1. Your personal data – what is it?
Personal data is any information (either electronic or on paper) relating to a living individual who can be identified from that data. The way we deal with personal data is governed by the General Data Protection Regulation (GDPR).2. Who are we?
We are St James’ Church, Devizes. Our legal governing body is the Parochial Church Council of the Ecclesiastical Parish of St James’ Southbroom, Devizes, which is a registered charity number 1134059 and they are the data controller (and so make decisions on how your personal data is processed and for what purposes). The vicar of St James’, Devizes when acting as a data controller also works under this policy.
In order to help you to exercise your rights in relation to your data we have appointed a Data Protection Champion. You can contact him with any enquiries relating to this statement or how we use information about you, including if you would like us to stop contacting you.
Details of how to contact us are at the end of this statement.3. How do we process your personal data?
We comply with our obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use personal data for the following purposes: -
4. What is the legal basis for processing your personal data?
- To enable us to provide a voluntary service for the benefit of the public in Devizes and the surrounding area;
- To co-ordinate our pastoral work;
- To administer membership and electoral roll records;
- To fundraise and promote the charitable interests of the church;
- To manage our employees and volunteers;
- To maintain our own accounts and records (including the processing of gift aid applications);
- To inform you of news, events, activities and services running at St James’, Devizes;
- To fulfil our legal and professional obligations in relation to Health and Safety, Safeguarding, counselling, registration of marriage and other activities.
The data we hold can be divided into three types.
5. Sharing your personal data
- Church Operational Data. This is the information we need for the day-to-day running of the church. Examples of this includes information such as names and contact detail of church members and records relating to involvement in church activities.
- We hold this data as part of our legitimate interests. This means that processing is carried out by us as a not-for-profit body with a religious aim provided that: the processing relates only:
- to members or former members (or those who have regular contact with it in connection with those purposes); and
- there is no disclosure to a third party without consent.
- Contact Details enabling us to keep people up to date with news and events at St James’ (regarded by the GDPR as marketing data). An example of this is the weekly email update from the church office. After May 25th 2018 we will only contact people in this way if they have consented for us to do so by opting explicitly opting-in. The legal basis for holding this data is the consent of the data subject (ie the person whose data is being held).
- Contractual Data Examples of this include data we need to carry out the contracts of employment with our staff and venue hire contracts with those hiring our premises. The legal basis for holding this information is that processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;
Your personal data will be treated as strictly confidential and will only be shared with other members of the church in order to carry out a service to other church members or for purposes connected with the church.6. How long do we keep your personal data?
We have a policy to ensure that we only keep your data for as long as we need to, and after that it is securely disposed of. This policy is in accordance with the guidance set out in the guide "Keep or Bin: Care of Your Parish Records" which is available from the Church of England website.
Specifically, we retain electoral roll data while it is still current; gift aid declarations and accounting paperwork for up to 6 years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently.7. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
8. Further processing
- The right to request a copy of personal data which we holds about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right to withdraw your consent to the processing at any time
- When we are processing data because you have given your consent, or to perform a contract with you, you have the right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (this is known as the right to data portability).
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- When we process data to provide you with information about St James’ (marketing), in order to carry out our work (legitimate interests) or to produce research statistics, you have the right to object to the processing of personal data, (where applicable)
- The right to lodge a complaint with the Information Commissioners Office.
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.9. Contact Details
Our Data Protection Champion is Jeremy Davidson. You can contact him by email at email@example.com or by writing to him via the church office - St James’ Church, Church Walk, Devizes, SN10 3AA.
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or by writing to the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.