INTRODUCTION

Welcome to the privacy notice for Bethel Evangelical Church, Gorseinon, Swansea.

As a church and registered charity, we respect your privacy and are committed to protecting your personal data.  In accordance with GDPR, this privacy notice outlines our reasons for collecting your data and how we use it, along with your legal rights.  It is available online below, or you may have been provided with a hardcopy (printed) version of the notice.  A glossary is provided at the end to explain the meaning of some of the terms used.

  1. Who is collecting your data?

Bethel Evangelical Church in Gorseinon, Swansea is an unaffiliated independent Evangelical church and a registered charity.  We are the data controller, which means we decide how your personal data is processed and for what purposes.  If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us using the following details:

Bethel Evangelical Church
West Street
Gorseinon
SA4 4AA

Email: webmaster@bethel-gorseinon.org.uk

Website: www.bethel-gorseinon.org.uk

This privacy notice was last reviewed on: 29th May 2020

It is important that the personal data we hold about you is accurate and current. Please keep us informed if any of your personal data that you have shared with us changes during your relationship with the church.

  1. What personal data do we collect about you and why?

Personal data, or personal information, means any information about a living individual from which that person can be identified.  The bullet points below outline the different categories of data collected by the church, what kind of data we need to process for those categories, and what is the legal basis that allows us to do so:

  • Consent Forms – when a child attends a new meeting or church trip, parents or guardians will be asked to complete a registration form, providing details for themselves (e.g. name and contact information) and their child (e.g. name, date of birth, medical information) so that they can be contacted in emergencies and so that we can look after the individual needs of each child. The legal basis for processing this data is legitimate interest.
  • Church Directory – church members and adherents are asked for their contact information (name, address, and telephone number) to form a central directory that facilitates collaboration, prayer and communication. The legal basis for processing this data is consent.
  • Attendance Records – at some meetings, a person’s name will be logged against the date and meeting name to track attendance. This information will be used for gift awards and tracking retention times, so that we know when to erase a person’s personal data after they’ve stopped attending.  The legal basis for processing this data is legitimate interest.
  • Distribution Lists – church attendees voluntarily subscribe to the church or missionary newsletters, providing us with their email address and/or mailing address. The legal basis for processing this data is consent.
  • Rotas & RSVP – volunteers choose to put their names on various church rotas (flowers, teas etc.) or to register interest in attending special meetings. These are displayed on the church notice board so that responsibilities can be shared and tracked.  The legal basis for processing this data is legitimate interest.  Should a person object to putting their name on a public noticeboard, they may speak to a church officer to express their interest verbally instead.
  • Sermon Data – the sermons of our pastor and visiting speakers are recorded to CD and MP3 at every Sunday service. This includes the speakers name, voice recording and/or photograph.  Copies are provided for members unable to attend the church and are also published on the church website.  The legal basis for processing this data is consent.
  • Image Data – includes photographs taken of attendees for the purpose of promoting future meetings and events or for special outreach organised through literature or church website. The legal basis for processing this data is consent.
  • Video Data – includes CCTV recordings in and around the church for the purposes of crime detection and prevention, and to safeguard our volunteers and visitors. The legal basis for processing your data captured on video is legitimate interest.
  • Meeting Minutes – member names will be recorded in church minutes if they make an important contribution to the meeting. Names of visiting speakers and other people of interest to the church may also be recorded for completeness.  The legal basis for processing this data is legitimate interest.
  • Employment Data – includes employment history, training records, pension information, details about next of kin and other details relating to your employment for a specific role within the church. The legal basis for processing this data is legal obligations.
  • Financial Data – includes bank account details, gift aid declarations and national insurance numbers, required for pay, reimbursements and tax purposes. The legal basis for processing this data is legitimate interest.
  • Managing Trustee Data – personal information (name, address etc.) of church managing trustees are recorded for registration with the Charity Commission. The legal basis for processing this data is legal obligations.
  • Missionary Details – contact names and addresses for the missionary families that the church supports are held by designated members so that donations can be sent and contact maintained. The legal basis for processing this data is legitimate interest.
  • Safeguarding Data – volunteers are required to provide personal data as part of the self-declaration process for DBS applications. Volunteer DBS certificates are also collected and securely stored in the church to provide evidence of volunteer checks and to track renewal dates.  The legal basis for processing this data is legitimate interest.
  • Marriage Records – the church is required to record personal information (name, address, parent details etc.) when a marriage takes place in the church. The legal basis for processing this data is legal obligations.
  • Technical Data – includes internet protocol (IP) address, usernames, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access websites and social media pages operated by the church.
  1. How is your personal data collected?

For most of the categories of data described above, you would have provided your personal data through some contact with the church, namely through forms, documents or lists that you filled out; these will have been for a specific purpose that you knew about beforehand.  Alternatively, the data will have been collected by a volunteer running a group or activity that you were attending e.g. attendance registers, meeting minutes etc.

For categories where your data is collected through some other means, this is covered below.

Sermon data is collected by MP3 and CD recording devices.  This is captured on removable media (SD card and CD’s) which is processed by a designated media team that does not exceed three people.

Video data is collected by four CCTV cameras mounted on the exterior of the church building, which monitor the following locations:

  1. Flat roof – records on a continuous basis with motion detection limited to the flat roof area.
  2. Side of Church – records on a continuous basis with motion detection limited to the south pathway of the church.
  3. Rear of Church – records on a continuous basis with motion detection restricted to the rear church yard (oil tank).
  4. Car Park – this will record on a timed basis when there is a meeting or activity in the church and will be used for the monitoring and protection of attendee vehicles.

Video data is recorded on a hard drive located in the church building and is only accessible by a maximum of four nominated administrators via a secure portal.  These will normally be church leaders.

Technical data about your device and browsing actions might be collected through interaction with the church website.  This will be done automatically through the use of cookies and other similar technologies.  Please see our cookie policy available on our website for further details.

  1. Who is your data shared with?

In most cases, your data will be shared with the volunteer team that supports the meetings or activities that you attend and to which your data relates.  Volunteers from other meetings will not have access to your data, but where necessary it may be shared with church leadership that support the volunteer teams.

Sensitive data such as financial, safeguarding or employment information is shared on a need-to-know basis.  Where we use a third-party service provider to process payments, they have access only to information needed to perform their function and can use it only for this specific purpose.

If you gave your consent to being included in the Church Directory, then your name, address, telephone and email can be found by others in the same directory.

As noted above, rotas and meeting sign-ups are placed on public notice boards.  These are located in the front porch of the church and as such, anyone entering the building has sight of them.

With consent, information about you may be visible to the public via our website (e.g. leaders’ biographies) or promotional material for specific meetings.

Your data will not be shared with other third parties unless you give consent or unless required by law.

  1. How long will your data be held?

We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Personal data that is provided or obtained during your contact with the church (e.g. consent forms, registers etc) will be retained for a period of 12 months after you (or your child) stopped attending meetings or stopped your contact with the church.  After this time, your data will be reviewed and securely shredded and disposed of.

Personal data that is collected as part of being a church member (e.g. church directory, rotas, distribution lists etc) will only be retained for the duration that you remain a member.  When a person leaves church membership, their personal data will be erased from the aforementioned locations.

Personal data that is captured through a mechanism that constitutes being an important part of church history and its function (e.g. meeting minutes, sermon recordings etc), will be retained for the duration that the church remains open and active.

Personal data that relates to the functioning of the church (e.g. employment contracts, volunteer and trustee data, financial and gift aid records etc.) will be retained for a minimum period of seven years. When this personal data is considered obsolete, paper copies will be securely shredded and disposed of.

Video data is retained for approximately a two-week rolling period.  As the disk drive fills up, old data is automatically overwritten and replaced with the latest video feed data.  Technical data is retained for up to 12 months before expiring.

Personal data that is captured in the process of registering marriages will be retained indefinitely in accordance with the church’s legal role as registrar for the wedding.

  1. Can you see your data?

You may request details of all the information that Bethel Evangelical Church holds about you by completing a Subject Access Request (SAR) using the form available on our website.  Alternatively, speak to an officer of the church about obtaining a hard copy if you cannot access the internet.

  1. Can you ask for your data to be deleted?

In specific circumstances, you have the right to request that Bethel Evangelical Church erase some or all of the personal data that we hold about you.  Examples of when you have the right to be forgotten might include situations where we no longer need your data for the purpose that we originally collected it for.  Alternatively, you may have originally given consent for us to use your data but would now like to withdraw that consent.

If you would like to exercise this right, please contact us in writing using the contact information above.  We will then review your request and respond accordingly.

  1. What if there is a problem?

If you have a concern about the way we are collecting or using your personal data, you should raise your concern preferably with us in the first instance or directly to the Information Commissioner’s Office at: https://ico.org.uk/concerns

  1. Glossary

“controller” is the data controller described in Section 1 of this privacy notice.  They exercise overall control over the purposes and means of the processing of personal data.

“data subject” is a living, identified or identifiable individual about whom personal data is held. e.g. our members, volunteers, employees, those who join us in worship and/or those who are interested in and supportive of the work of Bethel Evangelical Church and third parties such as missionaries we support.

“consent” is a very clear and specific statement that gives permission with regards to how the data you provide might be used.

“GDPR” means the General Data Protection Regulation ((EU) 2016/679).  Personal data is subject to the safeguards specified in the GDPR.

“lawful bases” are the five lawful grounds on which we can lawfully process personal data set out under Article 6 of GDPR.  The lawful basis or bases on which we rely are set out under Section 2 of this privacy notice.

“personal data” is any information identifying a living individual or information relating to an individual that can be identified from that information/data (alone or in combination with other information in your hands or that can reasonably be accessed). Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. Personal information includes an individual’s name, address, date of birth, telephone number, email address, a photograph or disability, health or ethnicity data.

“Processing” “processed” or “process” means any activity that involves the use of personal data.  It includes obtaining, recording or holding the data, or carrying out any activity or set of activities on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it.  Processing also includes transmitting or transferring personal data to third parties e.g. sharing member information by email and shredding when information is no longer required.