1 INTRODUCTION
1.1 The Roman Catholic Archdiocese of Southwark (the "Diocese") is a charity registered with the CharityCommission in England and Wales. Our charity number is 1173050 and our registered address is 150St George’s Road, London, SE1 6HX. In this Statement, references to 'we' and 'us' mean theArchdiocese.
1.2 When you provide us with Personal Data in order to engage with us and/or benefit from our activities,we will keep a record of the data you give to us in order to enable us to comply with our statutoryobligations and to achieve our charitable objects of advancing and maintaining the Roman Catholicreligion through the operation of our parishes and our other activities.
1.3 For the purpose of the General Data Protection Regulation 2016/279 (GDPR), the Diocese, through itsTrustees will be a Data Controller in respect of your Personal Data. In some cases, the Diocese maybe a joint Data Controller of your Personal Data (e.g. where your data is shared between the Dioceseand another organisation for a particular purpose, such as schools admissions). Please be aware thatour parishes form part of the Diocese and are not separate legal entities. Parishes are not DataControllers nor do they process Personal Data on behalf of the Diocese as a Data Processor.
1.4 Everyone has rights with regard to how their Personal Data is handled by organisations. The Dioceseis committed to ensuring that Personal Data is properly and securely managed in accordance with therelevant Data Protection Rules, and believes this is an important part of achieving trust and confidencebetween the Diocese and those with whom it interacts. Please read this Notice to understand howwe use and protect the information that you provide to us or that we obtain or hold about you, andto understand what your rights are in relation to information that we hold. This Statement applies toinformation about living identifiable individuals only.
2 WHAT PERSONAL DATA DO WE HOLD ABOUT YOU?
2.1 We may hold the following types of Personal Data:
2.1.1 Name and contact details;
2.1.2 Gender, age, date of birth, marital status and nationality;
2.1.3 Information about your education/work history, training and professional qualifications;
2.1.4 Information about your family and any dependants;
2.1.5 Information about your current involvement in Diocese activities and events;
2.1.6 Financial information (e.g. bank details) and details of any donations you have made to usin the past;
2.1.7 Information obtained as a result of any background checks on clergy, employees andvolunteers;
2.1.8 CCTV recordings and photographs;
2.1.9 Information we collect through your use of our website(s), such as IP addresses and otherinformation collected using cookies;
2.1.10 Information about other events, activities and training; and
2.1.11 Any other information which you choose to provide to us.
2.2 We may also hold Special Categories of Personal Data (e.g. information about your religious beliefs,information about your health and wellbeing, information revealing racial or ethnic origins,information concerning your sexual orientation or in the case of background checks, informationabout criminal records or proceedings).
2.3 We may also receive Personal Data about you from third parties, for example, your family members,other parishioners, other dioceses and religious orders, medical professionals, local authorities,government departments and their agencies, schools and other educational establishments, thepolice and other law enforcement bodies.
HOW AND WHY DO WE PROCESS YOUR PERSONAL DATA?
3.1 The Personal Data which we hold about you, whether it is collected directly from you or whether wereceive it from a third party, may be Processed in a number of ways, for example:
3.1.1 to communicate with you in relation to news about or activities and events taking place inthe Diocese or in any diocesan parish, including seeking feedback and informing you of anychanges to our activities;
3.1.2 to improve our activities and the way we communicate with you including our website orthe website of any parish;
3.1.3 to carry out our activities, from weddings and funerals to general pastoral and spiritualcare;
3.1.4 to process donations that you may make to us or other payments where, for example, youhire facilities belonging to the Diocese;
3.1.5 to administer, support, improve and develop the administration of the Diocese's work andoperations and to keep the Diocese's or any parish's accounts and records up-to-date;
3.1.6 to process applications from you, including grant applications and applications for a rolewithin the Diocese;
3.1.7 to identify potential additional sources of fundraising;
3.1.8 for audit and statistical purposes (e.g. for the annual audit undertaken by the Bishops’Conference of England and Wales);
3.1.9 to ensure we comply with our legal obligations (e.g. by providing information to the CharityCommission or HMRC or carrying out safeguarding activities);
3.1.10 in the case of CCTV recordings, to prevent or detect crime, and to help create a saferenvironment for our staff, parishioners and visitors; and
3.1.11 to deliver training and education
3.1.12 to ensure other volunteers in your group/rota can contact you
3.2 Any information gathered through cookies and similar technologies via the Diocesan website or thewebsite of any parish, is used to measure and analyse information on visits to the website, to tailorthe website to make it better for visitors and to improve technical performance. We will not use thedata to identify you personally or to make any decisions about you.
4 ON WHAT GROUNDS DO WE PROCESS YOUR PERSONAL DATA?
4.1 We must have a lawful basis for Processing your information; this will vary according to thecircumstances of how and why we have your information but typical examples include:
4.1.1 the activities are within our legitimate interests in advancing and maintaining the RomanCatholic religion, in providing information about the activities of the Diocese or anydiocesan parish, and to raise charitable funds (e.g. where we use baptism data to follow upwith families for first communion);
4.1.2 you have given consent (which can be withdrawn at any time by contacting us using thedetails below) for us to process your information (e.g. to send you marketing or fundraisingcommunications by email or SMS);
4.1.3 we are carrying out necessary steps in relation to a contract to which you are party or priorto you entering into a contract (e.g. where you enter into a hire agreement for one of ourfacilities);
4.1.4 the Processing is necessary for compliance with a legal obligation (e.g. where we pass oninformation to a local authority for safeguarding or other reasons);
4.1.5 the Processing is necessary for carrying out a task in the public interest (e.g. updating
andmaintaining the register of marriages); or
4.1.6 to protect your vital interests (e.g. if you were unfortunate enough to fall ill or suffer aninjury on our premises, then we may pass on information to the NHS for treatmentpurposes and to family members).
4.2 If we Process any Special Categories of Personal Data we must have a further lawful basis for theprocessing. This may include:
4.2.1 where you have given us your explicit consent to do so (e.g. to cater for your medical ordietary needs at an event);
4.2.2 where the Processing is necessary to protect your vital interests or someone else's vitalinterests (e.g. passing on information to the NHS);
4.2.3 where the Processing is carried out in the course of our legitimate interests as a RomanCatholic diocese working with and supporting our current and former parishioners and theinformation is not shared outside the Diocese other than with your consent (e.g. carryingout parish censuses);
4.2.4 you have made the information public;
4.2.5 where the Processing is necessary for the establishment, exercise or defence of legalclaims;
4.2.6 where the Processing is necessary for carrying out the Diocese's employment and socialsecurity obligations; or
4.2.7 the processing being necessary for reasons of substantial public interest (e.g. where stepsare taken to prevent fraud or other dishonest activity);
provided that the legal basis is proportionate to the aim pursued and provides for suitable and specificmeasures to safeguard your rights, or as part of our legitimate interests as a Roman Catholic dioceseand charitable institution.
5 WHO WILL WE SHARE YOUR INFORMATION WITH?
5.1 We will only use your Personal Data within the Diocese for the purposes for which it was obtained,unless you have explicitly agreed that we may share your Personal Data with another organisation orunless we are otherwise permitted or required to under the Data Protection Rules or order of a Courtor other competent regulatory body or as set out in this Statement.
5.2 We may share your information with government bodies for tax purposes or law enforcementagencies for the prevention and detection of crime.
5.3 Sometimes the Diocese contracts with third parties whom we ask to Process Personal Data on ourbehalf (e.g. IT consultants, distributors of parish newsletters and directories). We require these thirdparties to comply strictly with our instructions and with the GDPR.
5.4 We also may be required to share your Personal Data so that the Diocese can benefit from Gift Aidnominations you have made e.g. with HMRC.
5.5 We have in place administrative, technical and physical measures designed to guard against andminimise the risk of loss, misuse or unauthorised processing or disclosure of the Personal Data thatwe hold.
5.6 In the course of Processing your Personal Data, or disclosing it to the recipients referred to above, wemay transfer it to countries which are outside the European Economic Area (EEA) (e.g. to the Vatican),some of which may not have laws which provide the same level of protection to your Personal Dataas laws inside the EEA. In such cases we will take steps to ensure that the transfers comply with theGDPR and that your Personal Data is appropriately protected.
6 HOW LONG WILL WE KEEP YOUR INFORMATION FOR?
6.1 Your information will be kept in accordance with our Retention & Disposal of Records Policy and/oras required by law. In any event, we will endeavour to only keep Personal Data for as long as isnecessary and to delete it when it is no longer so.
7 YOUR RIGHTS
7.1 You have rights in respect of the Personal Data you provide to us. In particular:
7.1.1 the right to request a copy of some or all of the Personal Data that we hold about you(including, in some cases, in a commonly used, machine readable, format so that it can betransferred to other Data Controllers). This is called a subject access request (SAR). We donot make a charge for this service;
7.1.2 if we Process your Personal Data on the basis that we have your consent, the right towithdraw that consent;
7.1.3 the right to ask that any inaccuracies in your Personal Data are corrected;
7.1.4 the right to have us restrict the Processing of all or part of your Personal Data;
7.1.5 the right to ask that we delete your Personal Data where there is no compelling reason forus to continue to Process it;
7.1.6 the right to object to us Processing your Personal Data for direct marketing purposes e.g.in relation to fundraising carried out by the Diocese; and
7.1.7 the right not to be subject to legal or other significant decisions being taken about you onthe basis of an automated process (i.e. without human intervention).
7.2 Please note that the above rights may be limited in some situations – for example, where we candemonstrate that we have a legal requirement to Process your Personal Data. Also, we may need youto provide us with proof of identity for verification and data security purposes before you can exerciseyour rights.
7.3 Please note that you may only request to see information held about yourself. You cannot request tosee information about third parties without their express consent and this includes children over theage of 12.
8 CHANGES TO THIS STATEMENT
8.1 We may make changes to this Statement from time to time as our organisational practices and/orapplicable laws change. We will not make any use of your personal information that is inconsistentwith the original purpose(s) for which it was collected or obtained (if we intend to do so, we will notifyyou in advance wherever possible) or otherwise than is permitted by the Data Protection Rules.
9 CONTACT DETAILS
9.1 If you have any questions, require further information about how we protect your Personal Data, ifyou wish to exercise any of the above rights or if you would like to provide feedback or make acomplaint about the use of your information, please contact the Diocesan Data Protection Officer(DPO): dpo@finance-rcdsouthwark.org.
9.2 Any complaints will be dealt with in accordance with the Diocesan Complaints Policy.
9.3 We hope that we can satisfy any queries you may have about the way in which we Process yourPersonal Data. However, if you have unresolved concerns you also have the right to complain to theInformation Commissioner (‘ICO’) (www.ico.org.uk).
10 COOKIES
10.1 Cookies, also known as browsers or tracking cookies, are small text files that are added to yourcomputer when you visit a website. They help websites to perform certain functions e.g. to know whoyou are if you log into a restricted part of a website, for shopping carts, and for tracking purposes.
10.2 Each parish and agency that has a website has created and maintains that website themselves. If anywebsite that you visit within the Diocese uses cookies you will be advised of this when you access thewebsite. You can then choose to opt in or opt out of the cookies.
11 GLOSSARY
"Data Controller" means a person, organisation or body that determines the purposes for which, and themanner in which, any Personal Data is processed. A Data Controller is responsible for complying with the DataProtection Rules and establishing practices and policies in line with them.
"Data Processor" means any person, organisation or body that Processes personal data on behalf of and on theinstruction of the Diocese. Data Processors have a duty to protect the information they process by following theData Protection Rules.
"Data Subject" means a living individual about whom the Diocese processes Personal Data and who can beidentified from the Personal Data. A Data Subject need not be a UK national or resident. All Data Subjects havelegal rights in relation to their Personal Data and the information that the Diocese holds about them.
"Personal Data" means any information relating to a living individual who can be identified from thatinformation or in conjunction with other information which is in, or is likely to come into, the Diocese’spossession. Personal Data can be factual (such as a name, address or date of birth) or it can be an opinion (e.g.a performance appraisal). It can even include a simple email address. A mere mention of someone's name in adocument does not necessarily constitute Personal Data, but personal details such as someone's contact detailsor salary (if it enabled an individual to be identified) would fall within the definition.
"Processing" means any activity that involves use of Personal Data. It includes obtaining, recording or holdingthe information or carrying out any operation or set of operations on it, including organising, amending,retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring or disclosing PersonalData to third parties.
"Special Categories of Personal Data" (previously called sensitive personal data) means information about aperson’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physicalor mental health or condition or sexuality. It also includes genetic and biometric data. Special Categories ofPersonal Data can only be processed under strict conditions and such processing will usually, although notalways, require the explicit consent of the Data Subject.
