Why do we need a Privacy Notice?
Data Protection regulation in the UK requires all organisations to inform individuals about the personal data they hold and use, and the reasons for this. This Privacy Notice is intended to make it easier for you to find out how we use and protect your information.
Who does this Notice apply to?
This Privacy Notice is for all those whose personal information is dealt with in any way by CCX, including lay officers, clergy, employees, volunteers, contractors, suppliers, tenants and clients.
How this Privacy Notice relates to you?
We want to be open and transparent about how we use your personal data. We are a
charity and a limited company. We set out below to have a list of the different types of data that we might use.
This Privacy Notice has in it what the new Data Protection Regulation, requires us to include, and it covers:
1. Your personal data – what is it?
2. Who are we?
3. What is the lawful basis for processing your personal data?
4. How does CCX process your personal data, and for what purposes?
5. Sharing your personal data
6. How long do we keep your personal data?
7. Your rights and your personal data
8. Transfer of data abroad
9. Further processing
10. Contact details
11. Changes to this Notice
CCX holds a range of data. Do you hold all of this information about me?
No, we don’t; only a limited amount of examples in the Notice will apply to you. This will generally be data you have given us, and relevant information collected mostly from parishes and other bodies.
Privacy Notice
1. Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be
identified from that data (for example a name, photographs, videos, email address, or address). Identification can be by the information alone or in conjunction with any other information. The processing of personal data is governed by the Data Protection Act 2018, the ‘UK GDPR’ which is the retained EU law version of the General Data Protection Regulation (EU) 2016/679, and other legislation relating to personal data and rights such as the Human Rights Act 1998.
2. Who are we?
This Privacy Notice is provided to you by the Gregory Centre for Church Multiplication (CCX) which is the data controller for your data, which we hold and use. This means that we are responsible to you for how we process your data.
3. What is the lawful basis for processing your personal data?
The GDPR requires specification in the Privacy Notice of the lawful basis for processing personal data. Below are the lawful bases which are relevant for our processing activities.
- legitimate interests, or the legitimate interests of a third party (such as another organisation in the Church of England)
- compliance with a legal obligation
- performance of a contract, or to take steps to enter into a contract
- where consent has been obtained Religious organisations are also permitted to process information which reveals a person’s religious beliefs, to administer membership or contact details.
4. How does CCX process personal data?
CCX will comply with its legal obligation to keep personal data up to date; to store and destroy it securely; not to collect or retain excessive amounts of data; to keep personal data secure, and to protect personal data from loss, misuse, unauthorised access and disclosure and to ensure that appropriate technical measures are in place to protect personal data.
We use your personal data for purposes included amongst the following:
Overall purposes
a) To enable us to meet all legal and statutory obligations.
b) To work to deliver the Church’s mission, and to carry out any other voluntary or
charitable activities for the benefit of the public as provided for in our
Memorandum & Articles.
c) To promote and assist the mission and growth of the Church of England, the wider Church in the UK, and further afield.
d) To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practices from time to time with the aim of ensuring that all children and adults-at-risk of abuse or
neglect are provided with safe environments.
In carrying out our overall purposes
e) To administer the work of CCX and to use relevant data collected by us in
analysing the task of planting churches and new missional communities
f) To fundraise and promote the interests of the charity. e.g. information supplied by
donors to use in supporting our work.
g) To maintain our own accounts and records.
e.g. re: Contractors, suppliers and tenants – for putting agreements in place, invoicing
and making payments. Personal data held in this regard forms part of our
contractual arrangements with you.
h) To communicate with you on the work of CCX and notify you of changes to our
services, events and role holders. e.g. those who sign up to receive newsletters.
i) To send you communications which you have requested, or that may be of interest
to you. These may include information about campaigns, appeals, or other
fundraising activities. e.g. those who make donations to CCX
j) To process a grant or application.
k) To manage our employees, volunteers and contractors. We will process data
about individuals for legal, HR, administrative and management purposes and to
enable us to meet our legal obligations.
- Employees – to pay you, according to our contract with you; to monitor your
performance, which we have a legitimate interest to do in taking forward our aims
and objectives; and to confer benefits, such as sick pay, which we have a legal
obligation to do. - During the course of your employment, information you have given us may be shared with our external agents (e.g. our payroll processors) to enable us to manage your employment and comply with our policies and procedures, e.g. prevention of
illegal working, disciplinary, grievance, and performance management policies.
Your information will be held securely in compliance with our retention/data
deletion policy and where relevant, individual policies which reflect these
arrangements.
l) We may process special categories of personal data relating to individuals
including, for example as appropriate:
- information about a physical or mental health condition in order to monitor sick leave and take decisions as to the individual’s fitness for work;
- the individual’s racial or ethnic origin or religious or similar diversity data in order to monitor compliance with equal opportunities legislation;
- in order to comply with legal requirements and obligations to third parties.
m) Our processing may include the taking of photographs, filming and live streaming of particular events for use in promotional or training events, and which may appear in promotional material and/or on our intranet and website. Our website is also accessible from overseas.
5. Sharing your personal data.
Your personal data will be treated as strictly confidential. It will only be shared with third parties including other data controllers where it is necessary for the performance of CCX’s tasks or where you first give us your prior consent.
6. How long do we keep your personal data?
In general, CCX will endeavour to keep data only for as long as we need it. This means that we may delete it when it is no longer needed, in line with our approach to data retention. We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is current best practice to keep financial records for a minimum period of 6 years to support audits from external bodies.
7. Your rights and your personal data.
You have the following rights with respect to your personal data:
- To access the information we hold on you – you can contact us in writing at any time
- To correct and update the information we hold on you – we will make relevant
changes - To have your information erased – you can request deletion
- To restrict the processing of your data – you can object to your data being used
- To move your data (data portability) – you can request data transfer
- To withdraw your consent, where consent was sought – this can be at any time
- To object to the processing of personal data where applicable.
- To lodge a complaint with the Information Commissioners Office.
When exercising any of the rights listed above, in order to process your request, we may need to verify your identity for your security. In such cases, we will need you to respond with proof of your identity before you can exercise these rights.
8. Cookies used on our website (ccx.org.uk)
We have outlined below the cookies which are used on this site and provided details on how to manage them. You can find out more about cookies and how they work from Gov.uk. The table below explains the cookies we use and why.
Cookie | Name | More Information |
Content Management System Cookie | CFID | This cookie is set by our content management system, upon arrival to our website. It is not used by us for any purpose but is needed for the website to function. This cookie is deleted when a user closes their browser. |
Content Management System Cookie | CFTOKEN | This cookie is set by our content management system, upon arrival to our website. It is not used by us for any purpose but is needed for the website to function. This cookie is deleted when a user closes their browser. |
Google Analytics | _utma
_utmb _utmc _utmz |
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where vistors have come to the site from and the pages they visited. Read an overview of privacy at Google. |
How to control and delete cookies
We do not use cookies to collect information about you which is personally identifiable. If you wish to restrict or block the cookies on our website however, you can do this through your browser settings. The built-in ‘Help’ option will give you details on how to achieve this or you can visit the All About Cookies website which offers guidance.
9. Transfer of Data Abroad
In general we do not transfer personal data abroad. However, where this does occur, any electronic personal data transferred to countries or territories abroad will only be placed on systems complying with measures giving broadly equivalent protection of personal rights either through international agreements or contracts which comply with the UK GDPR.
10. Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where applicable and whenever necessary, we will seek your prior consent to the new processing.
11. Contact Details
Please contact us if you have any questions about this Notice or the information we hold about you or to exercise all relevant rights, queries or complaints at:
Data Protection Officer, Gregory Centre for Church Multiplication, The Old Deanery, Deans Court, London EC4V 5AA. 020 3837 5275
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
12. Changes to this notice
We keep this Privacy Notice under regular review and we will place any updates on our web page.