What’s included in this Privacy Notice?
Bedwas Pentecostal Church (“BPC”) known as Hope Church, Bedwas is a charitable incorporated organisation in fellowship with Assemblies of God GB. You can find out more information about us at Hope Church (bedwaschurch.org)
This document (our “privacy notice”) sets out information relating to how we use Personal Data relating to individuals we have dealings with, including members, participants in kids, youth, adult, courses and training programmes or people who make donations to the Church, and users of our website. It also sets out information about what rights individuals have in relation to their Personal Data and various other matters required under data protection law.
In particular, this privacy notice provides information to individuals about how they can object to our use of their Personal Data, how they can withdraw any permissions they have given to us to enable us to process their Personal Data and how they can make a complaint.
Who does this Privacy Notice Apply to?
1. Members;
2. Donors;
3. Participants in kids, youth and adult programmes;
4. Users of our website;
5. Individuals who engage with us on social media.
Data Protection Lawful Bases for Processing – special note
1. We must always have a Lawful basis for processing Personal Data.
2. However, certain post or office holders, due to their type of office, appointment, within the Church, are not engaged under a traditional employment contract and an Employer/Employee relationship may not exist. (e.g. volunteers)
3. Nevertheless, in such cases, the arrangements for their appointment to their role within the Church will be deemed to be a Contract for the purposes of determining the lawful basis for processing their Personal Data under the Data Protection Act 2018 and (UK)GDPR. A non-exhaustive list of such arrangements includes:
i. Stipendiary and Non Stipendiary ministers
ii. Other ministry licensed (e.g. visiting ministers/missionaries)
iii. Voluntary service within the Church
iv. A range of other posts and offices
What’s our Approach to Privacy?
We take your privacy extremely seriously and want you to feel confident that your Personal Data is safe in our hands. We will only use your Personal Data in accordance with data protection law prevailing in the UK at the relevant time.
Under data protection law, when we use your Personal Data, we will be acting as a data controller. Essentially, this means that we will be making decisions about how we want to use your Personal Data and why.
Below, we summarise the main rules that apply to us under data protection law when we use your Personal Data:
# Rules
1. We must be upfront about how we intend to use your Personal Data and must use your Personal Data in accordance with the prescribed data protection principles. These principles are shown below:
We are responsible for ensuring that personal data under our control is processed in accordance with the data protection principles which require data is processed:
1. Fairly and lawfully
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and Secure;
5. Not kept longer than necessary
6. Processed in accordance with your rights
7. Not transferred to countries outside the UK without safeguards.
8. In a manner that ensures appropriate security of the personal data.
Providing privacy information to individuals (such as this privacy notice) is one aspect of helps us to fulfil this obligation.
2. We must only use your Personal Data if one of the legal grounds set out in data protection law apply. These legal grounds are:
1. You have consented to our use of your Personal Data;
2. We need to use your Personal Data to perform a contract between us;
3. We need to use your Personal Data to comply with the law.
4. The processing is necessary in order to protect the vital interests of you or of another natural person.
5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. We (or someone else) has a legitimate reason for needing to use your Personal Data and it would not be unfair to you if your Personal Data was used for this purpose. This is known as having a “legitimate interest” and we must weigh up your rights and our interests before we can rely upon this basis;
3. We must only use certain types of Special Category Personal Data (such as information relating to a person’s health, racial origin or religion) if we can also satisfy one of the conditions set out in data protection law. These conditions are:
• You have given us your explicit consent to use the information;
• We need to use the information in the course of the legitimate activities of the Church in Wales and the information is not being disclosed outside the Church in Wales;
• We need to use the Personal Data in relation to your employment.
• You have already made the information public;
• We need to use the information to protect your vital interests or the vital interests of another person;
• We need to use the information for archiving purposes
• Where there is substantial public interest
• For the purposes of occupational medicine or public health issues.
• We need to use the information in connection with a legal claim.
4. We must only share your Personal Data with others if we have a legal ground for doing so (see point 2 above) and/or (in relation to Special Category Personal Data) we can satisfy a condition (see point 3 above).
5. Generally speaking, we must only use your Personal Data for the specific purposes we have told you about. If we want to use your Personal Data for other purposes, we need to contact you again to tell you about this.
6. We must not hold more Personal Data than we need for the purposes we have told you about and must not retain your Personal Data for longer than is necessary for that purpose (known as the “retention period”). We must also dispose of any information that we no longer need securely.
7. We must ensure that we have appropriate security measures in place to protect your Personal Data.
8. We must act in accordance with your rights under data protection law (more information about your rights can be found on our website at Hope Church (bedwaschurch.org)
9. We must not transfer your Personal Data outside of the UK without safeguards being in place such as an ‘Adequacy Agreement’ exists between the UK and that Country.
How will we use your Personal Data?
How we will use your Personal Data, the legal bases we will rely upon, how long we will keep your Personal Data and other details will depend upon who you are and why we need your Personal Data in the first place.
In this section, we provide specific privacy information relating to the different categories of individuals that this privacy notice applies to.
Members and Donors
Qu? Rules
What Personal Data we will use
• Your name;
• Your contact details (such as your postal address, telephone number and/or email address);
• Your Bank Account Details;
• Whether you are a UK taxpayer;
• Your connection with the Church
How we will obtain the Personal Data
• The information is provided directly from the donor.
For what purposes we will use the Personal Data
• We will use the Personal Data in order to process your donation (whether a one off or a regular donation) and to obtain any tax reimbursements through gift aid.
With whom we share your Personal Data
• We will share your name, amount of your donation and whether tax is reclaimed with the Treasurer/Accountant for accounting and records purposes.
• We will share your Personal Data with HMRC in order to obtain any gift aid tax reimbursements, where applicable.
The legal grounds we rely upon
• Processing your data will be necessary for the purposes of entering into a contract and for the performance of the contract between us to obtain any tax reimbursements. These donations allow the Church to further its aims.
• If and to the extent that your donation to the Church reveals your religious beliefs, our processing of that Special Category Personal Data is conducted with your explicit Consent.
How long we retain the Personal Data and why
• Your contact details will be retained for the duration of the giving and for 7 years thereafter.
Consequences of not providing/permitting us to obtain Personal Data • Failure to provide us with your name address and bank account details will mean we cannot process any donation other than a cash or cheque donation.
Participants in church programmes
Qu? Rules
What Personal Data we will use
• Your name;
• Your contact details (such as your postal address, telephone number and/or email address);
• Your connection with the Church
How we will obtain the Personal Data
• Provided directly when joining a programme.
For what purposes we will use the Personal Data
• We will use the Personal Data to facilitate programme participation, internal administration purposes and inform of future similar programmes
The legal grounds we rely upon
• Use of your Personal Data is based on your Consent.
• Where the details reveal your religious belief because of your connection with or contact with the Church, our processing of that Special Category Personal Data will be carried out with your explicit Consent.
How long we retain the Personal Data and why
• Your contact details will be retained for 12 months following conclusion of the programme or your consent is withdrawn.
• If a safeguarding matter is raised involving children and/or adults at risk, a record will be retained securely by our Safeguarding Team indefinitely. This is because the Church has a Legal Obligation to take all reasonable precautions to ensure that the Church is a safe place for all.
Individuals who undertake courses or training with us
Qu? Rules
What Personal Data we will use
• Your name;
• Your contact details (such as your postal address, telephone number and/or email address);
• Your attendance record of courses (whether online or in person), dates of completion and marks of any assessments;
• Your connection with the Church
How we will obtain the Personal Data
• Some of the information is entered by you into our registration and sign-up forms or entered by us on your request (if asking to be registered on a course).
For what purposes we will use the Personal Data
• The information you provide is used by us to arrange our training programme and to ensure that training delivery is to the highest possible standards. It is also used to maintain and accurate of record of who has been training, to what level, on what dates.
The legal grounds we rely upon
• Our collection and use of the information is based on our legal obligation in holding a record of who within our organisation has been trained to what level and on what dates
How long we retain the Personal Data and why
• We keep records of all completed training for a period of 2 years from the date of completion. This is so that refresher or updated training can be offered to the appropriate persons at the appropriate time.
• If you do not provide us with the Personal Data requested in the training sign-up you will be unable to participate in our training resources, whether online or in person.
Engaging with us on social media
Any social media posts or comments you send to us (on WhatsApp or Facebook page, for instance) will be shared under the terms of the relevant social media platform on which they're written and could be made public.
Other people, not us, control these platforms. We are not responsible for this kind of sharing. So before you make any remarks or observations about anything, you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you'll understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you're unhappy about it.
Automated Decision-making and Profiling
Automated decision-making takes place when an electronic system uses Personal Data to make a decision without human intervention and a legal decision or similarly important decision is made based on the information.
We will only use automated decision making about you in very limited circumstances and when there is a legal basis for our activities. E.g. conducting pre employment or safeguarding DBS checks.
When we will share your personal data with others
Sometimes, we will need to share your Personal Data with others. This section sets out details of who we will share your Personal Data with and why. It also tells you about our legal grounds for doing so under data protection law and steps we will take to protect your Personal Data.
Please note that we will never sell your Personal Data on to third parties.
What rights do you have under Data Protection Law?
Under data protection law, you have a number of different rights relating to the use of your Personal Data. The table below contains a summary of those rights and our obligations. More information about your rights and our obligations can be found on the Information Commissioner’s Office (ICO) website https://ico.org.uk/.
Your rights
• This involves Our obligations
A right of access This is a right to obtain access to your personal data and various supplementary information. • We must provide you with a copy or your Personal Data and the other supplementary information without undue delay and in any event within one month of receipt of your request;
• We cannot charge you for doing so save in specific circumstances (such as where you request further copies of your Personal Data).
A right to have personal data rectified
• This is a right to have your Personal Data rectified if it is inaccurate or incomplete.
• We must rectify any inaccurate or incomplete information without undue delay and in any event within 1 month of receipt of your request;
• If we have disclosed your Personal Data to others, we must (subject to certain exceptions) contact the recipients to inform them, that your Personal Data requires rectification.
A right to erasure
• This is a right to have your Personal Data deleted or removed.
This right only applies in certain circumstances (such as where we no longer need the Personal Data for the purposes for which it was collected).
We have the right to refuse to delete or remove your personal data in certain circumstances.
• If this right applies, we must delete or remove your Personal Data without undue delay and in any event within 1 month of receipt of your request;
• If we have disclosed your Personal Data to others, we must (subject to certain exceptions) contact then recipients to inform them that your Personal Data must be erased.
A right to data portability
• This is a right to obtain and re-use your Personal Data for your own purposes;
• It includes a right to ask that your Personal Data is transferred to another organisation (where technically feasible).
• This right only applies in certain limited circumstances.
• Following a request relating to Data Portability we will transmit the relevant personal data to the data subject or their nominated data controller where it is possible and technically feasible for us to do so. • If this right applies we must provide your Personal Data to you in a structured, commonly used and machine reasonable form
• Again, we must act without undue delay and in any event within 1 month of receipt of your request;
• We cannot charge you for this service.
A right to object
• This is a right to object to the use of your Personal Data.
• The right applies in certain specific circumstances only.
• You can use this right to challenge our use of your Personal Data based on our legitimate interests;
• You can also use this right to object to use of your Personal Data for direct marketing • If you object to us using your Personal Data for direct marketing, we must stop using your Personal Data in this way as soon as we receive your request.
• If you object to other uses of your Personal Data, whether we have to stop using your Personal Data will depend on the particular circumstances.
A right to object to automated decision making
• This is a right not to be subject to a decision which is made solely on the basis of automated processing of your Personal Data where the decision in question will have a legal impact on you or a similarly significant effect.
• We may use Automated decision making about you if it is necessary for entering into or performing a Contract with you or where you Consent to the actions.
• Where such a decision is made, you must be informed of that fact as soon as reasonably practicable;
• You then have 21 days from receipt of the notification to request that the decision is reconsidered or that a decision is made that is not based solely on automated processing;
• Your request must be complied with within 21 days.
A right to restrict processing
• This is a right to ‘block’ or suppress processing of your Personal Data.
• This right applies in various circumstances including where you contest the accuracy of your information).
• If we are required to restrict our processing of your Personal Data we will be able to store it but not otherwise use it.
• We may only retain enough information about you to ensure that the restriction is respected in future.
• If we have disclosed your Personal Data to others, we must (subject to certain exceptions) contact them to tell them about the restriction on use.
Legitimate Interests
• If the processing is based on Legitimate Interests, you are entitled to know what and whose Legitimate Interests they are.
• This lawful basis is used only after conducting a three part test to ensure the data subjects rights are properly protected
• There are some exceptions to the additional information rule. If we obtain your Personal Data from a source other than yourself, the additional information rules will apply unless:-
• You already have the information regarding our processing; or it would take a disproportionate effort or be impossible to provide you with it; or you are already legally protected under separate provisions; or we have a legal duty not to disclose it.
Data from sources other than the Data Subject.
• If we process data about you but we have not obtained the data personally from you, we must provide you with the information described in this Privacy Notice and some additional information.
• You are entitled to know the source of the information and whether the source is publicly accessible.