GDPR Policy

Last updated: 15 May 2026

Effective date: 15 May 2026.

This GDPR Policy explains how Avela Global (AG), operating Ideas Made Real (IMR), approaches personal data where the EU General Data Protection Regulation, UK GDPR or materially similar European data-protection requirements apply. It should be read with the IMR Privacy Policy, Cookie Policy and Applicant Registration Terms and Conditions.

1. Scope

This policy may apply where an individual is located in the European Economic Area or United Kingdom, where AG offers programme-related services to such individuals, where website tracking is directed to them, or where an applicable contract or law requires GDPR-standard handling.

IMR is principally a GCC programme. Nothing in this policy limits rights that an individual may have under applicable UAE, GCC, EU, UK or other mandatory data-protection law.

2. Controller details

Controller: Avela Global. Programme: Ideas Made Real (IMR). Contact: privacy@avelaglobal.com. Registered office: [insert registered office address].

Where a third-party provider, production company, university, sponsor, venue, technology provider or delivery partner determines its own purposes and means of processing, that party may be an independent controller. Where it processes data on AG’s instructions, it will be treated as a processor subject to appropriate contractual controls.

3. GDPR principles

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality;
  • accountability.

4. Lawful bases

| Processing activity | Indicative lawful basis |
| --- | --- |
| Registration, applicant account, eligibility checks and programme communications | Contract or pre-contractual steps; legitimate interests; legal obligation where applicable. |
| Assessment, scoring, shortlisting, mentoring and finalist selection | Legitimate interests in running a fair, auditable programme; contract or pre-contractual steps. |
| Safeguarding, welfare, emergency or incident handling | Vital interests; legal obligation; substantial public interest or explicit consent where applicable. |
| Applicant idea review for commercial viability and feasibility | Legitimate interests and pre-contractual steps, limited strictly to programme assessment and support purposes. |
| Marketing, PR, documentary, photography, video or public storytelling involving identifiable individuals or applicant ideas | Consent or specific release, unless another lawful basis clearly applies and is documented. |
| Website analytics and non-essential cookies | Consent where required; legitimate interests for strictly necessary security and operational cookies. |
| Legal claims, audit trails, selection integrity and dispute management | Legitimate interests; legal obligation; establishment, exercise or defence of legal claims. |

5. Special category data and children/minors

AG will avoid collecting special category data unless necessary. Where such data is required for safeguarding, accessibility, health, emergency, media, welfare or legal reasons, AG will apply additional safeguards and will rely on a suitable Article 9 condition or equivalent lawful basis where GDPR applies.

If a participant is treated as a minor under applicable law, AG may require verifiable parent or guardian consent and may restrict activities until safeguarding and consent requirements are satisfied.

6. Individual rights under GDPR-standard handling

Subject to legal limits and verification, an individual may have the right to:

  • access personal data held about them;
  • correct inaccurate or incomplete data;
  • request erasure where there is no overriding lawful reason to retain it;
  • restrict processing in certain circumstances;
  • object to processing based on legitimate interests or direct marketing;
  • receive certain data in a structured, commonly used and machine-readable format;
  • withdraw consent where processing is based on consent;
  • complain to a relevant supervisory authority.

These rights may be limited where AG must keep records for selection integrity, auditability, safeguarding, legal claims, regulatory compliance, insurance, dispute handling, or the rights and freedoms of others.

7. Response process

Requests should be sent to privacy@avelaglobal.com. AG will normally respond within one month where GDPR applies, subject to permitted extensions for complex or multiple requests. AG may ask for identity verification and clarification of the request.

8. International transfers

Where GDPR applies and personal data is transferred outside the EEA or UK, AG will use appropriate safeguards where required, which may include adequacy decisions, standard contractual clauses, international data-transfer agreements, transfer risk assessments, technical safeguards, role-based access, encryption, pseudonymisation or other lawful transfer mechanisms.

9. Processors and partner controls

AG will require processors handling GDPR-relevant personal data to process data only on documented instructions, maintain confidentiality, apply appropriate security, assist with rights requests and breach management, restrict sub-processing, return or delete data at the end of services, and support audit or assurance where reasonably required.

10. Data protection by design

  • using only data required for the relevant IMR purpose;
  • separating sensitive records from scoring records where practical;
  • using anonymised or aggregated reporting to sponsors wherever possible;
  • restricting access to scoring, mentor notes, safeguarding records and applicant materials;
  • requiring separate media/documentary consent before public use of identifiable content or applicant ideas;
  • maintaining audit trails for selection and decision-making.

11. Personal data breaches

AG will assess suspected personal data breaches promptly. Where GDPR applies and a breach is likely to result in a risk to individuals, AG will notify the relevant supervisory authority within the required timeframe where legally required. Where a breach is likely to result in a high risk to affected individuals, AG will notify affected individuals where legally required.

12. Automated decision-making and profiling

AG does not intend to make final selection, finalist or winner decisions based solely on automated processing that produces legal or similarly significant effects. Programme decisions are subject to human review, governance, scoring, moderation and documented approvals.

13. Applicant ideas and public use

Applicant ideas remain the applicant’s intellectual property. Under GDPR-standard handling, application materials and venture details will not be used for marketing, PR, documentary, sponsor promotion, public storytelling or publication without a separate written consent or release route and appropriate confidentiality/IP controls.

14. Contact and complaints

Privacy contact: privacy@avelaglobal.com

Individuals may also have the right to contact the data protection authority in their country of residence or the place of alleged infringement, where GDPR applies.