personal information: 

  • Name of responsible adult requesting or donating boots

  • Contact details (including postal address, telephone number, e-mail address) 

  • Information about individuals’ activities on our website(s) or social media platforms when they interact with us, and about the device they use to access these, for instance their IP address and geographical location; 

We only collect this type of information about our supporters or beneficiaries where there is a clear reason for us to do so.

Wherever it is practical for us to do so, we will make clear why we are collecting this type of information and what it will be used for.  



We use personal data for a number of purposes.  We will use personal information for the following purposes: 

The management of RugbyBootBank...

  • To further our objectives 

  • Administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems 

  • Test our technical systems to make sure they are working as expected 

  • display content in a way appropriate to the device a supporter is using (for example if they are viewing content on a mobile device or a computer) 

  • Generate reports on our work, services and events 

  • Safeguard our volunteers 

  • Meet our legal obligations, for instance to perform contracts or our obligations to regulators, government and/or law enforcement bodies 

  • Carry out fraud prevention and money laundering checks 

  • Undertake credit risk reduction activities and/or establish, defend or enforce legal claims 

  • Conduct training and quality control 

Supporter Care...

  • Provide supporters with the services, products or information they have asked for 

  • Keep a record of our relationships with supporters 

  • Respond to or fulfil any requests, complaints or queries made to us 

  • Check for updated contact details against third party sources so that we can stay in touch if supporters move (see “Keeping your information up to date” below); 

  • To send our supporters correspondence and communicate with them, using traditional channels and via social media platforms 

  • Process applications for voluntary position


  • Administer donations or support fundraising

  • Audit and administer our accounts 


  • Understand how we can improve our services, products or information by conducting analysis and market research 

  • Manage events 

  • To send our supporters correspondence and communicate with them, using traditional channels and via social media platforms 

  • Identify potential supporters, donors, researchers or other partners 

  • Monitor website use to identify visitor location, guard against disruptive use, monitor website traffic, personalise information which is presented to supporters  



We ask our supporters for their consent to contact them when they contact RugbyBootbank to request / donate boots, to support or to volunteer.



We have a basis to use an individual’s personal information if it is reasonably necessary for us (or others) to do so and in our/their “legitimate interests” (provided that what the information is used for is fair and does not unduly impact their rights). 

We consider our legitimate interests to include all of the day-to-day activities RugbyBootBank carries out with personal information. 

We only rely on legitimate interest where we consider that any potential impact on individuals (positive and negative), how intrusive it is from a privacy perspective and their rights under data protection laws do not override our (or others’) interests in us using your information in this way. 


RugbyBootBank does not sell data to any third parties.  We only share personal data with third parties (referred to in the GDPR as Processors) suppliers and sub-contractors who may process information on our behalf, for example enable fulfilment of a mailing). 



The GDPR defines some type of personal data as “Sensitive” for example; racial/ethnic classification, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health/sex life, sexual orientation and criminal records. RugbyBootBank does not store any of this information.



All supporter personal data collected by RugbyBootBank is held on our secure database for seven years after their last donation/request/activity cessation. This baseline has been selected as it is in line with HMRC Default Standard Retention Periods rules.  



Private and confidential obsolete records will be permanently destroyed and deleted. 



  • Where RugbyBootBank media (videos and photographs) are taken by or received careful consideration will be given as to whether the use of such photographs or videos could render them as personal data within the GDPR.  

  • Photographs meet the definition of personal data where they can be related to an identifiable individual.  Where a photograph is stored and used with other personal information about the subject, consent will be obtained by the individual at the time of taking or providing the image. 



Individuals have a right to make a ‘subject access request’ to gain access to personal information that RugbyBootBank holds about them. This includes: 

  • Confirmation that their personal data is being processed 

  • Access to a copy of the data 

  • The purposes of the data processing 

  • The categories of personal data concerned 

  • Who the data has been, or will be, shared with 

  • How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period 

  • The source of the data, if not the individual 

  • Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual 

Subject access requests should be submitted in writing, either by letter or email to RugbyBootBank. They should include: 

  • Name of individual 

  • Correspondence address 

  • Contact number and email address 

  • Details of the information requested 

If any RugbyBootBank volunteers receive a subject access request they must immediately forward it to the Data Protection Officer. 



When responding to requests, RugbyBootBank:  

  • May ask the individual to provide two forms of identification 

  • May contact the individual via phone to confirm the request was made  

  • Will ordinarily respond without delay and within one month of receipt of the request 

  • Will provide the information free of charge 

  • May tell the individual that RugbyBootBank will comply within 3 months of receipt of the request, where a request is complex or numerous.  

RugbyBootBank will not disclose information, for example if it: 

  • Might cause serious harm to the physical or mental health of the subject or another individual 

  • Results in the disclosure of information relating to another individual who can be identified and where such information cannot be reasonably or sufficiently redacted by RugbyBootBank

  • If the request is unfounded or excessive, RugbyBootBank may refuse to act on it, or charge a reasonable fee which considers administrative costs. A request will be deemed to be unfounded or excessive if it is repetitive or asks for further copies of the same information.  

Individuals also have the right to: 

  • Withdraw their consent to the processing of data, where consent is needed to process it, at any time 

  • Ask RugbyBootBank to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances) 

  • Prevent use of their personal data for direct marketing 

  • Challenge processing which has been justified on the basis of public task and legitimate interest 

  • Request a copy of agreements under which their personal data is transferred outside of the European Economic Area 

  • Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them) 

  • Prevent processing that is likely to cause damage or distress 

  • Be notified of a data breach in certain circumstances 

  • Make a complaint to the ICO 

  • Ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances).  With such a request, they must immediately forward it to the Data Protection Officer. 

The above rights apply only in certain circumstances. They are not absolute or unqualified rights. Guidance can be provided by the Data Protection Officer in each individual case.  



The Data Protection Officer is responsible for notification of RugbyBootBank’s data holdings to the Information Commissioner Office.  They are responsible for monitoring all RugbyBootBank GDPR processes and practices. 

The Data Protection Officer must maintain an internal register of data users and the data held.  This is to be updated annually. 

All volunteers are required to be data protection trained. Data protection will also form part of continuing professional development, where changes to legislation, guidance or RugbyBootBank’s processes make it necessary. 

RugbyBootBank volunteers must process data in accordance with this policy and the data protection guidelines.  



  • Data protection policy is to be reviewed annually.  

  • Volunteers will be advised of any changes

  • rotection guidelines.  


The DPO for RugbyBootbank is Matt Mitchell.

bottom of page