- Your personal data – what is it?
“Personal Data” is any information relating to an identified or identifiable natural living person, commonly referred to as the ‘data subject’. Identification can be by the information alone or in conjunction with any other information that the data controller may possess or be likely to obtain. The processing of personal data is governed by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
- Who are we?
The Parochial Church Council (PCC) of St. Paul’s with St. Agatha’s, Woldingham is the data controller for your data. This means that it decides how your personal data is processed and for what purposes. The PCC works in close conjunction with the incumbent of the parish that is, our Team Vicar. We may need to share personal data we hold with the incumbent so that they can carry out their responsibilities. The incumbent acts as joint data controller for your data. This means we are both responsible to you for how we process your data.
This Privacy Notice is provided to you by the PCC on behalf of the PCC and on behalf of the incumbent as joint data controllers. In the rest of this Privacy Notice we use the word “we” to refer to the joint data controllers.
- How do we process your personal data and what is the legal basis of processing your data?
The data controllers will comply with their legal obligation to keep personal data up to date; to store and destroy it securely; to not collect or retain excessive amounts of data; to keep personal data secure; to protect personal data from loss, misuse, unauthorised access and disclosure; and to ensure that appropriate technical measures are in place to protect personal data.
We use your personal data for some or all of the below purposes.
As a visitor:
- To send you communications which you have requested and that may be of interest to you. These may include our newsletter, and information about campaigns, events and other fundraising activities (by email and/or hard copy);
- To process photos taken of you, with your consent, which we may use to publicise our activities;
As a participant in a church service relating to a life event:
- Where you are enquiring about or participating in life events such as a baptism, marriage or funeral then we will process your contact information and other personal information relating to the event, which constitutes processing necessary for our legitimate interests, or processing in compliance with a legal obligation(for example we are required to announce forthcoming weddings by means of Wedding Banns);
- For reasons of pastoral care or support we may contact you and or make you aware of other courses or events which you may be interested in (for example an All Souls service Easter or Christmas Services, marriage course), which constitutes data processing under the lawful basis of legitimate interests.
As a member on the electoral roll or as an individual or family who are church members:
- Your contact details will be collected and may be used for pastoral or discipleship purposes; and to promote the activities and interests of the Church and charity, which constitutes processing under lawful basis of legitimate interests;
- If you join the electoral roll, your title, name and address along with a declaration are legally required to fulfil Church Representation Rules 2017 (CRR);
- If you sign up as a volunteer on a rota your contact information may be shared with others on the list to enable volunteers to swap duties which is processing under the lawful basis of legitimate interests;
- If you consent to being part of our church directory, your contact information will be shared with other church directory recipients;
- Your personal information relating to demographics may be collected and used to support the development of our mission, which constitutes processing under lawful basis of legitimate interests;
- Your financial information, such as bank account and card numbers, relating to planned donations and reclaiming gift aid. We may share these details with third parties, such as HMRC, under the lawful basis of legal obligation, and we may contact you in relation to further fundraising opportunities under the lawful basis of legitimate interests.
As a user of a church building:
- Where you are enquiring about or using our buildings we will process your contact information and payment information under the lawful bases of legitimate interest, or, in cases where you hire our facilities, contractual necessity;
As a paid employee or contractor working on behalf of the PCC:
- We will process your data under lawful bases of legitimate interest, contractual and legal obligations for legal, personnel, administrative and management purposes. Where we process sensitive personal data, we may rely on a number of lawful bases, including (but not limited to) your consent, or processing necessary for the purposes of exercising or performing any right or obligation relating to your employment.
- We may process sensitive personal data including, as appropriate:
- information about your physical or mental health or condition in order to
monitor sick leave and take decisions as to your fitness for work;
- your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
- information in order to comply with legal requirements and obligations to third parties.
As a trustee including a member of the PCC, church warden, PCC secretary and deanery synod representative:
- Your contact details will be processed to enable registration and update of the Diocesan directory and or with the Charity Commission, which is processing under lawful bases of legal obligation and legitimate interests.
- We may collect and process data relating to your ability and suitability regarding the trustee role as part of our due diligence, which is processing under the lawful basis of legitimate interests.
As a person requiring a Disclosure and Barring Service (DBS) check due to working with children or vulnerable adults:
- Your contact details and any other relevant documents as required for a DBS check will be processed under the lawful bases of legitimate interests, and processing necessary for the safeguarding of children and of individuals at risk.
In addition to the above, the data we process is likely to constitute sensitive personal data because, as a church organisation, the fact that we process your data at all may be suggestive of your religious beliefs. Where you provide this information, we may also process other sensitive personal data.
Religious organisations are permitted under GDPR to process information about your religious beliefs to administer membership or contact details.
In circumstances where your personal data is used on the basis of obtaining your consent, you may indicate your consent in a number of ways, including, as permitted by law, ticking a box (or equivalent action) to indicate your consent.
- Sharing your personal data
Your personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks or where you give us your prior consent.
It is likely that we will need to share your data with some or all of the following (but only where necessary):
- Other members of the congregation to carry out a service for your benefit or where it is in the legitimate interest of the Church. For example, sharing contact details on a rota to enable swapping of duties;
- Our agents, servants and contractors. For example, we use a third party to process our DBS checks and we may also ask a commercial provider to send out newsletters on our behalf, or to maintain our database software;
- Other clergy or lay persons nominated or licensed by the bishops of the Diocese of Southwark to support the mission of the Church in our parish. For example, our clergy are supported by our area dean and archdeacon, who may provide confidential mentoring and pastoral support.
- Assistant or temporary ministers, including curates, deacons, licensed lay ministers, commissioned lay ministers or persons with Bishop’s Permission To Officiate (PTO) who may participate in our mission in support of our regular clergy.
- As a trustee including a member of the PCC, church warden, PCC secretary and deanery synod representative your contact details will be shared with the Diocese of Southwark and or the Charity Commission.
- In accordance with our Diocesan Safeguarding Policy “A Safe Church” personal data relating to safeguarding may be shared confidentially between the Parish Safeguarding Officer and the Diocesan Safeguarding team.
- How long do we keep your personal data?
We keep data in accordance with the guidance set out in the guide “Save or Delete: the Care of Parish Records” which is available from the Church of England website at https://www.churchofengland.org/more/libraries-and-archives/records-management-guides. We will only keep data for as long as we need it, however we may keep some records permanently if we are required to do so.
Where we no longer need to process your personal data for the purposes set out in this Privacy Notice, we will delete your personal data from our systems.
- Your rights and your personal data
To exercise your rights, please send your request to us in writing (using the contact details below). When exercising your rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights:
- The right to access information we hold on you
- The right to correct and update the information we hold on you
- The right to have your information erased: In the case that you request that we erase the data we hold, we will confirm whether the data has been deleted or the reason why it cannot be deleted (e.g. because we need it for our legitimate interests or a regulatory purpose).
- The right to object to processing of your data.
- The right to data portability.
- The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought.
- The right to object to the processing of personal data where applicable.
- The right to lodge a complaint with the Information Commissioner’s Office.
7. Transfer of Data Abroad
Any electronic personal data transferred to countries or territories outside the European Economic Area (EEA) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data may be accessed from overseas. We take all reasonable steps to ensure that your personal data is processed securely and will only transfer your personal data outside the EEA where it is compliant with applicable data protection legislation and the means of transfer provides adequate safeguards in relation to your personal data.
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact Details
Please contact us if you have any questions about this Privacy Notice or the information we hold about you or to exercise all relevant rights, queries or complaints at: The Data Controller, email: firstname.lastname@example.org
If you are unhappy with how your personal data has been processed, you have the right to lodge a complaint with the Information Commissioners Office at any time. You can contact the Information Commissioners Office on 0303 123 1113 via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.