Responsive image

Data Protection Statement

As part of the application for a grant it is necessary to collect and process personal data. Further information on how we do this in compliance with the latest data protection legislation can be found below.


My personal data is data which by itself or with other data available to you can be used to identify me. You are Santander UK Foundation Limited registered with the Charity Commission for England and Wales (charity number 803655) and registered company number 2509711. Santander UK Foundation Limited is the data controller and is part of the Santander Group. This data protection statement sets out how you’ll use my personal data. I can contact your Data Protection Officer (DPO) at 201 Grafton Gate East, Milton Keynes, MK9 1AN if I have any questions.

Where there are two or more people named on this form, this data protection statement applies to each person separately.

The types of personal data you collect and use

Whether or not my application for a grant is successful, you’ll use my personal data for the reasons set out below. You’ll collect most of this directly during the application journey. The sources of personal data collected indirectly are mentioned in this statement. The personal data you use may include:

  • Full name and personal details including contact information (e.g. charity, Community Interest Company or credit union address, email address, and telephone number);
  • Personal data about other named applicants. I must have their authority to provide their personal data to you and share this data protection statement with them beforehand together with details of what I’ve agreed on their behalf.

Providing my personal data

You’ll tell me if providing some personal data is optional, including if you ask for my consent to process it. In all other cases I must provide my personal data so you can process my grant application.

Monitoring of communications

Subject to applicable laws, you’ll monitor and record my calls, emails, text messages, social media messages and other communications in relation to my dealings with you. You’ll do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of your communications systems and procedures, to check for obscene or profane content, for quality control and staff training, and when you need to see a record of what’s been said.

Using my personal data: the legal basis and purposes

You’ll process my personal data:

  1. As necessary to perform your contract with me for the relevant account, policy or service:
    1. To take steps at my request prior to entering into it;
    2. To decide whether to enter into it;
    3. To manage and perform that contract;
    4. To update your records; and
  2. As necessary for your own legitimate interests or those of other persons and organisations, e.g.:
    1. For good governance, accounting, and managing and auditing your business operations;
  3. As necessary to comply with a legal obligation, e.g.:
    1. When I exercise my rights under data protection law and make requests;
    2. For compliance with legal and regulatory requirements and related disclosures;
    3. For establishment and defence of legal rights;
    4. For activities relating to the prevention, detection and investigation of crime;
    5. To verify my identity, fraud prevention and anti-money laundering checks; and
    6. To monitor emails, calls, other communications, and activities relating to my dealings with you.

I’m free at any time to change my mind and withdraw my consent. The consequence might be that you can’t do certain things for me.

Sharing of my personal data

Subject to applicable data protection law you may share my personal data with:

  • The Santander group of companies* and associated companies in which you have shareholdings;
  • Sub-contractors and other persons who help you provide your products and services;
  • Companies and other persons providing services to you (e.g. CC Works and Charitable Giving who work on behalf of Santander);
  • Your legal and other professional advisors, including your auditors;
  • Fraud prevention agencies, when you consider my grant application;
  • Government bodies and agencies in the UK and overseas (e.g. HMRC who may in turn share it with relevant overseas tax authorities and with regulators e.g. the Prudential Regulation Authority, the Financial Conduct Authority, the Information Commissioner’s Office);
  • Courts, to comply with legal requirements, and for the administration of justice;
  • In an emergency or to otherwise protect my vital interests;
  • To protect the security or integrity of your business operations;
  • To other parties connected with my charity, Community Interest Company or credit union e.g. other people named on the application;
  • When you restructure or sell your business or its assets or have a merger or re-organisation;
  • Market research organisations who help to improve your products or services; and
  • Anyone else where you have my consent or as required by law.

International transfers

My personal data may be transferred outside the UK and the European Economic Area. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards apply to it. These include imposing contractual obligations of adequacy or requiring the recipient to subscribe or be certified with an ‘international framework’ of protection. Further details can be found in the ‘Using My Personal Data’ booklet.

Criteria used to determine retention periods (whether or not I am awarded a grant)

The following criteria are used to determine data retention periods for my personal data:

  • Retention in case of queries. You’ll retain my personal data as long as necessary to deal with my queries (e.g. if my application is unsuccessful);
  • Retention in accordance with legal and regulatory requirements. You’ll retain my personal data after my account, policy or service has been closed or has otherwise come to an end based on your legal and regulatory requirements.

My rights under applicable data protection law

My rights are as follows (noting that these rights don’t apply in all circumstances and that data portability is only relevant from May 2018):

  • The right to be informed about your processing of my personal data;
  • The right to have my personal data corrected if it’s inaccurate and to have incomplete personal data completed;
  • The right to object to processing of my personal data;
  • The right to restrict processing of my personal data;
  • The right to have my personal data erased (the “right to be forgotten”);
  • The right to request access to my personal data and information about how you process it;
  • The right to move, copy or transfer my personal data (“data portability”); and

I have the right to complain to the Information Commissioner’s Office. It has enforcement powers and can investigate compliance with data protection law:

For more details on all the above I can contact your DPO or request the ‘Using My Personal Data’ booklet by asking for a copy in branch or online at

Data anonymisation and aggregation

My personal data may be converted into statistical or aggregated data which can’t be used to identify me, then used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described above.

*Group companies

For more information on the Santander group companies, please see the ‘Using My Personal Data’ booklet available from any Santander branch.