Fair Processing Notice
Eldad Elim Church (the data controller) maintains records of its members and other persons who regularly attend services and/or other church related events and group meetings so that it can provide appropriate and timely pastoral care and keep these persons updated on church events, activities and related matters of interest.
The Data Protection Law
The controller acknowledges its obligations as per the data protection law, which provides a number of requirements in terms of processing activities involving personal data. The controller further acknowledges the general principles of processing as well as the rights of a data subject and more information in relation to these provisions are provided within this fair processing notice.
The Principles of Processing
Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner.
In order to administer the various church activities and provide pastoral care, the controller collects personal data from data subjects. Some of this data is classified as “Special Category Data” and the fact that it is being collected in connection with church related activities indicates a potential religious affiliation by the data subject.
The personal data that is collected for this purpose includes:
In terms of the lawful basis for processing, this is being done in the context of the legitimate activities of a religious, non-profit organisation.
Who do we share data with?
We do not share personal data widely, but as part of our legitimate activities we may include some personal information on internal prayer leaflets or the church bulletin which might then be available to visitors to the church or to others within the connect groups and hence the basis for this processing is consent which can be withdrawn at any time.
Personal contact data will not be shared with any third party unless it is in connection with the legitimate activities of the church.
Personal data must not be collected except for a specific, explicit and legitimate purpose and, once collected, must not be further processed in a manner incompatible with the purpose for which it was collected.
The controller acknowledges its responsibility with regards to this data protection principle and therefore the controller maintains that it will not further process that personal data in a way which is incompatible to its original reason for processing as specified in section 2a, unless the controller is required to do so by law.
Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
The controller maintains that it will only process the personal data which is detailed in section 2a, and will not process any further personal data that is not necessary in relation to the original reason for processing personal data as specified in section 2a, unless the controller is required to do so by law.
Personal data processed must be accurate, kept up-to-date (where applicable) and reasonable steps must be taken to ensure that personal data that is inaccurate is erased or corrected without delay.
The controller will ensure that all personal data that it holds is accurate and kept up-to-date, and any personal data that is inaccurate will be erased or corrected without delay.
Personal data must not be kept in a form that permits identification of a data subject for any longer than is necessary for the purpose for which it is processed.
Where a data subject provides personal data to the controller through the consent form, the controller will only hold that personal data for the duration of the time that they remain a member or attend services and/or other events/activities. Where notification is provided that none of these situations will continue the data controller will ensure that their personal data is deleted.
We will retain personally identifiable data until such times as the data subject has moved on from the church plus a period of two years.
Integrity and confidentiality
Personal data must be processed in a manner that ensures its appropriate security, including protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller maintains to process all personal data with appropriate levels of security. Personal data provided by data subjects is collected and stored in hard copy (the consent form) as well as on computer. In order to prevent unauthorised or unlawful processing, the controller has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information that is collected.
The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
The contact details of the controller are as follows:
Eldad Elim Church
tel: 01481 723078 ~ email: [email protected] ~ www.eldadchurch.org.gg
We have not appointed a fully trained and qualified data protection officer, but data protection issues should be addressed to the church secretary and senior minister using the email address - [email protected]
Data Subject Rights
Right of access
A data subject has the right to be advised as to whether a controller is processing personal data relating to them and, if so, that individual is entitled to one free copy of their personal data (with further copies available at a fee prescribed by the controller). This is known as a Subject Access Request (SAR). Upon receipt of an SAR, the controller has a period of one month to adhere to the request (an extension of two further months can be sought by the controller depending upon the complexity and number of requests submitted by the data subject).
Right to data portability
A data subject has the right to data portability, this means that an individual is able to arrange for the transfer of their personal data from one controller to another without hindrance from the first controller. This right can only be utilized where the processing is based on consent or for the performance of a contract. This right cannot be used for processing by a public authority.
Where a data subject invokes the right to data portability, the data subject has the right to be given their personal data in a structure, commonly used and machine-readable format suitable for transmission from one controller to another. Upon the request of a data subject, the controller must transmit their personal data directly to another controller unless it is technically unfeasible to do so.
Exception to right of portability or access involving disclosure of another individual’s personal data
A controller is not obliged to comply with a data subject’s request under the right of access or right to data portability where the controller cannot comply with the request without disclosing information relation to another individual who is identified or identifiable from that information.
Right to object to processing
A data subject has the right to object to a controller’s activities relating to the processing of personal data for direct marketing purposes, on grounds of public interest and for historical or scientific purposes.
Right to rectification
A data subject has the right to require a controller to complete any incomplete personal data and to rectify or change any inaccurate personal data.
Right to erasure
A data subject has the right to submit a written request to a controller regarding the erasure of the data subject’s personal data in certain circumstances. These include where:
Right to restriction of processin
A data subject has the right to request, in writing, the restriction of processing activities which relate to the data subject’s personal data. This right can be exercised where:
Right to be notified of rectification, erasure and restrictions
Where any rectification, erasure or restriction of personal data has been carried out, the data subject has a right to ensure that the controller notifies any other person to which the personal data has been disclosed about the rectification, erasure or restriction of processing. The controller must also notify the data subject of the identity and contact details of the other person if the data subject requests this information.
Right not to be subject to decisions based on automated processing
A data subject has the right not to be subjected to automated decision making without human intervention.
Right to make a complaint
An individual may make a complaint in writing to the supervisory authority (the Office of the Data Protection Commissioner) if the individual considers that a controller or processor has breached, or is likely to breach, an operative provision of the data protection law, and the breach involves affects or is likely to affect any personal data relating to the individual or any data subject right of the individual (as listed above).
Complainant may appeal failure to investigate or progress and may appeal determinations
An individual may appeal to the Court where: