Privacy Policy

This Privacy Notice explains when and why we collect personal information about you, how we use it and the conditions under which we may disclose it to others. Your personal data is defined as any information that can directly or indirectly identify you. This notice also explains how we keep your data safe and secure and includes information you need to know about your rights and how to exercise them. If you have any questions regarding our Privacy Notice and our use of your personal data, or would like to exercise any of your rights, please get in touch via the following information: 

Write to us: Data Protection Officer, Gregory Centre for Church Multiplication, The Old Deanery, Deans Court, London EC4V 5AA

Email us at: dataprotection@ccx.org.uk

Call us at: 020 3837 5275

1. Who are we? 

We are CCX and for the purposes of UK Data Protection Law, we are registered with the ICO. We are a leading centre for church multiplication in the UK.

2. Personal data collected, how and why we collect it, and on what lawful basis  

Please click on the relevant appendices below 

Appendix 1 – Human Resources

Appendix 2 – Service Users and Clients

Appendix 3 – Fundraising and Marketing

3. Your Rights 

Under data protection laws in the UK and EU, you have certain rights over the personal information that we hold about you. If you would like to exercise your rights, please get in contact with any of the details listed above. Here is a summary of the rights we think apply: 

a. Right to be Informed 

You have the right to be informed as to how we use your data and under what lawful basis we carry out any processing. This Privacy Notice sets this information out however if you would like further information, please get in touch.  

b. Right of Erasure – also known as the right to be forgotten 

You may ask us to delete some or all of your information we hold about you. Sometimes where we have a legal obligation we cannot erase your personal data. 

c. Right to Object 

You have the right to object to processing where we are using your personal information such as where it is based on legitimate interests or for direct marketing. 

d. Inaccurate personal information corrected 

Inaccurate or incomplete information we hold about you can be corrected. The accuracy of your information is important to us and we are working on ways to make this easier for you to review and correct the information that we hold about you. If any of your information is out of date or if you are unsure of this, please get in touch through any of the contact details listed in this notice. 

e. Right of restriction 

You have a right to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy, or we are not lawfully allowed to use it. 

f. Right to Access your information  

You have a right to request access to a copy of your personal information that we hold about you, along with the information on what personal information we use, why we use it, who we share it with, how long we keep it for and whenever it has been used for automated decision making. You can make a request for access free of charge and proof of identity is required. 

g. Automated decision making 

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. You have the right to question the outcome of automated decisions that may create legal effects or create a similar significant impact on you.  

h. Portability 

You can ask us to provide you or a third party with some of the personal information that we hold about you.  

i. Right to withdraw consent  

Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data 

4. Transferring your information outside of the United Kingdom 

Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs). 

5. Complaints procedure 

If you are unhappy with the way we process your data, please get in touch by using one of the contact methods above. You can also make a complaint to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK. They can be contacted by at 0303 123 1113 or you can write to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 

6. Changes to our Privacy Notice 

This privacy notice is kept under regular review.  If we make any significant changes to the way in which we process your information, we will let you know by either reaching out to you or posting a banner on the website. 

 

APPENDIX 1 – Human Resources 

Freelancers, job applicants and current and former employees, trustees, volunteers 

1. How and when do we collect information about you? 

You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement. In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references. 

2. What types of information is collected about you and who provides it?  

We keep several categories of personal data on our employees/freelancers/job applicants/trustees in order to carry out effective and efficient processes. Specifically, depending on your type of engagement with CCX, we may process the following types of data: 

a. personal details such as name, address, phone numbers 

b. name and contact details of your next of kin 

c. your photograph, your gender, marital status, faith or religion 

d. footage of the organisation events where you may appear 

e. information of any disability or other medical information you have disclosed  

f. right to work documentation 

g. information gathered via the recruitment process such as that included in a CV, cover letter or application form, references from former employers, details on your education and employment history etc 

h. National Insurance number, bank account details and tax codes 

i. information relating to your employment with us (e.g job title, job description, salary, terms and condition of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern and disciplinary, disciplinary and grievance proceedings.  

j. internal and external training modules undertaken 

k. information on time off from work including sickness absence, family related leave etc 

l. IT equipment use including telephones and internet access 

m. your biography and picture for the website (if applicable). 

We may also process special category of data which include health information, sexual orientation, race, ethnic origin, political opinion, religion, trade union membership, genetic and biometric data. We may also process criminal records information if the role involves DBS check.  

3. How is the information used? 

We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/ trustee agreement, without which we would be unable to employ you.Holding your personal data enables us to meet various administrative tasks, legal obligation or contractual/agreement obligation. We process information in relation to the DBS for our safe recruitment practices.  We use People HR, Zero , ExpenseIn as processors. 

4. Lawful basis for processing 

We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees. We may also have legal obligation in order to process and share your data, for example we need to share salary information to HRMC or use some of your data to enrol a new employee on a pension scheme.  

We may rely on our legitimate interest for processing activity such as keeping supervision and appraisal records; using your image, bio and videos/pictures of the organisations’ events where you may appear on our website or marketing/fundraising materials to promote the charity.  

Some special categories of personal data, such as information about health or medical conditions is processed in order to carry out employment law obligations (such as those in relation to colleagues with disabilities and for health and safety purposes). We may also process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief for the purposes of equal opportunities monitoring. 

When processing criminal records (for example, in order to perform DBS check), the organisation relies on the lawful basis of legitimate interest. When processing special category of data and criminal records, we rely on additional conditions of the UK GDPR and DPA 2018.  

5. How long do we keep your data? 

We only keep your data for as long as we need it for, which will be at least for the duration of your employment/engagement with us though in some cases we will keep your data for a period of 7 years after your employment/engagement has ended. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 12 months.  

Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch by contacting us using the details above if you want to know more about retention period.  

Data is destroyed or deleted in a secure manner as soon as the retention date has passed.  

6. Confidentiality – who do we share your data with? 

Personal Data in relation to your salary is shared with HRMC as part of our legal obligation. Personal Data may be shared with third parties for the following reasons: for the administration of payroll, pension, HR functions (for example the online holiday booking system), administering other employee benefits (such as the Childcare Voucher Scheme) and with the building security team for the issuing of you building access pass. When sharing information with third parties, we have data sharing, processor agreements or contracts in place to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data. 

 

APPENDIX 2 – Service Users and Clients 

1. How we collect information about you? 

We collect your information in the following ways:

  1. When you register for an event
  2. When you sign up for training courses
  3. When we reach out to you for attending or speaking at our events 
  4. When we identify people in different church networks 
  5. When you participate with Myriad 
  6. When you submit mentor applications 
  7. Applicants for grants

The information we collect may include name, data of birth, gender, ethnicity, religion, contact details, health conditions, life background, safeguarding information. This information is provided to us directly by you in most cases. We may also collect information through case studies, and also click photographs at events, or record videos that appear on our website.

2. How is your information used? 

We may use your personal information to  

  • To work to deliver the Church’s mission, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in our Memorandum & Articles. 
  • To promote and assist the mission and growth of the Church of England, the wider Church in the UK, and further afield. 
  • To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practices from time to time with the aim of ensuring that all children and adults-at-risk of abuse or neglect are provided with safe environments. 
  • To administer the work of CCX and to use relevant data collected by us in analysing the task of planting churches and new missional communities 
  • To communicate with you on the work of CCX and notify you of changes to our services, events and role holders. e.g. those who sign up to receive newsletters. 
  • To send you communications which you have requested, or that may be of interest to you. These may include information about campaigns, appeals, or other fundraising activities. e.g. those who make donations to CCX 
  • To process a grant. 
  • Our processing may include the taking of photographs, filming and live streaming of particular events for use in promotional or training events, and which may appear in promotional material and/or on our intranet and website. Our website is also accessible from overseas. 
  • To process and share information for safeguarding 
  • Collate anonymised or pseudonymised statistical information for funders, the charity  and delivery partners 

3. Lawful basis for processing 

We mainly rely on the following lawful basis for processing your information:

  1. When you register for events, or when we reach out to you for speaking at events, we process your information on the basis of legitimate interest
  2. When you sign up for training courses, we process your information on the basis of contractual obligation
  3. For searching people in different church networks, we rely on legitimate interest.
  4. For processing your data within Myriad, we rely on legitimate interest.
  5. For processing grants, we rely on legitimate interest. 
  6. For case studies, and photography, we rely on your consent.

When we process special category of data and criminal records, the lawful basis is substantial public interest read with conditions from the Data Protection Legislation.  

4. How long do we keep your data for? 

We retain the personal data of all service users for a period of in line with our retention periods. If you would like to know more about this, please contact us at the email address above. 

5. Confidentiality, data sharing and safeguarding  

  • We may share your data with other organisations involved in providing support. These organisations act as data processors (such as Eventbrite, Mailchimp, Salesforce), and process such data on our behalf.  We share such information on the basis of legitimate interest.
  • When sharing information with funders, we will provide information anonymously. We may share your data with the Church of England on the basis of legitimate interest.
  • To comply with our duty of care and safeguarding, we may need to pass some information raising safeguarding concern with the authorities. In such circumstances, we apply vital interest and legitimate interest as our lawful basis. Data subjects’ rights and other UK GDPR provisions may be restricted when concerning personal data processed in these circumstances. Exceptions and exemptions are applied on a case by case basis.  

 

APPENDIX 3 – Fundraising and Marketing 

Information we collect: 

When you make a donation 

Information is provided by you via a donation form on our website or via third party donation platforms (e.g Just Giving and Virgin Money Giving). The information gathered may be: name, email address, Gift Aid sign up, company name if donation made by an organisation, donation details, reasons to engage, postal address. We use PandaDoc as a processor. 

This information allows us to process your donation, and deal with any potential enquiry. We rely on our legitimate interest to process this data.  If you agree that we can claim Gift Aid on your donations we are legally required to keep a record of the claim and your Gift Aid declaration.  If you are donating using a third party, please also refer to the privacy notice published on their websites.  

When you sign up to our events 

Information is mainly provided by you via our website forms, via third party platforms (e.g Eventbrite) or in person during the events by paper forms. The information gathered may be: name, email address, company name if applicable, donation/payment details, reasons to engage, postal address, email address contact preference. 

This information allows us to administer your sign up, process payments, and deal with any potential enquiry. We rely on the legitimate interest to process this data.   

During these types of events, we may also take photographs and video recordings of people attending where you may be included. This information allows us to showcase our work and have effective external communication. We rely on our legitimate interest to process this data.  If you are signing up to an event using a third party, please also refer to the privacy notice published on their websites. 

When you show interest in supporting us (e.g through a gift in your will or a pledge) and you decide to contact us 

Information is provided mainly by yourself, via online forms or phone/email conversation with us. The information gathered may be: occupation, title, details of any correspondence had with ourselves, date of birth, fundraising appeals responses, event participations with us, details of your reasons to engage with us. This information allows us to deal with your inquiry and show you how to get engaged. We rely on our legitimate interest to process this data.

Marketing Communications: 

Your contact details may be used to provide you with information about our services or our fundraising opportunities via email, text or other electronic message. We will only send you fundraising and marketing communications by email, text or other electronic message if you have provided your consent, or if you have been involved in ​​a commercial transaction with us. You may opt-out of our fundraising and marketing communications at any time by clicking the unsubscribe link at the end of our e-marketing communication. Alternatively, you can let us know by using any of the contact details listed at the top of this notice.