Privacy Policy – Church in London

A. Introduction
The Church in London is committed to protecting your privacy and handling your information in a way consistent with UK laws. This includes telling you how we receive and use your information. Please read this privacy policy (‘Policy’) carefully.

This Policy applies when you visit churchinlondon.org.uk, children.churchinlondon.org.uk, safeguarding.churchinlondon.org.uk, lifetalks.org.uk and any related sites (‘church websites’), communicate with us, register for any events or apply for any resources.

This Policy informs you:

who we are;
how we receive your information;
the types of information we collect from you;
how we use your information;
our legal bases for processing your information;
how we share, store, and secure your data;
an explanation of your data rights as an individual; and,
how you may contact us.

B. Who are we?
The data controller of your information is the Church in London. We are a registered charity. Our registered office is Bower House, Orange Tree Hill, Romford, Essex, RM4 1PB. Our charity number is 1093426.

The ways to contact us can be found at churchinlondon.org.uk/contact-us. For data protection concerns, our contact details are at the end of the Policy.

C. How do we receive your information?
*Please click on the section below that applies to you to find out about the types of information we collect from you, how we use your information, our legal bases for processing your information, and how we share, store, and secure your information

We may receive your information in a number of ways, including when you:

register for an event, or request hospitality or transport
visit a church website
create a Website user account or comment publicly on the Website
apply to serve as a volunteer with our children and young people
communicate with us or contact us to request something
make a donation or register for Gift Aid
subscribe to receive emails from us
agree to be listed on our church contact list
report an accident or incident to us
send us an invoice
participate in an online conference call

D. When do we share your information?
We may share your personal information with our trusted service providers where this is necessary, in order to provide products or services you have requested from us, or where they are contracted to develop or maintain our systems.

We monitor information security compliance and have written contracts which obligate our partners or suppliers to process your personal information only on our instructions and in accordance with applicable data protection and privacy laws.

Our current service providers are listed below, along with links to their individual privacy policies. This list may change from time to time without prior notice to you.

Type of service provider	Name and Link to Privacy Policy
Payment providers	Stripe – stripe.com/gb/privacy
	PayPal – paypal.com/uk/webapps/mpp/ua/privacy-prev
Web form providers	Google – policies.google.com/privacy
	JotForm – jotform.com/privacy
Web host providers	1&1 IONOS – ionos.co.uk/terms-gtc/terms-privacy/
	Wix – wix.com/about/privacy
Email Provider	Mailchimp – mailchimp.com/legal/privacy
	Google – policies.google.com/privacy
Gift Aid provider	Fund Filer – fundfiler.com/terms.aspx#Privacy_Policy
Web Conferencing	Zoom – zoom.us/privacy
	MS Teams – docs.microsoft.com/en-us/MicrosoftTeams/teams-privacy
	Google Meet – support.google.com/meet/answer/9852160

We may be under duty to disclose your personal information where required, in order to comply with any legal obligation.

E. Where do we store and process your personal information?
We store your information on secure servers at our offices, off-site, and in the Cloud. We may also store certain information on paper at our office.

In certain cases, your information may be transferred, processed and stored by our service providers outside of the UK. Where this occurs, the transfer is made subject to approved safeguards such as the EU Standard Contractual Clauses.

F. How do we secure your personal information?
Where your information is stored electronically, it is in encrypted or secured by two-factor authenticated (2FA) passworded systems with role-based access only.
Where your information is stored on paper records, they are kept in locked cabinets in an office with restricted access.

We ensure that access to personal data is restricted only to those volunteers whose job roles require such access and that suitable training is provided for these volunteers.

G. How long do we keep your personal information for?
Your information will be kept for no longer than is necessary for the purposes of its use and for as long as it is required in accordance with the law. For example, we will retain details of donations for seven years to meet tax and accounting requirements, whereas we are only required to keep accident book records for three years from the date of last entry.

If you have indicated that you no longer wish to hear from us, we will keep the minimum amount of information necessary to ensure that we are able to continue to respect your wishes.

Any data that has passed its retention period will be destroyed securely in line with our data protection procedures.

H. Your rights in relation to your personal information
We respect your rights under the GDPR to access and control your personal data. Your available rights are set out below.

Access Your Information
You have the right to request a copy of the information that we hold about you. If you would like a copy of particular personal information we hold about you then please let us know the details of your request.
Amend Your Information
You have the right to request that we amend or complete inaccurate or incomplete information that we hold about you.
Erase Your Information
You have the right to request the erasure of your information in certain circumstances. If we process your information on the basis of a legal obligation, this right may not be available.
Object to Our Using Your Information
You have an absolute right to stop your information being used for direct marketing. You may also be able to object when we use your information based on our legitimate interests in certain circumstances.
Automated Decision-making including Profiling
We do not make any automated decision-making or carry out profiling activities using your information.

To exercise any of these rights, please contact us using the details provided below. We may require some proof of identification. A request to access, amend, or delete your information may be refused in certain circumstances, where permitted by law.

Right to Lodge a Complaint with a Supervisory Authority
If you have a complaint about the way we handle your information, please contact us at data@churchinlondon.org.uk or, alternatively, you may lodge a complaint with the Information Commissioner’s Office (‘ICO’). Please see ico.org.uk/make-a-complaint or call 0303 123 1113 for more information.

I. How to contact us?
If you have any questions or concerns about this Policy, our privacy practices, your information, or you would like to make a compliant, here are the ways you can contact us:

● Email – data@churchinlondon.org.uk
● Phone – 01708 380 330

This Policy might change from time to time without notice to you. If we change the way we are using your information, we will inform you or seek your consent in accordance with data protection laws.

Last updated: 13 March 2021

1) When you register for an event, or request hospitality or transport

A. What information do we collect?
When you register for an event, request hospitality, or sign up for transportation, we may collect the following types of information:

Your contact details, age range, and choices for keeping in touch with us
Your hospitality needs, such as dietary requirements and accommodation
Your language needs, such as translation
Your availability to participate in service
Your payment information
Your transport needs, such as means of transport to the event, or arrival and departure times
Your nationality and passport details, if there is transportation to an event outside of the UK
Any additional information that you provide to us related to your registration

If you register your children, we may collect the following types of information:

Their age and UK school year
Their parent or legal guardian contact details or emergency contact information
With your explicit consent, any allergies or relevant medical information
Parental consent forms

The information you provide to us, which may include information relating to your health, ethnic origin and religion, is likely to fall within special categories of information (sensitive information) meaning that we have to treat all such information with extra care and only use it for the purpose for which you provided it, and where we have legal grounds to do so. Your payment card information is kept securely by our PCI compliant service providers that handle the card information on our behalf.

B. How do we use your information?
We use your information for the purpose of general event administration, including for arranging hospitality or booking transportation. We may also use your information to meet any legal obligations or insurance requirements.

C. What legal bases do we have for processing your information?
We process your information mainly on the legal ground of your explicit consent. You have the right to withdraw your consent at any time by contacting us using the details provided in our Policy. In certain circumstances, we may also process your information based on a legal obligation to do so.

If your details are provided to us as an emergency contact or next of kin, we process your information based on our legitimate interests of making effective contact with you in the event of an emergency.

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing;
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing;
we process the data in order to carry out our legal obligations;
we process the data for reasons of substantial public interest;
we process the data for the establishment, exercise or defence of legal claims; or,
you have already made the data public.

D. When do we share your information?
To process your registration and any payment, your information may be shared with our service providers. For more details on these providers, please see ‘When do we share your information?’ in the main section of our Policy.

For those attending residential events at Bower House, some of your information may be shared with Amana Trust (a registered charity in England and Wales, charity number 1093401, company number 4366897, registered office: Bower House, Orange Tree Hill, Romford, RM4 1PB, UK), for them to make any accommodation arrangements. Please check the privacy policy of Amana Trust: amanatrust.org.uk/about-us/privacy-policy for further details.

If you indicate that you can serve during an event, some of your information may be shared with service coordinators, who may contact you in person, by phone, or by email.

If you sign up for transportation, some of your information may be shared with the third-party transport provider to comply with their guidelines for running the transportation.

Event registration data may be shared with church registration coordinators to overview event attendance and encourage registration among church members.

If we collect your information for an event administered by a third party, such as a live training or blending conference overseas, your information will be shared with that third party with your explicit consent. Where this involves an international transfer (outside of the EEA), we will inform you of:

the identity of the receiver, or the categories of receiver
the country or countries to which your information is to be transferred
why we need to make the transfer
the type of information
your right to withdraw consent, and
the possible risks involved in making a transfer to a country which does not provide adequate protection for your information without any other appropriate safeguards in place.

Your information will be kept securely and will not be shared with any other third parties unless we have your explicit consent.

2) When you visit a church website

A. What information do we collect?
Cookies
A cookie is a small text file that websites create and store on your computer containing data about websites that you visit. They are widely used to make websites work or work more efficiently, as well as to provide information to the owners of the site. The below table describes the cookies we use and why. The church in London does not disclose to third parties any cookie information created by our Website, except as needed to satisfy any law, regulation, or legal request.

Cookie	Name	Purpose
PHP session cookie	PHPSESSID	This session cookie is set when a visitor first loads a page. The cookie is required by the underlying technology to power the Website. It will last as long as the visitor is on our Website and is removed when the visitor closes their browser. It does not store any user information; it is used to maintain a unique link between the browser and the Website for the purposes of information requests and session data used by the Website to manage user logins. This cookie is set without confirmation as it is crucial to the basic operation of the Website.
WordPress Platform	wp-settings-[UID], wp-settings-time-[UID]	WordPress uses cookies to customize the registered user’s view of admin interface and possibly also the main site interface.

3) When you create a Website user account or comment publicly on the Website

A. What information do we collect?
When you create a Website user account or comment publicly on the Website, we may collect the following types of information:

your username, email and password;
your locality;
description of children’s work in your area;
how you heard about the website;
your submitted comments; and,
your activity on the website.

The information you provide to us, which may include information relating to your health, ethnic origin and religion, is likely to fall within special categories of information (sensitive information) meaning that we have to treat all such information with extra care and only use it for the purpose for which you provided it, and where we have legal grounds to do so, unless you choose to make the data public by submitting it as a comment on the Website publicly.

B. How do we use your information?
We use your information for the purposes of: website administration; providing you with resources for serving with children; and, safeguarding recruitment, training and administration. We may also use your information to meet our legal obligations or insurance requirements.

C. What legal bases do we have for processing your information?
We process your information on the legal ground of your explicit consent. You have the right to withdraw your consent at any time by contacting us using the details provided in our Policy. In certain circumstances, we may also process your information based on a legal obligation to do so.

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
we must process data for the establishment, exercise or defence of legal claims
you have already made the data public.

D. When do we share your information?
Your information may be shared with our webhosting service providers. For more details on these providers, please see our Policy.

If you post comments on our website, the information will be shared publicly.

4) When you apply to serve as a volunteer with our children and young people

A. What information do we collect?
When you apply to serve as a volunteer with our children and young people, we may collect the following types of information:

your personal details
your burden and experience
your referees and their contact details
your church life and service background
your DBS certificate details or registration to the DBS update service, and
your self-declared criminal background details (where the volunteering role is exempt from Rehabilitation of Offenders Act 1974 and DBS filtering rules apply)

Criminal offence information will only be viewed by those designated recruiters for safeguarding who are trained to treat it with utmost confidentiality and in accordance with our policy for handling disclosure information.

B. How do we use your information?
We use your information for the purposes of safeguarding recruitment, training and administration and for dealing with any legal claims made against us. We may also use your information to meet our legal obligations or insurance requirements.

What legal bases do we have for processing your information?
We process your information on the legal ground of legal obligation or legitimate interests.

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
we must process data for the establishment, exercise or defence of legal claims
you have already made the data public.

We collect criminal conviction information only where it is appropriate given the nature of your volunteering role and where the law permits us. This will usually be collected at the recruitment stage, however, it may also be collected during your time of volunteering. We use criminal conviction information to determine your suitability, or your continued suitability for the volunteering role. We rely on the lawful basis of legal obligation or legitimate interest to process this information.

C. When do we share your information?
Your information may be shared with our service providers. For more details on these providers, please see our Policy.

When your volunteering role is eligible for an enhanced DBS check, your details will be shared with Thirtyone:eight (formerly CCPAS), the DBS umbrella organisation that we use to conduct DBS checks. Please see their Fair Processing Statement: thirtyoneeight.org/statement-of-fair-processing/

If we need to discuss any concerns with your provided referees, some of your information may be shared with them.

5) When you communicate with us or contact us to request something

A. What information do we collect?
When you communicate with us or contact us to request something, we may collect the following types of information:

your contact details
the subject and content of your request
any other information you voluntarily supply to us

B. How do we use your information?
We use your information for the purposes of responding to your request.

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
we must process data for the establishment, exercise or defence of legal claims
you have already made the data public.

D. When do we share your information?
Your information may be shared with our service providers. For more details on these providers, please see our Policy.

6) When you make a donation or register for Gift Aid

A. What information do we collect?
When you make a donation or register for Gift Aid, we may collect the following types of information:

your contact details
your bank details
your gift aid declaration and whether you are a UK tax payer
any designation of your gift

B. How do we use your information?
We use your information for the purposes of processing your donations and reclaim tax on Gift Aid donations.

C. What legal basis do we have for processing your information?
We process your information on the legal ground of our legitimate interests and our legal obligation. We process your name, house name or number, post code and donation history for Gift Aid purposes as required by HMRC.

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
we must process data for the establishment, exercise or defence of legal claims
you have already made the data public.

D. When do we share your information?
Your information may be shared with our service providers. For more details on these providers, please see our Policy.

A. What information do we collect?
When you subscribe to receive emails from us, we may collect the following types of information:

your contact details
the type of email correspondence you would like to receive from us
the date you subscribe or unsubscribe
your activity in relation to the emails, for example, if you open the email or click on a link

B. How do we use your information?
We use your information for the purposes of subscribing you to our emails such as announcements or prayer items.

C. What legal bases do we have for processing your information?
We process your information on the legal ground of your explicit consent (to receive emails) and our legitimate interests (to improve our emails based on your activity in relation to them).

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
we must process data for the establishment, exercise or defence of legal claims
you have already made the data public.

D. When do we share your information?
Your information may be shared with our service providers (MailChimp or Gmail). For more details on these providers, please see our Policy.

8) When you agree to be listed in the church contact list

A. What information do we collect?
When you agree to be listed in the church contact list (also known as phone list), we may collect the following types of information:

your contact details (name, telephone number, email, gender, and post code)
statistical details such as your place of work and type of job (optional)
the name and gender of your children

B. How do we use your information?
We use your information for the purposes of making available a church phone directory, and to generate statistics and reports.

C. What legal bases do we have for processing your information?
We process your information on the legal ground of your explicit consent (to have your contact details published for others to see) and our legitimate interests (to have an internal phone directory for the church office and to generate statistics and reports).

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
we must process data for the establishment, exercise or defence of legal claims
you have already made the data public.

When do we share your information?
Your information may be shared with our service providers. For more details on these providers, please see our Policy.

9) When you report an accident or incident to us

A. What information do we collect?
If you have an accident, we collect the information from you directly, or where another person fills out the form, from that person. We may collect the following types of information:

your contact details
the contact details of the person affected or injured
details of the accident or injury

When you report a safeguarding incident to us, we may collect the following types of information:

your contact details
the child’s details, including date of birth, gender, ethnic origin and any disabilities
the parent/carer’s contact details
details of the concern being raised
details of the incident, including the child’s account, witness accounts, contact details of witnesses or persons involved
details of any action taken to date

B. How do we use your information?
We use your information for the purposes health and safety compliance, including reporting accidents, incidents and hazards, and safeguarding.

C. What legal basis do we have for processing your information?
We process your information on the legal ground of our legal obligation under social security and social protection law.

Given that most of your information is likely to be categorised as sensitive information, we process your data only when the following apply:

you have given explicit consent to the processing
you have regular contact with us, a not-for-profit body with a religious aim, in connection with our purposes and we have safeguards for the processing
we must process the data in order to carry out our legal obligations
we must process data for reasons of substantial public interest
we must process data for the establishment, exercise or defence of legal claims
you have already made the data public.

D. When do we share your information?
Your information may be shared with our service providers. For more details on these providers, please see our Policy.

The information will also be shared with Health and Safety coordinators or Safeguarding coordinators that are required to participate in the investigation process and/or remedial work. If required, your information may be shared with enforcing authorities and our Insurer.

10) When you send us an invoice

A. What information do we collect?
When you send us an invoice, we may collect the following types of information:

your contact details
details of payments to be made

B. How do we use your information?
We use your information for our accounting purposes.

C. What legal basis do we have for processing your information?
We process your information on the legal ground of performance of a contract.

D. When do we share your information?
Your information may be shared with our service providers. For more details on these providers, please see our Policy.

11) When you participate in an Online Conference Call

The church in London uses “Zoom” and occasionally “Google Meet” or “Teams” to conduct church meetings as conference calls, online meetings, video conferences and/or webinars. “Zoom” is a service provided by Zoom Video Communications Inc. based in the USA. “Hangouts” and “Meet” are services provided by Google based in the USA. “Teams “ is a service provided by Microsoft Corporation Inc. based in the USA.

A. What information do we collect?
Various types of data are processed when using the service providers. The extent of the data also depends on what data you provide before or during participation in an “online meeting”.

The following personal data could be subject to processing:

Information about the user:
first name, last name, telephone (optional), email address, username, profile picture (optional)
Meeting metadata:
topic, description (optional), participant IP addresses, device/hardware information
For recordings (optional):
MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
When dialing in by telephone:
Information about the incoming and outgoing phone number, country name, start and end time are registered. If necessary, further connection data such as the IP address of the device can be saved.
Text, audio and video data:
You may be able to use the chat, question or survey functions in an “online meeting”. To this extent, the text entries you make are processed in order to display and, if necessary, log them in the “online meeting”. In order to enable the display of video and the playback of audio, the data from the microphone of your device and from any video camera of the device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using applications.

In order to participate in an “online meeting”, you must at least provide information about your name in order to enter the “meeting room”.

B. How do we use your information?
We use the service providers to conduct online meetings. If we want to record online meetings, we will inform you transparently in advance and – if necessary – will ask for your consent. The fact of the recording is also displayed in the app.

If it is necessary for the purposes of recording the results of an online meeting, we will log the chat content. However, this will usually not be the case.

In the case of webinars, we may also process the questions asked by webinar participants for the purpose of recording and follow-up of webinars.

If you are registered as a user at the service providers, reports of online meetings (meeting metadata, data on telephone dial-in, questions and answers in webinars, survey function in webinars) can be stored for up to one month by the service providers.

C. What legal basis do we have for processing your information?

If data should not be necessary for data processing, but are requested in connection by the service providers, UK GDPR Art. 6 Para. 1. e) “necessary for performance of a task carried out in the public interest” is the legal basis for data processing.

D. When do we share your information?
The provider necessarily receives knowledge of the above-mentioned data, as far as this is provided in the context of our order processing contract with the service providers.

Version 1.1 Updated April 9th, 2021

1) When you register for an event, or request hospitality or transport

2) When you visit a church website

3) When you create a Website user account or comment publicly on the Website

4) When you apply to serve as a volunteer with our children and young people

5) When you communicate with us or contact us to request something

6) When you make a donation or register for Gift Aid

7) When you subscribe to receive emails from us

8) When you agree to be listed in the church contact list

9) When you report an accident or incident to us

10) When you send us an invoice

11) When you participate in an Online Conference Call