Data Protection & GDPR Compliance Statement
This statement is intended for school IT departments, Data Protection Officers and senior leadership assessing SportsDayPro before processing pupil data. It complements the Privacy Policy and summarises the key facts a school needs for its own data-protection records (including a Data Protection Impact Assessment, DPIA).
SportsDayPro is operated by SportsDayPro (sole trader Ralph Barlow), United Kingdom. Contact: info@sportsdaypro.com.
1. Controller / processor relationship
- The school is the data controller.
- SportsDayPro (sole trader Ralph Barlow) is the data processor, processing personal data solely on the school's documented instructions.
- A Data Processing Agreement incorporating the terms required by Article 28 UK GDPR is entered into with each school. The core Article 28 commitments are set out in §7 below.
2. Categories of data subject and personal data
- Data subjects: pupils, parents/guardians, and school staff.
- Personal data: identity and contact details, school groupings (year/form/house), event entries and athletic results, account/authentication data, and technical/log data. Full detail is in §2 of the Privacy Policy.
- Special category data: none is required or intentionally processed. Sex/competition category is processed only to organise sex-categorised events.
3. Purpose and lawful basis
Personal data is processed only to deliver sports-day management functionality to the school (event organisation, results, records, certificates, parent/pupil access, staff administration). We process under the contract with the school; the school determines its own lawful basis (typically public task).
We do not sell data, serve advertising, or perform profiling/automated decision-making.
4. Data storage location and residency
| Item | Detail |
|---|---|
| Cloud provider | Microsoft Azure |
| Region | UK South (Microsoft UK data centres) |
| Application tier | Azure App Service |
| Data tier | Azure SQL Database |
| Data residency | United Kingdom — no transfer outside the UK |
| International transfers | None. Optional sub-processors operate under UK/EEA data residency. |
5. Security measures (Article 32)
- TLS/HTTPS for all data in transit.
- Encryption at rest via Azure SQL Transparent Data Encryption.
- Multi-tenant isolation enforced at the database layer by row-level security with fail-closed predicates, so a school can never access another school's data — backed by application-layer ownership checks (defence in depth).
- Role-based access control (Student / Staff / Admin permission tiers).
- Salted password hashing; support for Microsoft and Google single sign-on.
- Least-privilege production access and audit logging.
- Regular patching of the underlying platform (managed Azure PaaS).
6. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Hosting and database | UK (UK South) |
| Microsoft (Microsoft Graph) | Email / calendar from the school's own mailbox — only if enabled and consented by the school | UK/EEA |
| OAuth sign-in — only if a user chooses it | UK/EEA |
Schools are notified of changes to sub-processors and may object.
7. Article 28 processor commitments
As processor we commit to:
- Process personal data only on the school's documented instructions.
- Ensure persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (§5).
- Engage sub-processors only under equivalent obligations and with the school's general authorisation, notifying changes.
- Assist the school with data-subject rights requests and with its DPIA / security / breach-notification obligations.
- Notify the school without undue delay on becoming aware of a personal data breach.
- Delete or return all personal data at the end of the engagement (default: deletion within 30 days), save where UK law requires retention.
- Make available the information necessary to demonstrate compliance and allow for audits.
8. Data subject rights
Because we are a processor, rights requests (access, rectification, erasure, restriction, portability, objection) are handled by the school, which instructs us. We provide tools/assistance to export or delete data so the school can respond within statutory timeframes.
9. Retention and deletion
Data is retained for as long as the school needs it. On request, or on termination, the school's data is exported and/or deleted within a reasonable period (default 30 days).
10. Breach notification
We maintain detection and response procedures and will notify the affected school without undue delay of any breach affecting its data, providing the information the school needs to meet its own ICO and individual-notification duties.
11. Regulator and contact
- Supervisory authority: Information Commissioner's Office (ICO), United Kingdom — ico.org.uk.
- Data protection contact at SportsDayPro: info@sportsdaypro.com.
This statement is provided to assist schools' due diligence and does not constitute legal advice. Schools remain responsible for their own data-protection compliance as controller.