Living Rock Trust (LRC) is fully committed to compliance with the new data privacy law which is being introduced in the UK on 25 May 2018.
As a result, we have updated our Data Protection Policy and Privacy Notice to address the new GDPR standards which strengthen your existing privacy rights; this is part of our ongoing commitment to be transparent about how we use your personal data and keep it safe within Living Rock Trust (LRC).
This privacy notice, sets out the legal basis on which the personal information we have collected from you, or that you have provided to us, will be processed.
We’d encourage you to review our Data Protection Policy. It’s available on our website as well as within My ChurchSuite, if you have been given log in details as a member or current visitor of LRC.
Within our new Data Protection Policy, we’ve provided more details about the information we collect and how we use it. The new data protection law also asks us to give you more control over how your data is used.
Our legal basis for processing personal data is different depending upon the purpose it was collected for. Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis and is transparent.
The legal basis for processing your data
- Data collected to keep you informed about a specific area you expressed an interest in, is held to fulfil your legitimate interest and ours;
- Data collected through membership of LRC, is held to fulfil your legitimate interest and ours;
- Data collected through our booking systems for the events and courses that we run is held for our legitimate interests or because of a contractual obligation to do so;
- Data collected about your children or young people are held on parental consent and vital interests;
- Data collected to carry out DBS checks is necessary for legitimate interests and for compliance with a legal obligation to safeguard children and adults at risk;
- Employee (or applicant), volunteer and church member data records are processed to comply with legal and contractual obligations and to fulfil our legitimate interests as a church community;
- Data collected for the hire of our premises is necessary for legitimate interests and because of a contractual obligation to do so;
The purpose of processing your data
LRC will process your data for the following reasons:
- General administration – which includes keeping an up to date record of current visitors and members (including children), in order to provide pastoral care, to prepare ministry rotas, to send birthday cards as well as maintain records of giving for audit and tax purposes;
- Communication – to contact you regarding upcoming activities and details about events that you have booked into or you have specifically requested information about. This would also include communication with people outside LRC who have enquired about hiring the building;
- Statistical Analysis – to understand the church’s geographic locations in order to allocate people into life groups, to be able to accommodate children and youth into appropriately staffed groups;
Any member or current visitor of LRC has the right to ‘opt’ out to receiving information regarding events and other church related communications at any time. This can be achieved by a written request to email@example.com.
Change of purpose of processing your data
We commit to only process your personal information for the purposes for which it was collected, except where we reasonably consider that the reason for processing changes to another reason and that reason is consistent with the original basis for processing. Should we need to process personal information for another reason, we will inform you of this and advise you of the lawful basis upon which we will process.
In the event that you enter into an employment contract with us, any information already collected may be processed further in accordance with our Data Protection Policy which can be accessed on our website.
Who do we share your data with
Your data may be shared with elders, trustees and employees of LRC where it is necessary for them to undertake their duties. This includes, for example, the elders and trustees in order to make decisions regarding salary for current or prospective employees, the finance department for administering payment of bills and/or payroll and keeping accurate details of members and visitor giving for tax and audit purposes.
It may be necessary for us to share your personal data with a third party or third party service provider (including, but not limited to, contractors, agents or other associated/group companies within, or outside of the European Union (EU)). Data sharing may arise due to a legal obligation, as part of the performance of a contract or in situations where there is another legitimate interest (including a legitimate interest of a third party) to do so.
The list below identifies which activities are carried out by third parties on our behalf:
- Pension provider;
- Accountancy services;
- Insurance providers;
- Legal advisors;
If data is shared, we expect third parties to adhere and comply with the GDPR and protect any data of yours that they process. We do not permit any third parties to process personal data for their own records. Where they process your data it is for a specific purpose according to our instructions.
How long the data will be stored
- Your data will be stored for as long as you are a member or current visitor of LRC. If we receive confirmation that you are no longer regularly attending LRC, we will delete your personal details after 6 months of this happening. The only information we will keep is your name, date of membership and date of leaving for historic purposes. Occasionally, we may continue to use data without further notice to you. This will only be the case where any such data is anonymised and you cannot be identified as being associated with that data;
- If we have entered into a contract with you regarding the hiring of the building, we will keep your details for as long as you are using the building and up to 12 months after your last visit;
- All personal data regarding children is held up to 6 months after a child last attended;
- Employment or tax related data will be kept in accordance with official guidance regarding retention periods for specific records, usually up to 6 years;
- If we receive a job application form from you but your application is not successful, we will keep your data for up to 12 months once the recruitment process ends;
Under GDPR legislation you have a number of rights about how your data is processed. The lawful basis for our processing can also affect which rights are available to individuals. Full details of your personal rights can be found on the Information Commissioner’s Office website.
Your rights include;
- Right to be informed – this encompasses our obligation to provide ‘fair processing information’ on how we use your data through a privacy statement;
- Right of access – individuals have the right to access their personal data (Subject Access Request);
- Right to rectification – individuals have the right to have their personal data rectified to ensure it’s accurate and complete;
- Right to erasure (or right to be forgotten) – individuals have the right to request the deletion or removal of their personal data where there is no compelling reason for its continued processing (except where we are required to hold the data by law and where there is legitimate interest to withhold it);
- Right to data portability – individuals have the right to obtain and reuse their personal data for their own purposes across different services;
- Right to object – individuals have the right to object to processing their personal data in certain circumstances;
24/05/18 Policy Introduced. Approved by Christopher Alton as Chair of Trustees.