Deadline for applications: Sunday, 1 June 2025 (midnight).

The Hope Scott Trust Data Privacy Notice 

A Registered Scottish Charity No: SC016262 

Please read this Privacy Notice carefully before providing us with any information about you or  any other connected person. Where you provide information about another person, you should  first obtain their consent to do so. 

We have developed this Privacy Notice in accordance with the Data Protection Act 1998 and  Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation or GDPR.  Its purpose is to advise you of the personal information we may collect, for what purpose(s), how  we will use it, the lawful basis under which we may do this and your rights under the GDPR.  

1. The categories of data subject to the provisions of the GDPR 

Personal data (Article 4 of the GDPR) by which we mean information which identifies you as an  individual, or is capable of doing so.  

Special categories of personal data (Article 9 of the GDPR) by which we mean information  revealing your racial or ethnic origin, religious or philosophical beliefs, or data concerning your  physical or mental health, including the provision of health care services, which reveal information  about your health status. This data is protected by the GDPR and we need your explicit consent to  retain this data. 

2. Contact details and person responsible for Data Protection  

The Hope Scott Trust is registered with the Information Commissioner’s Office as a Data Controller,  reference No ZA338074. We have a responsibility to ensure that your personal information is  processed in accordance with this Privacy Notice and the above Regulations. 

If you would like to discuss anything in this Privacy Notice please contact Gillian Forsyth, Senior  Trust Administrator at Murray Beith Murray, who is the person responsible for Data Protection for  the Trust. You may contact her at 3 Glenfinlas Street, Edinburgh EH3 6AQ. Telephone 0131 225 1200 – Email gillian.forsyth@murraybeith.co.uk 

3. The personal data we may collect and the purposes for this. 

We process the following personal data on the legal basis of ‘Legitimate Interests’, and the  information below sets out further details on this processing.  

To consider a grant application, we may process the following information. – Contact information, such as your name, permanent address, telephone number and email address. 

– Individual information such as details of your current and previous relevant activities. – Financial information such as project costs, other sources of income, course fees, or maintenance  expenses for your studies and your bank account details for payment of any awards. 

4. The special categories of personal data we may collect and the purposes for this. 

We process any of the special categories of personal data referred to in part 1 above on the legal  basis of ‘Legitimate Interests with consent’, and the information below sets out further details on  this processing. 

To consider a grant application, we may process the following information – Any ‘special categories of personal data’, as described in part 1 above, which you disclose to us  in your application or other communications between us regarding your application.  

We will require your consent to receive, view and assess special categories of personal data. 5. Data Sharing 

We may share information with third parties where this is necessary to enable us to assess grant  applications and/or pay any sums to you or to allow us to comply with our legal or regulatory  obligations.  

We will not share your data with any third party for marketing purposes. The classes of third  parties with whom we will share your personal data, and the reason for this, are as follows. 

Trust administrators 

Records relating to the Trust activities are managed by Trust Administrators. We have an  agreement in place with the Trust Administrators to restrict their processing to administering the  legitimate purposes of the Trust. 

Public Bodies 

We may wish to share your data, including any supporting material which is submitted with your  application with the National Galleries of Scotland or equivalent organisation for archive purposes. 

Tax authorities 

We may have to share information with tax authorities, either directly with overseas authorities or  via Her Majesty’s Revenue and Customs who may share that information with the appropriate tax  authorities abroad. 

Our professional advisers 

Our appointed auditors, lawyers, accountants, other professional advisers may require access to our  records of grant applicants in order to provide us with advice. 

Your professional advisers or representatives 

Where you have appointed an advisor or representative to assist you with your application, we may  share information with them in relation to it. 

Charity Regulators 

We may be required to provide information to our Charity Regulator. 

6. The lawful basis upon which we process personal data and what this means 

Parts 3 and 4 include the lawful basis upon which we process personal data and special categories  of personal data. The following is a brief explanation of what the lawful basis means.  

The Lawful basis under EU directive 2014/65/EU Article 6, 1(f) Legitimate Interests means the  processing is necessary, without your explicit consent, for the legitimate business interests of the  Trust, unless these interests are overridden by your interests or fundamental rights. Our legitimate  business interests are explained in Part 3 of this privacy notice. 

We use your data to make judgements about your application. This is the core function of the  Trust. If you wish to object, please use the contact details in Part 2 to do so. 

We process ‘special categories of personal data’ under Legitimate Interests as described above, but  this is subject to Article 9 (a) Explicit consent because it is considered to be sensitive information which may cause harm to you if processed inappropriately. This means we will obtain your  consent to do so before processing any such information. 

You have the right to withhold your consent to us processing special categories of personal data  and, if this is the case, you should not disclose such data to us nor should you complete the  consent form. 

7. The retention periods for personal data 

We will retain grant application forms for a minimum of 7 years from the date of receipt, regardless  of whether a financial award was made. 

We will retain a database including details of applicants, whether or not these were successful,  indefinitely.  

8. Your rights as a data subject 

The GDPR provides you with the following rights in relation to your personal data: 

The right to be informed 

You have the right to be informed how your data will be processed and of your rights. The  required information is provided in this Privacy Notice. 

The right of access 

You have the right to obtain confirmation that your personal data is being processed and have  access to this. When requested by you, we must provide you with a copy of the information free of  charge within one month. However, we can charge a ‘reasonable fee’ when a request is manifestly  unfounded or excessive. We may also charge a reasonable fee to comply with requests for further  copies of the same information. Data access requests should be submitted using the contact details  in Part 1 of this Privacy Notice. 

The right to rectification 

You are entitled to have personal data rectified if it is inaccurate or incomplete. We must respond  to a request for rectification within one month. This can be extended by two months where the  request for rectification is complex. Data rectification requests should be submitted using the  contact details in Part 1 of this Privacy Notice. 

The right to erasure 

You may request the deletion or removal of your personal data where there is no compelling reason  for its continued processing. We may, however, decline the request where we have a legal or  regulatory obligation to retain the data, or where it is being used in the exercise or defence of a legal  claim. In such circumstances we will write to you explaining our reasons for declining your request  for the data to be erased. Data erasure requests should be submitted using the contact details in  Part 1 of this Privacy Notice. 

The right to restrict processing 

You have a right to ‘block’ or suppress the processing of your personal data. When processing is  restricted, we are permitted to store the personal data, but not to further process it. Data  suppression requests should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to data portability 

Individuals generally have the right to data portability. However, this only applies to personal data  where the processing is based on the legal basis of consent or for the performance of a contract; and  it is carried out by automated means. This right does not apply to the personal data that we  process, as this is processed on the legal basis of Legitimate Interests and processing is not carried out  by automated means. 

The right to object to processing or withdraw consent 

You have the right to object to your data being processed on the legal basis of Legitimate Interests  and the right to object to direct marketing and data profiling. You also have the right to withdraw  consent for us to process any personal data falling into the special categories. Objections to, or  withdrawal of consent for, data processing should be submitted using the contact details in Part 1 of  this Privacy Notice. 

The right to remedies, liabilities and penalties 

You have the right to report any concerns you have about the way we have processed your personal  data with the Information Commissioner’s Office. You may do this online at  https://ico.org.uk/concerns/handling/y or in writing to Information Commissioner’s Office, Wycliffe  House’ Water Lane’ Wilmslow, Cheshire, SK9 5AF. Telephone 0303 123 1113 (England) or 45  Melville Street, Edinburgh, EH3 7HL Tel: 0303 123 1115 (Scotland). 

9. The GDPR Principles 

The GDPR Principles apply to all entities in that control or process personal data on EU citizens and  form the basis for this privacy notice. The Principles require that personal data shall be: 

a) processed lawfully, fairly and in a transparent manner in relation to individuals; and b) collected for specified, explicit and legitimate purposes and not further processed in a  manner that is incompatible with those purposes; further processing for archiving purposes  in the public interest, scientific or historical research purposes or statistical purposes shall  not be considered to be incompatible with the initial purposes; and 

c) adequate, relevant and limited to what is necessary in relation to the purposes for which  they are processed; and 

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to  ensure that personal data that are inaccurate, having regard to the purposes for which they  are processed, are erased or rectified without delay; and 

e) kept in a form which permits identification of data subjects for no longer than is necessary  for the purposes for which the personal data are processed; personal data may be stored for  longer periods insofar as the personal data will be processed solely for archiving purposes in  the public interest, scientific or historical research purposes or statistical purposes subject to  implementation of the appropriate technical and organisational measures required by the  GDPR in order to safeguard the rights and freedoms of individuals; and 

f) processed in a manner that ensures appropriate security of the personal data, including  protection against unauthorised or unlawful processing and against accidental loss,  destruction or damage, using appropriate technical or organisational measures.

Registered Scottish Charity No: SC016262