In a nutshell
Data privacy notice
This notice applies to the Parochial Church Councils (PCCs) of
- St Mark’s church, Ampfield;
- St Denys' church, Chilworth; and
- All Saints and St John the Baptist, North Baddesley.
The PCCs are the data controllers for personal data relevant to their churches. Unless otherwise stated, in this notice “PCC” refers to the three named PCCs, above. This website is run by the PCC of All Saints and St John the Baptist, North Baddesley. The PCC of North Baddesley is the data controller for the website and personal data relating to the website.
Personal data is data about a living person who can be identified from that data. Our processing of personal data is covered by the UK Data Protection Act 2018, and the General Data Protection Regulations (GDPR).
We use personal data that you share with us. We don’t get personal data from third parties. We don’t do any automated decision making based on your personal data.
How do we process your personal data?
The PCCs follow the rules for GDPR and the Data Protection Act. This means that we will keep personal data up-to-date; we store it securely and destroy it when we no longer need it; we only collect and keep the data we need; we protect personal data from loss and misuse, and make sure that personal data is only seen by those who are authorised and have a need to see it.
We use personal data for following purposes:
- To provide a voluntary service for the benefit of the public in our parishes;
- To administer the electoral roll and membership records;
- To fundraise and promote the interests of the church;
- To manage our employees and volunteers, including sharing information about rotas;
- To maintain our accounts and records (including dealing with gift aid applications); and
- If you agree, to inform you of news, events, activities and services running in the benefice.
What is the legal basis for us processing personal data?
GDPR and the Data Protection Act give different ways in which it is legal to process personal data.
- We ask for your consent to keep you informed about news, event, activities and services, to put you on our mailing lists. You can withdraw that consent at any time. When we send you emails, we may track whether you have opened the email or not to help us monitor and maintain our mailing list.
- We have a legal obligation to process some personal data - data in this category is:
- Information related to Gift Aid;
- Employment-related information, including social security; and
- Information we are required to process for social protection law (including data on Disclosure and Barring Service checks for employees and volunteers, and data on convictions relating to safeguarding matters), or a collective agreement.
- We have a legitimate interest in processing data relating to members of the worshipping community and those who volunteer with the church, for example to schedule events and arrange rotas.
- We have a legitimate interest in keeping limited data (IP addresses) in website logs to allow us to maintain the site and diagnose problems. We don’t use this data for any other purpose.
- We process data as a not-for-profit body with a religious aim; this processing relates only to members, former members, or those who have regular contact and we do not disclose information to third parties without consent. This allows us to process so-called “special category” data, which includes information such as religious beliefs.
Where is your personal data held?
Sensitive and special category data will be held on the church computer, which is password protected and has an encrypted (BitLocker) disk, or in paper records in the church safe.
We make use of third-party providers to store and manage some of our data. This data may be stored outside the UK. Most data is transferred to countries that are currently allowable under UK GDPR rules (countries for which there is an adequancy determination that they provide adequate safeguards for personal data):
- Our website is hosted by SiteGround, data is stored in a UK-based datacenter.
- Mail is stored or routed via SiteGround.
- Our contact forms are provided by Zoho. Zoho is headquartered in California in the USA. Our data is stored and processed in a European hosted datacentre.
- Our mailing lists are provided by Mailchimp. Mailchimp is headquartered in Atlanta in the USA. Mailchimp provides GDPR-compliant Standard Contractual Clauses for the storage and processing of our data.
- UK-hosted and church-managed accounts are used for sensitive information, such as safeguarding.
Some data may be transferred to countries for which there is no so-called adequacy regulation (in other words, the country is not regarded as having an adequate data-protection system).
- Information relating to members (e.g. volunteers and rotas) may be shared via third-party services such as Google Drive or with volunteers' own email services. We do not ask everyone who volunteers to have a church-provided email; we do ask volunteers to respect the principles of the GDPR and Data Protection Act when dealing with church business.
- Some information relating to weddings, funerals and baptisms may be shared within the church via third-party services such as Google Drive, Gmail and similar mail services which have datacentres outside the UK.
Use of social media
We publish content on platforms including YouTube, Facebook, Instagram, Twitter and Vimeo. Your use of these platforms is governed by their data protection policies. They may collect information about your use of their sites.
How long do we keep your personal data?
We follow the guidance set out in “Keep of bin: care of your parish records”.
We will normally keep data as follows:
- Electoral roll data, while it is still current;
- Gift aid declarations and associated information for up to six years after the calendar year to which they relate;
- Parish registers (baptisms, marriages and funerals) are kept permanently;
- Email and other information that you provide for subscribing to mailing lists (etc.) are kept for as long as you are subscribed; and
- Safeguarding information is kept for as long as legally required.
Unless subject to an exemption under the Data Protection Act or GDPR, you have the following rights:
- The right to request a copy of any personal data which the PCC holds about you.
- The right to request that the PCC corrects any personal data which is incorrect.
- The right to request that your personal data is erased. (In some cases we may have a legal obligation to retain some data.)
- The right to withdraw your consent for processing of your data, at any time.
- The right to request that the PCC provide you with your personal data and, where possible, to send that data directly to another data controller (this is known as the right to data portability). This only applies in certain circumstances.
- The right, where there is a dispute in relation to the accuracy or processing or your data, to request that further processing of your personal data be restricted.
- The right to object to the processing of your personal data. This only applies to some processing.
- The right to lodge a complaint with the Information Commissioner’s Office.
If we wished to use your personal data for a purpose not currently covered by this Privacy Notice, we will provide you with a new notice explaining this new use. We will do this before we start the new processing. If appropriate we will ask your consent.
For any questions, complaints, or to use any of your data protection rights, in the first instance please contact the North Baddesley parish administrator at firstname.lastname@example.org. If your query relates to another church, please tell us which church, so we can forward your message to the right person.
The ICO can be contacts on 0303 123 1113, via their website, or at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.