Redeemer Croydon Privacy Notice
Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be by the information alone or in conjunction with any other information. The processing of personal data is governed by the new legislation, the General Data Protection Regulation “GDPR”.
This privacy notice is provided by Redeemer Croydon, which is the data controller for your data. In the rest of this notice “we” refers to Redeemer Croydon.
Redeemer Croydon ensures that your personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How Redeemer Croydon uses your information
We will process some or all of the following strictly where necessary to perform our tasks:
- Names, titles, and aliases, photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Where they are relevant to our mission, or where you provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependents;
- Where you make donations or pay for activities such as events, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;
- The data we process is likely to constitute sensitive personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs.
How do we process your personal data?
The data controllers will comply with their legal obligations to keep personal data up to date; to store and destroy it securely; to not collect or retain excessive amounts of data; to keep personal data secure, and to protect personal data from loss, misuse, unauthorised access and disclosure and to ensure that appropriate technical measures are in place to protect personal data.
We use your personal data for some or all of the following purposes:
- To enable us to meet all legal and statutory obligations;
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments;
- To minister to you and provide you with pastoral and spiritual care (such as meeting with you);
- To deliver the Church’s mission to our community, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in the constitution and statutory framework of each data controller;
- To administer the church attenders and membership records;
- To fundraise and promote the interests of the Church and charity;
- To maintain our own accounts and records;
- To process a donation that you have made (including Gift Aid information);
- To seek your views or comments;
- To notify you of changes to our services, events and role holders;
- To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other fundraising activities.
Why are we collecting your data?
We collect personal data to provide appropriate pastoral care, to monitor and assess the quality of our services, to fulfil our purposes as a church and to comply with the law regarding data sharing. In legal terms this is called ‘legitimate interests’. When it is required, we may also ask you for your consent to process your data. Most of our data is processed because it is necessary for our legitimate interests. An example of this would be our safeguarding work to protect children and adults at risk. We will always take into account your interests, rights and freedoms. Some of our processing is necessary for compliance with a legal obligation. For example, we are required by HMRC to provide details of your personal data when your donations are eligible for Gift Aid. Religious organisations are also permitted to process information about your religious beliefs to administer membership or contact details. Where your information is used other than in accordance with one of these legal bases, we will first obtain your consent to that use.
We do not share your information with others except as described in this notice.
Storing your data
We hold your data for varying lengths of time depending on the type of information in question but in doing so we always comply with Data Protection legislation. We will contact you annually to check that the information we are holding is accurate and that you agree to us holding it.
Who do we share your information with?
We will not share your information with third parties without your consent unless the law requires us to do so. Your personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks or where you first give us your prior consent. It is likely that we will need to share your data with some or all of the following (but only where necessary):
- Internally: We will share your data amongst staff, trustees, treasurers, elders, team and growth group leaders, for example, only when it is relevant to do so. When you give us your email address or number, for example, that is stored in our staff-only database (we use the programme ChurchSuite). The staff use that information for their specific roles and if you join a growth group or serving team, the leaders are given access to that basic information, for example. Children’s data is seen by their Kids and Tots leaders on a Sunday.
- Legal compliance: We are legally obliged to share some information to adhere to UK law. For example, as we are a registered charity, we must submit our accounts, which need to be audited by a third-party accountant. We must also fulfil our legal requirements for safeguarding, for which it may be necessary to share your information with law enforcement entities.
- Approved 3rd Parties: When we use the term 3rd party, we mean systems or organisations that are necessary for Redeemer to function, as we are not able to internally do that work or create those programmes. We will carefully vet these before use to ensure they will in turn keep personal data secure in line with the law. We do not give, sell, trade or share any of your personal data to organisations that we think may be of interest to you, ever.
Examples of our approved 3rd parties are:
IT: Google (staff email and administrative tools), ChurchSuite, Mailchimp (email distribution and design), SurveyMonkey (data collection), Doodle, Dropbox (file storage).
Financial organisations: HMRC (gift aid reporting), our main bank account provider, Stewardship (our accountant), Stripe (online card payment processing).
Venues for Events for attendees only
N.B. Your details will never be shared with anyone outside of Redeemer without your express advance permission, except in certain limited situations, such as where we are required to do so by law or to protect members of the public from serious harm.
How long do we keep your personal data?
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is current best practice to keep financial records for a minimum period of 7 years to support HMRC audits.
In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed.
We take the safeguarding and personal privacy of children extremely seriously. The information in this Privacy Notice is equally applicable to children. According to UK Law, the age that children are considered a parent’s responsibility for the purposes of data protection is up to 12 years old. Following that age, children’s data protection will be treated in the same way as an adult (with consent sought from them as needed). For more information about Children’s Rights, please visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/
There is a minimum amount of personal data that we need to keep and use for your children, for legal and safeguarding purposes. On Sunday mornings, for example, if your child is going into Kids and Tots, we need to know your child’s name, their age, if they have allergies and who their parents are etc, so we can keep them safe and know what to call them! You will have filled out a registration form the first time you put them in.
Your rights and your personal data
You have the following rights with respect to your personal data:
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
- The right to access information we hold on you
  - At any point you can contact us to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request we will respond within one month.
  - There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee.
- The right to correct and update the information we hold on you
  - If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.
- The right to have your information erased
  - If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold.
  - When we receive your request we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests or regulatory purpose(s)).
- The right to object to processing of your data
  - You have the right to request that we stop processing your data. Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims.
- The right to data portability
  - You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
- The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought.
  - You can withdraw your consent easily by telephone, email, or by post (see Contact Details below).
- The right to object to the processing of personal data where applicable.
- The right to lodge a complaint with the Information Commissioner’s Office. In the first instance, please do contact the Operations Director to resolve the issue. If no solution can be found, you have the right to contact the Information Commissioner’s Office to issue a formal complaint.
If we wish to use your personal data for a new purpose, not covered by this Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
If you would like to discuss anything in this privacy notice, please contact the Operations Director.
How do we protect your information?
We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information (see above for more details on how that is processed).
Do we disclose any information to outside parties?
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
Links to other websites
Our website contains links to other websites of interest. However, once you have used these links to leave our site, please note that we do not have any control over that other website.
Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites, and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to that website.