KILNSIDE EVANGELICAL CHURCH : PRIVACY STATEMENT
Kilnside Evangelical Church (KEC) has produced this Privacy Statement in the interests of transparency to explain how KEC (“we”) collect, use and store (“process”) personal data and sensitive personal data obtained from individuals (“you”) with whom we have a relationship or involvement. “Personal data” means any information relating to an identified or identifiable person. “Sensitive personal data” means personal data relating to race or ethnic origin; physical or mental health; political opinions, trade union membership, religious or philosophical beliefs; sex life or sexual orientation; genetic data; or biometric data. Although excluded from the legal definition, for the purposes of this statement sensitive personal data also includes information about criminal offences, convictions, proceedings or allegations.
We are committed to respecting and protecting your privacy.
Who is the Data Controller?
The data controller is the person or organisation which determines why and how personal data is processed. The data controller is Kilnside Evangelical Church, Kilnside Road, Paisley PA1 1RQ (a Scottish Charity – Charity No. SC 030082). Our main contact for data protection purposes is the Church Secretary.
Why do we process your personal data?
We need to obtain and process your personal data :-
- To manage the relationship we have with you (whether you are a church member or adherent; volunteer; visiting speaker; someone who attends church services or other church-based or church-related activities; donor; beneficiary; or other individual who comes into contact with us either in person or online e.g. through our website or Facebook page).
- To further our charitable objective and comply with our statutory obligations as a Scottish Charity.
- To safeguard your health and safety.
- To comply with our child protection responsibilities under the Protection of Vulnerable Groups (Scotland) Act 2007.
- To comply with other legal obligations.
What is our lawful basis for processing your information?
We will only process your information where it is necessary and there is a lawful basis for doing so.
Our lawful basis for processing your personal data is that it is necessary for the purposes of our “legitimate interests” (except where such interests are overridden by your interests, rights or freedoms). Our legitimate interests are to maintain current contact information for those using our premises, services or facilities; to enable us to run the various church services and church-based or church-related activities safely and efficiently; to book visiting speakers for the various services and activities; to support church members, adherents, visitors and others in prayer and pastorally and, where appropriate, to extend this support to and through our wider community; and to administer the financial affairs of the church (including the processing of gifts, grants, etc.) efficiently and in compliance with all relevant legislative requirements.
In certain circumstances, we may also need to process sensitive personal data. The additional basis on which we may do so is :-
- that we obtain your explicit consent e.g. where we need information on allergies or health issues in order to safeguard health or respond appropriately to any medical incident which may occur; or where we need to obtain disclosure information in order to comply with our Safeguarding Policy or our statutory responsibilities under the Protection of Vulnerable Groups (Scotland) Act 2007; or
- that we are entitled to process data on religious belief as long as we do it with appropriate safeguards in the course of our legitimate activities as a religious body, provided that the processing relates solely to members, former members or persons who have regular contact with us in connection with our purposes and that we do not disclose this data outwith the charity without your consent; or
- that we have specific legal authorisation to do so.
Who has access to your information?
Your personal data may be made available to the church elders / trustees, the leader(s) of any relevant activities and any others authorised by us who may have a legitimate need to access your data (e.g. to contact you about cancellation of an activity you may have been planning to attend). It may also be made available to appropriate external regulators and authorities (e.g. HSE and OSCR) or to other third parties where this is necessary (e.g. in a medical emergency when health data may be made available to medical personnel).
How long will we keep your information?
We will keep personal data for no longer than is required having regard to the original purpose for which it was provided. Where data includes financial information, this will be retained for a period of at least 6 years. In some cases (e.g. if a legal dispute arises) it may be necessary to retain information for a longer period until all outstanding issues have been resolved. Some data may also be stored for longer periods where it will be processed solely for archiving purposes in the public interest, historical research or statistical purposes.
What are your rights?
The General Data Protection Regulation (GDPR) gives you the following rights (subject to certain qualifications, limitations, safeguards or exemptions) in relation to your data :-
- The right to be informed (i.e. to be told why and how we obtain and use your data).
- The right of access (i.e. to be able to find out what personal data we hold about you).
- The right to rectification (i.e. to have any incorrect or incomplete data rectified).
- The right to erasure (also known as the right to be forgotten, i.e. to have your data deleted).
- The right to restrict processing (i.e. to limit the way we use your data).
- The right to data portability (i.e. to have your data copied to you or another data controller).
- The right to object (i.e. to ask us not to use your data).
- Rights in relation to automated decision making and profiling. This right is not applicable as we do not employ automated decision making or profiling.
- Where the lawful basis for processing your data is consent, you have the right to withdraw your consent at any time.
If you are not happy with the way in which we deal with your complaint or your request to exercise your rights, you can complain to the Information Commissioner’s Office. Further details about how to complain can be found at ico.org.uk.