Our Privacy Statement.
Here are some quick links in case you want to jump to a particular section: -
Let’s start with introductions.
A culture of privacy and data security.
Personal data provided by you and others.
You can voluntarily provide us with your personal data.
You may choose to give us personal data belonging to others.
Accuracy and completeness of personal data.
Categories of personal data we may collect.
How we may collect personal data.
Specific purposes and legal basis for processing your information.
Recipients of your personal data.
The security of your personal data.
We only keep data for as long as necessary.
You have rights when it comes to your personal data.
You can request access to your personal data.
What to do when things don’t go as planned.
Let’s start with introductions.
Your personal information is collected and processed by City Church Preston. The protection and integrity of your personal data is very important to us.
Registration Details
City Church Preston is a UK based charitable church organisation. We are a charity registered in England and Wales (number 1153061). Our company number is 8522873 and our registered office is at: -
City Church Preston
St Thomas's Centre
Lancaster Road North
Preston
Lancashire
PR1 2SQ
City Church Preston (CCP) is a UK based charitable church organisation which operates in the North West of England.
CCP values everyone who engages with us by whatever means, and we do all we can to protect your privacy and to make sure the personal data you provide us is kept safe.
ICO Registration Details
Registration number: ZB052495
We’re protecting your data.
For the purposes of this Policy, ‘us’, ‘we’ and ‘our’ refer to CCP. This Policy has been adopted by City Church Preston (“CCP”).
We are committed to safeguarding your personal data. This Policy describes how we collect, use, disclose and process your personal data, and applies to personal data we collect about you. We treat all our participants and volunteers in line with our values and we welcome any feedback on any of our actions.
This Policy supplements but does not supersede or replace any other consents you may have provided to us, or any other agreements or arrangements that you may have with us, in respect of your personal data.
A culture of privacy and data security.
Data protection and privacy is ever-changing and enhancing the rights of our participants, employees and partners. As such, we review our uses of personal data and may amend this Policy from time to time to reflect changes in applicable laws, improvements in data security or the way we handle personal data. Any updated Policy will supersede earlier versions and will apply to personal data provided to us previously.
You are encouraged to re-visit our Policy from time to time so that you are aware of our culture of privacy and relevant updates we have made to our Policy.
Personal data provided by you and others.
What is personal data?
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as: “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
You can voluntarily provide us with your personal data.
We collect personal data that you voluntarily provide to us. When you visit us, sign up as a volunteer, or register for services either directly or through our website, CCP will collect general information about you, such as your name, address, date of birth, contact details so that we can contact you.
We may also collect this and other types of personal information during the course of dealing with you, for example, when you participate in CCP’s activities or complete other forms.
You always have the choice not to provide us with personal data. If you have provided your consent for us to process your personal data, you also have the right to withdraw your consent by contacting our Data Protection Office.
However, if you do so, it may not be possible for us to fulfil the specific purposes for which we were given consent, including taking part in or receiving services offered by CCP.
You may choose to give us personal data belonging to others.
If you provide the personal data of anyone other than yourself (e.g. your family, friends, colleagues, associates, agents, partners), you are responsible for informing him/her of the specific purposes for which we are collecting his/her personal data and to ensure that he/she has provided valid consent, where appropriate, for your provision of his/her personal data to us. There may be instances where providing these personal data present a legitimate interest, in which case, consent may not be necessary.
Accuracy and completeness of personal data.
It is important that the personal data we hold about you is accurate and up to date. We would ask you to inform us if there are any inaccuracies with the personal data that we have recorded about you and we will act to update your personal data as required.
In some situations, you will have the ability to update your own information (e.g. when using a customer account on our website. We see it as your responsibility to ensure that all personal data that you provide is accurate and complete, and to inform us of relevant changes to your personal data.
Categories of personal data we may collect.
We may collect, use, store and transfer different kinds of personal data about you which we have categorised as follows:
Identity Data.
Data specifically related to identity may include, first name, maiden name, last name, marital status, title, date of birth, national insurance details and other recognised official identity documents.
Contact Data.
The contact information of you and others could include, email addresses and telephone numbers, postal address details and social media handles.
Financial Data.
Whether you are a participant, service user, supplier or an employee, we may process financial data including bank account information and payment details.
Technical Data.
In this technical age there’s quite a bit of technical data around, including internet protocol (IP) addresses, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Usage Data.
Our website may give us information about how you use our website.
Marketing and Communications Data.
We make it our business to develop lasting relationships and to help with this we will not sell or distribute your personal information to any Third Party for marketing purposes without your prior consent or an appropriate legal basis.
We’re not interested in bombarding you with marketing content, just timely and relevant information about the services we care about and that are relevant to you.
Special Categories of Personal Data.
In the field of employment and for the purposes of assessing the working capabilities of our employees or partners, we will process special category personal data.
Where you provide the information, we may also collect further special category personal data, including, but not limited to, your religious beliefs, your sexual orientation and your physical or mental health.
We may also hold data provided by statutory organisations that is relevant to your use of CCP services, for example, probation service, Social Services, NHS, Mental Health teams etc. There may be instances where other special categories of personal data are disclosed to us, but this is incidental and not part of an organised processing activity.
Data requiring special protection.
There may be instances where we process special category data for the specific purpose of safeguarding and our legal obligations to undertake criminal record checks through the Disclosure & Barring Service where we are working to safeguard children and / or vulnerable adults.
How we may collect personal data.
Personal data you voluntarily provide to us.
CCP will use the personal information we collect for the purpose disclosed at the time of collection, or otherwise as set out in this Privacy Policy. We will not use your personal information for any other purpose without first seeking your consent, unless authorised or required by law.
We will only use your personal information as follows:
-
to establish and maintain your involvement with CCP, including providing you with regular correspondence;
-
to provide the products or services you have requested from CCP;
-
to answer your inquiry by post, telephone, mobile phone, fax as well as email;
-
to register you for events;
-
to provide a personalised service, such as personalised emails;
-
to keep records of your relationship with us e.g. questions you have asked or complaints you have made;
-
to ask for financial and non-financial support, such as volunteering;
-
to assist us to make the website and services more valuable to our community;
-
to assess and evaluate the impact of our services;
-
when you submit your personal data to us for any other reason.
Your personal information will be kept strictly confidential. It will not be sold, given away, or shared with anyone unless we have received your prior permission, or we are required to by law.
Personal data that has been provided by others.
Depending on your relationship with us, we may also collect your personal data from third party sources, for example:
-
information that you make available on, for example, Twitter, Facebook, Linkedin or similar organisations;
-
from your referees, educational organisations or previous employers (if you have applied to us for a job);
-
from your family members, friends or colleagues who provide your personal data to us on your behalf;
-
We may collect information from that published in articles, newspapers or blogs
-
from public agencies or other public sources.
Personal data that can be collected automatically.
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. We’ve structured our website in a way that asks for your consent for certain cookies, we value your privacy and data rights. For more information about our use of cookies, please see our Cookie Policy.
External links on our website.
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Specific purposes and legal basis for processing your information.
Legal basis.
We will always have a legal basis for processing personal data and we have methodically assessed our purposes and legal bases.
Processing type:
Individual or small-group communication via email, post or telephone calls & SMS messages
Data category:
Contact data
Our legal basis:
Consent
Specific purpose, safeguarding and the respect of individual's data rights:
As part of our community we conduct events, services, and otherwise communicate with those that consider themselves a volunteer, a visitor, a participant or a member of the congregation/community. We have taken the view that consent is the most appropriate basis with which to communicate with our community.
Processing type:
Training and other corporate events
Data category:
Identity, Contact, Special category health data
Our legal basis:
Contractual Obligation / Consent
Specific purpose, safeguarding and the respect of individual's data rights:
The information you provide will be used to communicate with you about your attendance to an event and to follow-up on your experience post-event. The personal information we may process could include your name, address and phone number, email address, dietary requirements, access requirements. We will ask for your consent to process health-related data.
Processing type:
Postal marketing
Data category:
Identity & Contact data
Our legal basis:
Legitimate Interest
Specific purpose, safeguarding and the respect of individual's data rights:
We may from time to time distribute printed material that is relevant to the activities of our community and similar in nature to the reasonable expectations you would have of our community. We're not fans of spam, so we won't be spamming anyone with lots of unnecessary material. You're able to ‘opt-out’ of receiving postal material via contact details provided. In any case, we will make it our business to check the Mail Preference Services before distributing any postal marketing materials.
Processing type:
Promotional Images and film footage
Data category:
Identity
Our legal basis:
Consent
Specific purpose, safeguarding and the respect of individual's data rights:
Participants are actively engaged in activities connected with our work. We will always notify participants when a photographer or filmmaker is present at a session or event. Written consent will always be obtained for young people under 18-years and we will respect the wishes of anyone who signals their desire not to have their image taken and will always ask for consent where photos are to be published alongside a name or other personal identifier. Our stance on taking photographs and video footage is also supported by our Safeguarding Policy which restricts such activities.
Processing type:
Sharing information with the Charity Commission, Accountants, legal advisors, HMRC and Statutory authorities
Data category:
Identity, Contact, Financial & Special category data
Our legal basis:
Legitimate Interest / Legal Obligation
Specific purpose, safeguarding and the respect of individual's data rights:
As a registered UK charity, we are subject to charity law and therefore have specific legal obligations. We process our accounts in accordance with UK law and therefore use external accountants, which is our legitimate interest, to submit our statutory accounting records. We provide services and open our community to both children of all ages and adults at risk, as such, we are governed by our Safeguarding Policy and therefore are legally obligated to submit case details to the statutory authorities.
Processing type:
Sharing information with Assemblies of God and other faith-based groups
Data category:
Identity data
Our legal basis:
Legitimate Interest
Specific purpose, safeguarding and the respect of individual's data rights:
As a member of Assemblies of God Great Britain, we may report or share statistical information about our community groups, services and participants. We will only take great care to minimise the amount of personal information we share, and in
most circumstances, we may not need to share any personal information.
Processing type:
Hope for Life Food parcels
Data category:
Identity, Contact data & data deserving special protection data
Our legal basis:
Public Interest
Specific purpose, safeguarding and the respect of individual's data rights:
Our Hope for Life food parcel service is conducted in cooperation with public authorities and other relevant third parties that direct referrals to us. We consider it to be in the public interest to ensure that families within our community are able to eat and not go without regular meals.
Processing type:
Undertaking DBS checks
Data category:
Identity, Contact data & data deserving special protection data
Our legal basis:
Legal Obligation
Specific purpose, safeguarding and the respect of individual's data rights:
Where a member of our community applies to work with either children or adults at risk, we will undertake checks with the Disclosure Barring Service as is our legal obligation.
Processing type:
Administrative purposes
Data category:
Identity, Contact & Financial data
Our legal basis:
Legitimate Interest
Specific purpose, safeguarding and the respect of individual's data rights:
Within the aims and objective of our charity and in a way that respects the rights and freedoms of others, we will undertake administrative activities including finance, IT and HR purposes, quality assurance and staff training.
Use permitted under applicable laws.
We may also collect, use, disclose and process your personal data, without your knowledge or consent, where this is required or permitted by law.
When we might have to disclose your personal data to third parties.
During the course of providing the services that you request from us, we may share your information with our processing partners, known as recipients, data processors and sub-processors.
When disclosing personal data to third parties, we will (where appropriate and permissible) enter into contracts with these third parties to protect your personal data in a manner that is consistent with all applicable laws and/or ensure that they only process your personal data in accordance with our instructions.
We commonly conduct due diligence with third party recipients around the areas of their data security protocols and data protection policies.
Recipients of your personal data.
We may disclose your personal data for the purposes described in this Policy or as required or permitted by law, for example, to:
-
our third-party vendors and service providers, who are engaged to provide business, support, operational and/or administrative functions such as HR support, auditing, legal, marketing, website maintenance, payment, fulfilment and delivery of orders.
-
regulatory authorities, statutory bodies or public agencies, including to support their investigations.
credit reference agencies, debt collection and tracing agencies, financial organisations. Data being transferred outside of the EEA
In the provision of our services to you, we use data processors that are outside of the European Economic Area (EEA). Specifically, we use data processors based in the USA.
The General Data Protection Regulation has strict rules about data transfers to international organisations and we use approved data transfer mechanisms, including the EU–US Privacy Shield and employ data sharing agreements that utilise model clauses.
We take extra steps to ensure comprehensive due diligence of organisations that may receive your personal data.
If you would like any more information, please get in touch by contacting our Data Protection Office, details can be found at the start of this Privacy Notice.
The security of your personal data.
Unauthorised access.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Specific access.
We limit access to your personal data to those employees, volunteers, participants, contractors and other third parties who have been authorised to access your personal data
While precautions will be taken to ensure that the personal data you provide is protected against unauthorised or unintended access, we cannot be held responsible for unauthorised or unintended access that is beyond our control.
Vulnerabilities.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the supervisory authority of a breach where we are legally required to do so.
However, we cannot guarantee that our systems or applications are invulnerable to security breaches, nor do we make any warranty, guarantee, or representation that your use of our systems or applications is safe and protected from viruses, worms, Trojan horses, and other vulnerabilities.
We also cannot guarantee the security of data that you choose to send us electronically. Sending such data is entirely at your own risk.
Credit / debit card security
If you use your debit or credit to donate to us, or purchase something, whether online, over the phone or by mail, we will process your information securely in accordance with the Payment Card Industry Data Standard.
We do not store your debit or credit card details once your transaction has completed. All card details are securely destroyed once your donation or payment has completed.
We hold bank account details for the purpose of collecting direct debits in accordance with direct debit mandate rules.
We only keep data for as long as necessary.
Our retention schedules.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We consider our retention schedules to be appropriate and fair, for example, we may keep hold of your CV for 3 months if we weren’t able to find you a role within our team, but after that time your circumstances may have changed, and it wouldn’t be appropriate for us to keep it. We are legally obliged to keep certain elements of personal data relating to transactions, donations and gift aid records, these are for tax and accounting purposes, so we’d keep hold of that data for 7 years.
Any safeguarding data will be securely held for 25 years. We retain general emails and other correspondence for 2 years.
Details of retention periods for different aspects of your personal data are available and you can request more details of that by contacting our Data Protection Office.
By law, we may have to keep certain information about our customers and this data will be held solely and securely for those legal purposes.
You have rights when it comes to your personal data.
As an employee, participant, visitor or member of our community, you may at any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
-
Right of access – you have the right to request a copy of the information that we hold about you.
-
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
-
Right to be forgotten – in certain circumstances, you can ask for the data we hold about you to be erased from our records.
-
Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
-
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
-
Right to object – you have the right to object to certain types of processing such as direct marketing.
-
Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
-
Right to judicial review: in the event that we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain and we have provided a specific section on this below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
You can request access to your personal data.
At your request, we can confirm what information we hold about you and how it is processed. If we hold personal data about you, you can request the following information:
-
Identity and the contact details of the person or organisation that has determined how and why to process your data.
-
Contact details of the data protection officer, where applicable.
-
The purpose of the processing as well as the legal basis for processing.
-
If the processing is based on the legitimate interests of our business or a third party, information about those interests.
-
The categories of personal data collected, stored and processed.
-
Recipient(s) or categories of recipients that the data is/will be disclosed to.
-
If we intend to transfer personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
-
How long the data will be stored.
-
Details of your rights to correct, erase, restrict or object to such processing.
-
Information about your right to withdraw consent at any time.
-
How to lodge a complaint with the supervisory authority.
-
Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
-
The source of personal data if it wasn’t collected directly from you.
-
Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
What forms of ID will I need to provide to access my data?
As far as it is possible, we will try to verify that a request for personal information is coming from the person whose data it is. We'll try not to ask for more personal information so that we can give you access to the data we already have. But in circumstances where we need to be sure that we're not giving your personal information to an unauthorised person, we may ask for some identification. We accept the following forms of ID when details of your personal data are requested: Passport, driving licence, birth certificate, utility bill from last 3 months.
What to do when things don’t go as planned.
In the event that you wish to make a complaint about how your personal data is being processed by us or third parties, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and our Data Protection Office.
Our Data Protection Office.
City Church Preston
St Thomas's Centre
Lancaster Road North
Preston
Lancashire
PR1 2SQ
Email: dataprotection@citychurchpreston.com
UK’s Supervisory Authority.
The UK’s supervisory authority is the Information Commissioners Office.
Postal Address:
Information Commissioner Information Commissioners Office Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Web: https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
Do get in touch if you’d like more information about this privacy policy.
If you have any queries about this Policy, please feel free to get in touch with our Data Protection Office and we will do our best to answer your questions.
This Privacy Policy is effective as of November 2019
.