Data Protection Policy

Who we are and how to contact us

Grace Baptist Church, Portsmouth is a registered charity in England and Wales (registered charity number 1173661).

Contact details

Data Protection Officer
Grace Baptist Church, Portsmouth
46 Copnor Road
Portsmouth
PO3 5AH

Website: graceportsmouth.com

The purpose of this privacy notice

The purpose of this privacy notice is to inform Church members and adherents, visitors, guest speakers, conference and event attendees, partner/associate organisations, other 3rd party entities, website visitors and other relevant stakeholders how we process any personal data i.e. about ‘natural’, living people. When processing personal data, GBCP adheres to the overarching principles that data should be processed in a manner which is responsible, secure, proportionate, lawful, fair and transparent.

Data Controller

The Charity Trustees of Grace Baptist Church Portsmouth (GBCP) are the Data Controller.

Data Protection Officer

GBCP has appointed a Data Protection Officer.

Personal data

Personal data is any information relating to an identified or identifiable living individual.

Legal basis for processing personal data

Our use of personal data is lawful where:

• It is with your consent; or
• Is necessary for the performance of a contract that we have with you; or
• Is in compliance with a legal obligation to which we are subject; or
• Meets the purposes of legitimate interests that we pursue, except where such interests are overridden by your interests or fundamental rights and freedoms; or
• Is in the protection of your vital interests

Special categories of personal data

Normally we do not collect special categories of personal data (formerly known as ‘sensitive data’). Examples of special category data include information about an individual’s: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics; health; sexual orientation, or unspent criminal convictions.

When we do need to process this kind of personal data, it will be done with the explicit consent of the individual or based on the very strict criteria outlined by Article 9 GDPR.

Examples of such personal data that we may obtain include:

• Personal identification documents that may reveal race or ethnic origin, and possibly biometric data of private individuals or applicants;
• Adverse information about potential or existing employees, interns or volunteers that may reveal criminal convictions or offences information. We may need to hold details of any unspent criminal convictions (governed by the rules of their respective jurisdiction where imposed) for so long as they remain unspent;
• Trade-union membership;
• Other data provided to us in the course of our charitable mission.

Normally we do not intentionally process information regarding minors other than to meet our legal obligations, such as in relation to safeguarding.

Lawful processing of data

GBCP is committed to protecting the privacy of all users of its website, and all information held in respect of individuals with whom GBCP has contact. GBCP is committed to acting in accordance with the General Data Protection Regulation 2018, and in particular ensuring that processed data should be:

• Used lawfully, fairly and in a transparent way;
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
• Relevant to the purposes we have told you about and limited only to those purposes;
• Accurate and kept up to date;
• Kept only as long as necessary for the purposes we have told you about;
• Kept securely.

Website privacy

Like many websites, GBCP’s website uses tiny text files called ‘cookies’ to enhance browsing experience and help us manage the website better. Information is stored only for the session the user is on the site. Google Analytics collects information in an anonymous form about how visitors use our site. Google Loader used on the ‘How to find us’ page to provide a Google Map of our location similarly uses cookies.

Indicative List of Categories of Data Subjects

For operational purposes GBCP holds personal data under the following categories, for which the reason, source, type, and legal grounds for holding it are as stated below:

Pastor:

Reason – Personnel administration.

Source – Pastor.

Data – Name; basic contact details; DOB; professional qualifications; pension fund; medical history; National Insurance Number; marital status; driving licence details; employment history and references; Christian testimony; church membership; leisure interests; and, where applicable, immigration status; work permit; bankruptcy records; criminal conviction; and County Court Judgements. In addition, Sensitive information may be held in confidence for personnel management purposes.

Legal Grounds – Legitimate interest, legal requirement, and explicit consent of the employee.

Donors:

Reason – Administration of donations under the Gift Aid Scheme and by standing order.

Source – Donor

Data – Name; basic contact details; church affiliation; donation remittance history; and donation and tax reclaim history.

Legal Grounds – Explicit consent of Donor.

GBCP Members and Adherents:

Reason – Administration of Church Fellowship.

Source – Personal Member.

Data – Name; basic contact details; date membership or adherence commenced and, if applicable, ceased; financial giving history; church membership; and spousal details if Joint Membership.

Legal Grounds – Legitimate interest, and explicit consent of the Personal Member.

Friends of GBCP:

Reason – Receive invitations to and notifications about GBCP events.

Source – Friend or Church correspondent.

Data – Name; basic contact details.

Legal Grounds – Legitimate interest, and explicit consent of the Individual or church correspondent who has himself gained the former’s explicit consent.

Visiting Preachers:

Reason – To preach at GBCP.

Source – Preacher or Church correspondent.

Data – Name; basic contact details.

Legal Grounds – Legitimate interest, and explicit consent of the Individual or church correspondent who has himself gained the former’s explicit consent.

Beneficiaries of Church Giving:

Reason – Administration of gifts to Beneficiaries.

Source – Beneficiaries or Other (see below).

Data – Name; basic contact details; and further varied information necessary to comply with the requirements of each giving arrangement or trust, which may include: DOB; church membership; household financial circumstances; marital status; and number of dependent children.

Legal Grounds – Explicit consent of Beneficiary or Other who has himself gained the former’s explicit consent.

All personal data will be stored for only as long as it is needed or required by statute, and in accordance with GBCP’s data retention instructions, and will be disposed of appropriately. Furthermore, any individual whose personal data is held by GBCP has the right to access the information, rectify inaccuracies, request erasure, and object to processing. In addition, the Individual has the right to data portability, and the right to complain to the Information

Indicative list of legal use of personal data

Our use of personal data: Contacting members and adherents and producing fellowship address list Legal basis: Legitimate interest Legitimate interest: Fulfilling ministry of church

Our use of personal data: Extending pastoral care, outreach activities, preaching and teaching Legal basis: Legitimate interest Legitimate interest: Fulfilling ministry of church

Our use of personal data: Interviewing, calling (recruiting) and employing paid office holders, employees. Legal basis: Legitimate interest Legitimate interest: Fulfilling ministry of church

Our use of personal data: Contact with visitors to services and GBCP friends Legal basis: Legitimate interest Legitimate interest: Fulfilling ministry of church

Our use of personal data: Baptism and membership records Legal basis: Legitimate interest Legitimate interest: Fulfilling ministry of church

Our use of personal data: Participation of volunteers in ministries and activities of church

Legal basis: Legitimate interest Legitimate interest: Facilitating volunteering while ensuring that participation is appropriate, including relevant safeguarding issues

Our use of personal data: Care of the elderly and infirm Legal bases: Legitimate interest, vital interests Legitimate interest: Fulfilling ministry of church

Our use of personal data: Assistance to those with social needs Legal basis: Legitimate interest Legitimate interest: Fulfilling ministry of church

Our use of personal data: Maintaining financial records, including Gift Aid, auditing and inspection of accounts Legal bases: Legitimate interest, legal duty Legitimate interest: Maintaining ministries of church and compliance with legal requirements

Our use of personal data: Other special meetings and events Legal bases: Legitimate interest Legitimate interest: Extending ministry on current issues of interest and concern

Our use of personal data: Provision of support for pastors and Christian workers in other churches and organizations, including publication of news about their ministries Legal basis: Legitimate interest Legitimate interest: Fulfilling ministry of church

Our use of personal data: Complying with legal and regulatory obligation, such as in relation to money laundering, terrorist, fraud and other forms of crime, child safety, tax and immigration requirements.

Legal basis: Legitimate interest, legal duty

Legitimate interest: Maintaining ministries of church and compliance with legal requirements

Our use of personal data: Information about our ministries and other events sent by email Legal basis: Consent

Failure to provide or update data

It is important that the data we hold about you is accurate and current. Please keep us informed if there are any changes. We may be unable to keep in contact with you, to provide you with care or assistance that you have requested or to perform contractual obligations to you if your data is not kept up-to-date.

Disclosure of your personal data

We will not disclose your personal data to any external third party except:

• With your consent, or
• For the purposes of processing payments, or
• Where we are required to do so by law, or
• As stated in the separate privacy notices referred to above, or
• In the exceptional circumstances described immediately below

GBCP may disclose personal data to the following categories of recipients, some of which may be located in third countries or may be international organizations as defined in Article 4(26) of the GDPR:

• Associated entities or charitable organisations.

• Auditors and professional advisors, such as lawyers and consultants.

• Federal, state, and local law enforcement or immigration officials.

• Other governmental or regulatory agencies (such as HMRC) or other third parties as required by applicable law or regulation.

• Third-party service providers, such as providers of:

  • IT system management;
  • Information security;
  • Communications systems;
  • Marketing service providers;
  • Recruitment service providers;
  • Human resources management;
  • Payroll administration; or
  • Retirement plan administration.

In circumstances whether it is necessary or appropriate to share personal data with third parties, we will ensure that they comply with the same data protection principles that we are obligated to meet, including under the GDPR.

If we are helping to provide care for you and we have important information about your health, we may disclose it if it is in your vital interests to do so in an emergency in which you are unable to give consent for yourself.

Data security

We deal with all personal data carefully and have put in place measures with a view to preventing any such personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Fellowship Address List

We periodically issue to members and adherents of the church a fellowship address list of names and contact details. Access to all other personal data is strictly limited to those of our

officers, employees, volunteers, agents and contractors who have a need to know it. They are under a duty of confidentiality and a duty only to use such personal data for the relevant purposes of the church as set out in this notice.

Data retention

We will retain personal data for the relevant purpose and for the relevant periods set out in this notice and in order to comply with legal requirements for the retention of certain data.

In some circumstances you can ask us to delete your data. In addition to your legal right to request erasure you can ask us to delete information we hold about you (other than membership information) at any time. We will review any such request and unless there is some legal reason for us to retain the information we will delete it. Details of retention periods for different aspects of your personal data are available in our data retention schedule which you can request from us by contacting us.

Your legal rights

Unless subject to an exemption under relevant legislation you have the following rights in respect of your personal data:

• Where we rely on your consent to process your data you may at any time withdraw your consent but this right does not affect the lawfulness of any processing of your personal data before such withdrawal
• The right to request a copy of your personal data which we hold
• The right to request transfer of your data to another person (data portability)
• The right to request correction of any personal data that is inaccurate, incomplete or out of date
• The right to request erasure of your personal data where it is no longer necessary for us to continue processing it, where you have successfully exercised your right to object to processing, where we have processed your data unlawfully or where the law otherwise requires your data to be erased
• The right to object to processing of your personal data where you consider that your interests or personal rights and freedoms override our legitimate interests described above
• The right to request restriction of processing where you have disputed the accuracy of the data or the lawfulness of the processing, or where you wish us to retain data that we would otherwise delete

Your right to request transfer of your data to another person applies to data that you have provided to us and that we process by electronic means either with your consent or for the purpose of a contract that we have with you. We can transfer such data where you have provided it to us via our website to enable us to send you information about our ministries by email.

Information that you have given us for the purpose of a contract that we have with you consists of your name, contact details and the goods or services requested. It is held in

manual records and in the office computer. While we will endeavour to provide such data we are not able to develop systems to enable it to be transferred automatically in a machine readable format.

Before responding to a request or objection we may need to request specific information from you as a security measure to ensure that your or your child’s personal data is not disclosed to any person who has no right to receive it.

You will not have to pay any fee to exercise these rights. However, we may charge a reasonable fee for, or may refuse to comply with, any request that is clearly unfounded, excessive or repetitive.

We try to respond to all requests within one month. If it will take longer because your request is complex we will notify you and keep you updated.

You also have the right to lodge a complaint with the Information Commissioner’s Office on 0303 123 1113, using their online portal, or at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire.