top of page

Privacy Notice

Personal information – what is it?

Personal data, or personal information, is anything that can be used to identify a living person. It does not include data where the identity has been removed (anonymous data).

 
Shirley Baptist Church respects your privacy, and we highly value the personal information you share with us. We are committed to protecting your personal information and acting in accordance with the UK Data Protection Acts and Regulations (GDPR). 


This Privacy Notice explains who we are, the kind of personal information we collect, how we get this, why we have it and under what lawful bases we process it, how we store it, who we might share it with, and your rights under GDPR. It was last updated on 26th April 2024.

 

Who we are?

We are Shirley Baptist Church, Solihull (SBC), registered with the Charity Commission as a Charitable Incorporated Organisation (Charity no. 1197996). This means that, in GDPR terms, the Data Controller (the legal entity which holds the personal information and decides how personal data is processed and for what purposes) is Shirley Baptist Church as a whole.


In practice, this means that where individuals are processing personal information for church purposes as part of their paid or unpaid (volunteer) roles within the church, the processing will be deemed to be by the data controller.

 

What personal information do we collect?

The personal information we collect can include items such as names and contact details, education or employment details, interests and group memberships, dates and details of when you used our rooms or attended events, donations made to Shirley Baptist Church, pastoral support information, technical data via cookies (such as your computers IP address) and visual images of people.


We may also need to collect data about children and young people. Where this is applicable, we will only collect this information when provided by parents or guardians.

How do we get your personal information?

Most of the personal information we process is provided to us directly by you, for example, when you complete a form or contact us. 


We  may also receive information about you from other sources including, for example, previous employers or from cookies on our website.

Why do we have your personal information?

We use the information to help us:

  • Maintain our list of church members and regular attenders (including those under 18).

  • Provide services and pastoral support for members and others connected with our church.

  • Provide services to the community, e.g. toddler groups, adult social meetings, youth clubs and foreign language classes.

  • Safeguard children, young people and adults at risk.

  • Recruit, support and manage staff and volunteers.

  • Maintain our accounts and records (including the processing of gift aid applications).

  • Promote our services, e.g. by sending out emails informing those that have subscribed about news and events at Shirley Baptist Church.

  • Maintain the security of property and premises.

  • Respond effectively to enquirers and handle any complaints.

 

What is the legal basis for processing your personal information?

Under GDPR, the lawful bases we rely on for processing this information are: 

  • Legitimate Interest - Most of the personal information we process is in accordance with our legitimate interests or the legitimate interests of a third party (such as the Shirley Family Support Centre or Kairos Coffee). For example, we use your name and contact details to enable us to administer church groups and rotas and run SBC on a day-to-day basis.

  • Legal Obligation - Some of our processing is necessary for compliance with a legal obligation. For example, we have a legislative requirement to process gift aid applications.

  • Contract - We may also process information if it is necessary for the performance of a contract with you or to take steps to enter into a contract. Examples of this include information we need to carry out the contracts of employment with our staff and venue hire contracts with those hiring our premises. The legal basis for holding this information is that processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement. 

  • Consent - Where your information is used other than in accordance with one of these legal bases, we will first obtain your consent to that use. Examples would be including your details within a Church Directory, posting your image in a picture on the SBC Facebook page or sending you emails to keep you up-to-date with news and events.

 

Please note:

  1. You have the right to withdraw your consent for a specific use of your personal information at any time without detriment to yourself. You may do this via MyChurchSuite or by contacting us using the contact details below.

  2. Any personal information we collect and use as part of live streaming and recording our services (e.g. your image captured as part of the filming) is by your consent. You may withhold your consent by sitting in an 'out-of-shot' zone of the church and should notify someone from the ‘Welcome Team’ when visiting. Please note that once live streaming has started consent cannot be withdrawn and your data will be on the internet.

  3. Consent to use the image of an under-18 is captured as part of the parental consent form. We will always handle these in accordance with our Child Protection Guidelines, and we will not publish any names or personal information. However, if a child is not in an 'out-of-shot' zone, they may appear on the live stream. It is possible to edit out parts of the service that feature the child, but only after the service has concluded. For such an edit, please contact the SBC Office with the details of the parts of the service you would like removed from the video.

 

How do we store your personal information?


We use a combination of paper-based, standalone and cloud-based IT systems to process and store your personal information. 


We take appropriate security measures to protect your personal information from unauthorised or unlawful processing and accidental loss, destruction or damage. These security measures may include technical systems security (e.g. virus checkers, firewalls), measures to restrict or minimise access, data backups, the physical security of our premises, policies, procedures, training and audits. 


Where we utilise an external system to store personal information (e.g. MS365, ChurchSuite, ExpensePlus, MailChimp) we review the security of such systems to ensure compliance with relevant data protection laws, ensuring the data is secure and that the rights of data subjects are upheld.


We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements.


Details of the retention periods for different types of personal information are available in our retention policy. This policy also details how we will dispose of the information once the retention period expires. You can request a copy of this policy using the contact details below.

Who do we share your personal information with?


Your personal information will be treated as strictly confidential and will only be shared with others in the church for purposes connected with the church. In general, we do not share your information with other third parties. However, we may share this information with: 

  • Our external system providers such as ChurchSuite (i.e. as a consequence of it being stored in their IT systems). 

  • The Family Support Centre, Shirley or Kairos Coffee.

  • Other third parties if required by law or by a regulatory body. For example, a Gift Aid audit by the HMRC or if asked for details by a law enforcement agency.

 

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our external service providers to use your personal information for their purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

What are your data protection rights?

Unless subject to an exemption under GDPR, you have the following rights with respect to your personal information: 

  • Your right of access - You can ask us for copies of your personal information. 

  • Your right to rectification - You can ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. 

  • Your right to erasure - You can ask us to erase your personal information in certain circumstances. 

  • Your right to restriction of processing - You can ask us to restrict the processing of your personal information in certain circumstances. 

  • Your right to object to processing - You can object to the processing of your personal information in certain circumstances.

  • Your right to data portability - In certain circumstances, you can ask that we transfer the personal information you gave us to you or another organisation.


Please note:

  1. Fees - Typically, you are not required to pay any charge for exercising your rights. However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. 

  2. Additional Data - If you make a request, then we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you for further details concerning your request to speed up our response.

  3. Time Limits - We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have several requests. In this case, we will notify you and keep you updated.

Contact Us

Shirley Baptist Church has a designated Data Protection Officer (DPO), so please, in the first instance, contact them:

  • If you have any questions about our use of your personal information. 

  • In order to exercise all relevant data protection rights.

  • If you wish to raise a complaint as to how we are processing your personal information.

 

They can be contacted as follows:
Email:  dpo@shirleybaptist.org.uk
Postal address: Data Protection Officer, Shirley Baptist Church, Stratford Road, Shirley, Solihull, West Midlands, B90 3BD,

 

You can also contact the Information Commissioners Office via the following routes:
Phone: 0303 123 1113
Email: https://ico.org.uk/global/contact-us/email/
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF

 

bottom of page