Data Protection Policy of Sal’s Shoes (“the Charity”)

1.  Purpose of this Policy

This policy sets out how Sal’s Shoes handles personal data to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant laws. It applies to all trustees, staff and volunteers who have access to personal data in the course of their work with the charity.

Our aim is to protect the privacy of everyone whose data we hold and to ensure that it is collected, used, stored, and shared lawfully, securely, and transparently. For our public-facing Privacy Policy, which explains how we collect and use personal data, please look here.

2.  Scope

This policy covers all personal data processed by Sal’s Shoes, whether stored electronically, on paper, or in other formats.

It applies to data about:

  • Supporters and donors
  • Volunteers
  • Partner organisations
  • Beneficiaries (including children, where applicable)
  • Suppliers and contractors
  • Website visitors and social media contacts

3.  Data Protection Principles

We follow the six data protection principles set out in UK GDPR. Personal data must be:

  1. Processed lawfully, fairly, and transparently
  2. Collected for specified, explicit, and legitimate purposes
  3. Adequate, relevant, and limited to what is necessary
  4. Accurate and kept up to date
  5. Kept no longer than necessary
  6. Processed securely

4.  Roles And Responsibilities

  • Trustees have overall responsibility for data protection
  • The Data Protection Lead (email: [email protected]) oversees day-to-day compliance, provides advice, and acts as the main contact for data protection queries and data subject requests.
  • All staff and volunteers must follow this policy and handle personal data carefully, only using it for authorised purposes.

5.  Lawful Bases For Processing

We process personal data under one or more lawful bases as set out in our Privacy Policy:

  • Consent
  • Contract
  • Legal obligation
  • Legitimate interests

6.  Collecting And Using Personal Data

When collecting personal data, staff and volunteers must:

  • Only collect what is necessary for the task
  • Be open about why it is being collected and how it will be used
  • Check accuracy and keep it up to date
  • Store it securely

7.  Storing And Securing Data

We will:

  • Keep paper records in locked cabinets or secure rooms
  • Protect electronic records with strong passwords and encryption where possible
  • Restrict access to personal data to authorised individuals only
  • Change passwords regularly and keep them confidential
  • Avoid storing personal data on personal devices unless authorised and encrypted

8.  Sharing Personal Data

We only share personal data with:

  • Authorised colleagues and trustees who need it to carry out their work
  • Trusted third-party processors (e.g. payment providers, email platforms) with appropriate contracts in place
  • Partner organisations when necessary for joint projects, with agreements in place

We will never sell personal data.

9.  Data Retention

We keep personal data only as long as necessary for the purpose it was collected, in line with our Privacy Policy. When data is no longer needed, it will be securely deleted, shredded, or anonymised.

10.  Data Breaches

A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. If you become aware of a possible breach:

  • Report it immediately to the Data Protection Lead at [email protected]
  • Do not attempt to fix it yourself without guidance

We will investigate and, where required, report serious breaches to the Information Commissioner’s Office (ICO) within 72 hours.

11.  Data Subject Rights

Anyone whose data we hold has rights under UK GDPR, including the right to:

  • Access their data
  • Request correction or deletion
  • Object to processing
  • Restrict processing
  • Request data portability

Requests must be passed promptly to the Data Protection Lead. We aim to respond within one month.

12.  Training And Compliance

  • All trustees, staff, and volunteers handling personal data will receive basic data protection training.
  • This policy will be reviewed annually or when laws or working practices

13.  Breach Of Policy

Failure to follow this policy may result in disciplinary action and, in serious cases, legal consequences.

 

Last date of review: 14/08/25

Next date of review: 14/08/26