Data Protection and Privacy

Our GDPR Policies

The Canadian Centennial Scholarship Fund (CCSF) is committed to meeting the European Union General Data Protection Regulation (GDPR) requirements, effective 25 May 2018. The CCSF is a UK Charity that exists to award scholarships to Canadian citizens who are in need of such assistance to enable them to study or obtain education or training in the United Kingdom.

The CCSF respects your privacy and takes protecting it very seriously. Any personal information you provide to us is held in strict confidence. Our policies are set out in this document. If you have any concerns, questions or wish to ask us not to hold your information, please write to us at

CCSF Privacy Policy

For the purposes of the GDPR, the Data Controller is the CSSF. This Policy sets out why we collect your personal information and how we use that information. We may change this Policy from time to time. If we make any significant changes we will advertise this on the website or contact you directly to explain any changes.

Type of personal information we collect
In fulfilment of its obligations, the CCSF collects personal information about applicants for the award of its scholarships. The information we collect when you apply as a potential candidate for a CCSF award is set out in the application form. We also collect personal information about supporters and donors (name, email address, affiliation).  We collect information only when you provide it to us directly in support of the CCSF’s purposes. We explicitly ask for your consent to retain your information and your information is used solely for fulfilling the purposes of the CCSF.

How we collect information
We may collect your personal information from you when you contact us or have any involvement with us, e.g. when you enquire about our activities, submit an application, volunteer for us, attend a meeting, or take part in our events.

Where we collect information
Scholarship applicant information is collected when it is emailed to the CCSF at applicant is explicitly asked to consent to CCSF’s collection of their personal data at the time the application is submitted.  Supporter, donor and any other individual personal information is collected at the point that contact is made with the CCSF using any method, with the consent of the individual.

How we use your information
The CCSF will share your information only with Trustees/Members of the CCSF and the Maple Leaf Trust (MLT), the main source of funding for the CCSF. We will share your personal information with designated data processors, e.g. our bank, only to fulfil the purposes of the CCSF and only when we have received your consent.

We use your personal information in a number of ways which may include: evaluating scholarship applications, transferring funds into scholarship recipient bank accounts, emailing approved photos and academic profile to the MLT, donors and other supporters, posting your academic profile online with your explicit permission, organising activities you have told us you want to be involved in, seeking your views on our activities, or maintaining our organisational records and ensuring we know how you prefer to be contacted.

In the event that an application for a scholarship is successful, the CCSF and the MLT may wish to publicise the award. Scholarship recipients must agree to have their details including a photograph released in order to receive an award. The CCSF will occasionally seek explicit permission from an individual to prepare a scholarship holder profile which it hosts at its website. The CCSF maintains a record of the purposes for which we process the personal information that we hold.

Legal basis for processing your information
The use of your information for the purposes set out above complies with the provisions of the GDPR, click hereand the purposes of the CCSF. If you want to contact us about your preferences regarding the purposes for which we process your information, please contact us at

How we keep your information safe
We understand the importance of the security of your personal information and take appropriate steps to safeguard it. See our Data Protection Policy below.We do not collect and retain sensitive personal information, we will not share your information without your explicit permission, and we do not collecting information about children as defined under the GDPR.

Who has access to your information
Only persons authorised by the CCSF Data Controller have access to your information and we ensure that they are appropriately trained to manage your information. No data transmission over the internet can be guaranteed to be 100% secure. While we strive to safeguard your information, we cannot guarantee the security of any information you provide online – you do this at your own risk.

When we contract with a third party, for example, to support our website, mailings, events, processing donations, undertaking financial transactions, we provide them with only the information that is necessary to provide their service or function and we ensure that an agreement is in place that requires them to operate with the same care over data protection as we do. We may disclose your personal information if we are required to do so under any legal obligation, but we will not otherwise share your information without your consent. We do not use ‘cookies’. If this should this change, we will advise you via our website and updating of our policy.

Keeping your information up to date
We will appreciate it if you let us know when your contact details change. Contact us at

How long we keep your information for
We hold your personal information for as long as it is necessary for the relevant purpose of the CCSF, see our Data Protection Policy below. Periodically, we may ask you to renew your consent. If you ask us to stop contacting you, we will keep a record of your contact details and limited information needed to comply with your request.

Your rights
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain can be found here.

Please check this Policy each time you consider giving your personal information to us.

Updated 18 May 2018

CCSF Data Protection Policy

The Canadian Centennial Scholarship Fund (CCSF) is the Data Controller for the purposes of the European Union General Data Protection Regulation (GDPR).This policy is intended to ensure that your personal information is dealt with properly and securely and in accordance with the GDPR and other related legislation. It will apply to information regardless of the way it is used or recorded and applies for as long as the information is held.

The GDPR applies to all computerised data and manual files if they come within the definition of a filing system. Broadly, a filing system is one where the data is structured in some way that is searchable on the basis of specific criteria (e.g. so you would be able to use an individual’s name to find their information) and, if this is the case, it does not matter whether the information is located in a different physical location.

CCSF Data Collection and Uses
The CCSF normally collects and processes personal information about the following categories of individuals:

  • Volunteers including Trustees and Members
  • Potential Beneficiaries
  • Beneficiaries
  • Individually named Bursars/Postgraduate Department Contacts of UK and overseas Universities, Colleges and Conservatories which provide information about our Scholarships or which offer alternative sources of funds for students.
  • Supporters and other individuals who come into contact with the CCSF.

The CCSF will process your personal information in ways that may include: evaluating scholarship applications, transferring funds into scholarship recipient bank accounts, emailing approved photos and profiles to the MLT, donors and other supporters, posting your profile online with your explicit permission, organising activities you have told us you want to be involved in, seeking your views on our activities, or maintaining our organisational records and ensuring we know how you prefer to be contacted.

We will also process your personal information to comply with statutory and other legal obligations relating to safeguarding.

Personal Data Definitions
‘Personal data’ is information that identifies an individual, and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. A sub-set of personal data is known as ‘special category personal data’ and the CCSF does not collect or process such data. For definitions click here.

Data Protection Principles
The data protection principles as laid down in the GDPR are followed by the CCSF at all times. These principles mean that the CCSF will inform individuals as to the purpose of collecting any information from them, as and when we ask for it; be responsible for checking the quality and accuracy of the information; regularly review our records to ensure that information is not held longer than is necessary, and that it is held in accordance with the GDPR.

The Right to Request Details
You have the right to request details of the data processing activities that we carry out with your personal information by making a Subject Access Request which is subject to various legal provisions.  To make a request contact us at We will deal with any request with minimum delay and at the latest within one month of receipt and subject to .

Your Additional Rights
These rights include:

  • the right to request rectification of information that is inaccurate or out of date;
  • the right to erasure of your information (known as the “right to be forgotten”);
  • the right to restrict the way in which we are dealing with and using your information; and
  • the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
  • rights in relation to automated decision making and profiling including profiling for marketing purposes.

All of these rights are subject to certain safeguards and limits or exemptions under the GDPR. To exercise any of these rights, please contact

Records Retention Policy
The CCSF holds personal data of successful applicants for the duration of the award (normally one or two years). Files of unsuccessful applicants will be destroyed ten months following the application deadline. CCSF will ensure that when information is authorised for disposal it is done appropriately and that appropriate security measures to safeguard personal information are in place.

Conditions for Data Processing
The CCSF will ensure that you give consent that is specific to a particular type of processing activity, and that consent is informed, unambiguous and freely given as well as necessary for the performance of the CCSF’s purposes. The processing must be necessary for a legitimate interest of the CCSF or of a third party, except where this interest is overridden by the rights and freedoms of the individual concerned.

Disclosure of Personal Data
The most usual reasons that the CCSF will authorise disclosure of personal data to a third party are to carry out its purposes, e.g. payment of scholarship award or to give a confidential reference relating to a current or former scholar or volunteer.

The CCSF may receive requests from third parties (i.e. other than the data subject, the CCSF or MLT) to disclose personal data it holds about individuals. This information will not generally be disclosed unless a specific exemption under the GDPR which allows disclosure applies, or where disclosure is necessary for the legitimate interests of the third party concerned or the CCSF. All requests for the disclosure of personal data must be sent to the Data Controller at

Security of Personal Data
The CCSF will take reasonable steps to ensure that those authorised by the Data Controller to access personal data have access only to that which is necessary for them to carry out their duties. Any individual who is authorised will be made aware of this Policy and their duties under the GDPR. The CCSF will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons. Your data is held using an Cloud service (currently Dropbox) in a password protected folder. Hard copy applications of past successful scholars are held securely at the offices of Blakes, Cassels and Graydon LLP, in London England

Other Rights of Individuals
The CCSF has an obligation to comply with the rights of individuals under the GDPR, and takes these rights seriously.

Right to object to processing
You have the right to object to the processing of your personal data on the grounds of pursuit of a public interest or legitimate interest where you do not believe that those grounds are made out. Where such an objection is made, it must be sent to the Data Controller at The Data Controller will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings. The Data Controller is responsible for notifying you of the outcome of their assessment within 7 working days of receipt of the objection or as close to this as possible since CCSF is voluntary association.

Where your personal data is being processed for any of the purposes of the CCSF, you have the right to object at any time to the processing of personal data and your personal data will no longer be processed by the CCSF.

Right to rectification
You have the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and your will be notified.

Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. The individual shall be given the option of a review under the complaints procedure, or an appeal direct to the Information Commissioner.

You also have a right to have incomplete information completed by providing the missing data, and any information submitted in this way will be updated without undue delay.

Right to erasure
You have a right, in certain circumstances, to have your data permanently erased without undue delay. This right arises:

  • where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed;
  • where consent is withdrawn and there is no other legal basis for the processing;
  • where an objection has been raised under the right to object, and found to be legitimate;
  • where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);
  • where there is a legal obligation on the CCSF to delete.

The Data Controller will make a decision regarding any application for erasure of personal data, and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other controllers, and/or has been made public, reasonable attempts to inform those controllers of the request shall be made.

Right to restrict processing
Processing of an individual’s personal data may be restricted:

  • where the accuracy of data has been contested, during the period when the Charity is attempting to verify the accuracy of the data;
  • where processing has been found to be unlawful, and the individual has asked that there be a restriction on processing rather than erasure;
  • where data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defence of a legal claim;
  • where there has been an objection made, pending the outcome of any decision.

Right to portability
If you want to send your personal data to another organization, you have a right to request that CCSF provide that information in a structured, commonly used, and machine readable format. A request for this should be made to the Data Controller at

Breach of any Requirement of the GDPR
Any breaches of the GDPR, including a breach of any of the data protection principles, shall be reported as soon as it is discovered, to the CCSF Data Controller.

The CCSF Chair will assess:

  • the extent of the breach;
  • the risks to the data subjects as a consequence of the breach;
  • any security measures in place that will protect the information;
  • any measures that can be taken immediately to mitigate the risk to the individuals.

Unless the Data Controller concludes that there is unlikely to be any risk to individuals from the breach, it will be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the Charity, unless a delay can be justified due to the voluntary nature of the CCSF.

The Information Commissioner will be told:

  • details of the breach, including the volume of data at risk, and the number and categories of data subjects;
  • the contact point for any enquiries.
  • the likely consequences of the breach;
  • measures proposed or already taken to address the breach.

If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals then the Data Controller will notify data subjects of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.

Data subjects will be told:

  • the nature of the breach;
  • who to contact with any questions;
  • measures taken to mitigate any risks.

The Data Controller will then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure will be reviewed by the CCSF Trustees and a decision made about implementation of those recommendations.

If you have any concerns or questions in relation to this policy, please contract This policy will be updated as necessary and will be reviewed annually.

Policy Updated 18 May 2018

CCSF Data Protection Processes

CCSF undertakes to adhere to its Privacy Policy and Data Protection Policy. The CCSF has reviewed and updated it policies and procedures prior to the implementation of the GDPR. It has assessed these policies and procedures and determined that its collection and processing of personal data of data subjects meets the required standards of the GDPR, that data collection and processing are in line with the CCSF’s purposes, that its policies and procedures yield benefit for scholarship recipients, and that the risk of data breaches is minimal and unlikely to create harm for the Data Subjects for whom it holds personal information.

The CCSF ensures that:

  • Existing and new Trustees/Members are informed of its Privacy Policy, Data Protection Policy and associated practices.
  • That data holdings are reviewed annually and deleted as appropriate (normally unsuccessful CCSF scholarship applications are deleted within ten months following the application deadline.
  • All retained data are held in a central password protected Dropbox folder or as emails by those authorised by the Data Controller (Trustees/Members of CCSF) and one additional volunteer who supports the activities of CCSF and is explicitly so authorized by the Chair of CCSF in writing.
  • Any hardcopy information containing personal data is reviewed annually and retained only if it is required to enable CCSF to fulfill its purposes. It is retained only by those authorised by the Data Controller (Trustees/Members of CCSF).
  • The data collected and held by CCSF and its data processing are not deemed likely to result in high risk to individuals. CCSF is not involved in deploying new technologies, does not engage in profiling and does not process special categories of data. CCSF therefore does not conduct Data Protection Impact Assessments.

If you have questions about our processes, please contact

Updated 18 May 2018