1. Your personal data – what is it?

The PCC of St John’s Church, Pleck, Walsall is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.

The PCC of St John’s Church, Pleck, Walsall complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for some or all of the following purposes:

• To manage our employees and volunteers;
• To maintain our own accounts and records (including the processing of gift aid applications and other donations);
• To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution;
• To minister to you and provide you with pastoral and spiritual care (such as visiting you when you are gravely ill or bereaved) and to organise and perform ecclesiastical services for you, such as baptisms, confirmations, weddings and funerals;
• To administer parish, deanery, archdeaconry and diocesan membership records;
• To fundraise and promote the interests of the church;
• To inform you of news, events, activities and services running at St John’s;
• To share your contact details with the Diocesan office so they can keep you informed about news in the diocese and events, activities and services that will be occurring in the diocese and which are relevant to the role you are undertaking.
• To enable us to meet all legal and statutory obligations (which include maintaining and publishing our electoral roll in accordance with the Church Representation Rules);
• To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments;
• To deliver the Church’s mission to our community, and to carry out any other voluntary or charitable activities for the benefit of the public;
• To seek your views or comments.
• To provide a useful resource in the form of an online directory of users.

• Explicit consent of the data subject (so that we can keep you informed about news, events, activities and services and process your gift aid donations and keep you informed about diocesan events).
• Processing is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (an example of this would be our safeguarding work to protect children and adults at risk);
• Processing is necessary for compliance with a legal obligation (for example, we are required by Church Representation Rules to administer and publish the electoral roll, and under Canon Law to announce forthcoming weddings by means of the publication of banns);
• Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract; (an example of this would be processing your data in connection with the hire of church facilities, or to conduct a funeral, baptism or wedding service)

• Explicit consent of the data subject.
• Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.
• Processing is carried out by a not for profit body with a political, philosophical, religious or trade union aim provided;
  - the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
  - there is no disclosure to a third party without consent.
• Processing relates to personal data manifestly made public by the data subject.
• Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
• Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law.
• Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes.

Your personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks or where you first give us your prior consent, or except in certain limited situations, such as where we are required to do so by law or to protect members of the public from serious harm.
It is likely that we will need to share your data with some or all of the following, but only on an as-needed basis:
Internally: We will share your data amongst staff, trustees, treasurers, elders, team and group leaders. When you give us your email address or number, for example, it is stored in our secure staff-only database. The staff use that information for their specific roles and if you join a small group or serving team, the leaders are given access to that basic information, for example.

Legal compliance: We are legally obliged to share some information to adhere to UK law. For example, as we are a registered charity, we must submit our accounts, which need to be audited by a third party accountant. We must also fulfil our legal requirements for safeguarding, for which it may be necessary to share your information with law enforcement entities.

Approved third-parties: When we use the term third-party, we mean systems or organisations that are necessary for St John’s Church to function, as we are not able to internally do that work. We will carefully vet these before use to ensure they will in turn keep personal data secure in line with the law. We do not give, sell, trade or share any of your personal data to organisations that we think may be of interest to you, ever.

Examples of our approved third parties are, but not limited to:

Diocesan: Diocese of Lichfield, The Church of England, other local churches (when carrying out joint events or activities).
IT: Google (staff email, data storage, administrative tools, data management), MailChimp (email distribution and design), SurveyMonkey, Doodle (data collection).
Financial organisations: HMRC (gift aid reporting), Lloyds (banking), Stewardship (giving).
Venues for Events: for attendees only.

We keep your personal data for no longer than reasonably necessary having regard to the original purpose for which the data was processed. In some cases we will be legally obliged to keep your data for a set period.
Examples are below:
Specifically, we retain electoral roll data while it is still current; gift aid declarations and associated paperwork for up to 6 years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently.

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

• The right to request a copy of your personal data which the PCC of St John’s Church, Walsall holds about you;
• The right to request that the PCC of St John’s Church, Walsall corrects any personal data if it is found to be inaccurate or out of date;
• The right to request your personal data is erased where it is no longer necessary for the PCC of St John’s Church, Walsall to retain such data. When we receive your request we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests or regulatory purpose(s));
• The right to object to the processing of your data. Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims;
• The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought. You can withdraw your consent easily by telephone, email, or by post;
• The right to request that the data controller provide the data subject with his/her personal data and, where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable). We will comply with your request, where it is feasible to do so, within one month of receiving your request;
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
• The right to object to the processing of personal data, (where applicable);
• The right to lodge a complaint with the Information Commissioners Office.
  To exercise any rights stated above please put your request in writing, detailing your request including full details of your request including specifics about the information being referred to and your full name and a means to be contacted using our email system in the Contact Us page.