The Diocese of Galloway – Privacy Notice

Introduction

The Diocese of Galloway (the ‘diocese’) is a charity registered with the Office of the Scottish Charity Regulator. Our charity number is SC010576 and our registered address is Candida Casa, 8 Corsehill Road, Ayr, KA7 2ST. In this notice, references to ‘we’ and ‘us’ refer to the diocese. Our parishes form part of the diocese and are not separate legal entities.

When you provide us with personal data (see glossary) we keep a record of it in order to

– comply with our statutory obligations
– achieve our charitable objectives of advancing and maintaining the Roman Catholic religion.

Under the General Data Protection Regulation (GDPR), the diocese, through its trustees, is a data controller (see glossary) in respect of your personal data.

Everyone has rights about how their personal data is managed, and the diocese is committed to ensuring that this is properly and securely managed in accordance with the relevant data protection laws and recognizes this plays an important part in establishing and maintaining trust and confidence between the diocese and those with whom it interacts. This notice explains how we use and protect personal data, and what your rights are in relation to this. (It only applies to information about living persons.)

What personal information do we hold about you?

We may hold the following types of personal data and also special categories of personal data – (see glossary)

– name and contact details
– gender, date of birth/age, marital status, nationality
– information about your education, professional qualifications and work history
– information about your family and any descendants
– information about your involvement in diocesan activities and events
– information obtained as a result of any background checks on volunteers
– financial information (eg bank details) and details of giving/donations
– photographs and film/video
– any other information you choose to provide to us, or is provided to us by others (eg your family members, other parishioners, other dioceses, medical/caring professionals, the police and other law enforcement bodies).

How and why do we process your personal data?

Your personal data may be processed in a number of ways, for example

– to communicate with you about news, activities, and events
– in carrying out our activities (including baptisms, weddings, funerals, general pastoral and spiritual care)
– in processing donations or other payments you make to us
– to administer, support, improve and develop our activities and record keeping
– in considering applications from you (eg for grants, roles/employment)
– for auditing and statistical purposes (eg the Bishops’ Conference of Scotland annual audit)
– to ensure we comply with our legal obligations (eg in regard to providing information to OSCR, HMRC, or safeguarding).

Any information gathered through cookies and similar technologies via the diocesan (or any parish) website is used only to analyse information about website visits to enable us to improve website functionality.

On what grounds do we process your personal data?

We must always have a lawful basis for processing your information. This varies according to circumstances but typical examples include

– the processing is within our legitimate interests eg advancing and maintaining the Roman Catholic religion, providing information about the diocese and its parishes, raising charitable funds
– you have given consent (which can be withdrawn at any time by contacting us)
– necessary processing for contractual matters, the public interest, or for compliance with a legal obligation
– to protect your needs and interests.

In addition processing special categories of personal data requires a further lawful basis, which may include

– as a Roman Catholic diocese working with and supporting our current and former parishioners (provided the information is not shared outside the diocese other than with your consent)
– where you have given us your explicit consent (eg to meet medical or dietary needs)
– where it is necessary to protect the vital interests (of yourself or others) eg passing information to the police, taking steps to prevent fraud or other dishonest activity
– you have made the information public
– its necessity for the establishment, exercise or defense of legal claims; or the diocese’s employment or social security obligations.

If we process any personal data comprising criminal convictions or offenses, we must also have a further lawful basis for processing, which may include

– as part of the diocese’s legitimate activities as a charitable body with religious aims (eg carrying out pastoral activities)
– exercising obligations or rights imposed or conferred on the diocese by law
– when it is necessary for the prevention or detection of an unlawful act, or to protect the vital interests of an individual
– where it is carried out in the course of safeguarding children or other individuals at risk
– where an individual has given their consent to the processing
– where the diocese is establishing, exercising or defending legal claims.

With whom may we share your information?

We will only share your personal data with another organization with your explicit agreement (unless we are otherwise permitted or required to do so under data protection rules, or order of a court or other competent regulatory body).

We may share your information with any ecclesiastical body enjoying canonical jurisdiction or powers of governance.

We may share your information with government bodies for tax purposes (including gift aid) or law enforcement agencies for the prevention and detection of crime.

Sometimes the diocese works with third parties, whom we ask to process personal data on our behalf (eg IT consultants, distributors of publications). We require these third parties to comply with our instructions and with the GDPR.

We have established robust administrative, technical and physical measures to guard against and minimise the risk of loss, misuse, unauthorized processing, or disclosure of the personal data that we hold.

In the course of processing or disclosing your personal data, it may be transferred to countries outside the European Economic Area (EEA), some of which may not have laws providing the same level of data protection. In such cases, we will take steps to ensure that your personal data is appropriately protected (including using the most secure method for the transmission of information, and where appropriate password-protection).

How long will we keep your information?

Your information will be kept in accordance with our retention policy, copies of which are available from the diocesan office. We aim to keep personal data only as long as is necessary, and then to delete it.

Your rights

You have rights in respect of personal data provided to us, and these include the right to

– request a copy of some or all of the personal data that we hold about you, and this is free of charge
– withdraw any consent you have given to the processing of your data
– request that any inaccuracies in your personal data are corrected
– have us restrict the processing of all or part of your personal data
– request that we delete your personal data
– object to us processing your personal data for marketing or fundraising purposes
– not be subject to decisions taken about you on the basis of an automated process.

For any of the above, please send your request to the diocesan office (address under ‘contact details’ below).

In some circumstances, the above rights may be limited eg when we have a legal requirement to process your personal data.

Rights about your personal data can only be exercised by you or with your express permission. You may need to provide us with proof of identity. Children from 12 years upwards are entitled to make their own requests if the diocese considers they have an appropriate understanding of the request they are making.

Changes to this notice

We may make changes to this notice from time to time as our organisational practices and/or applicable laws change. We will not make any use of your personal information that is inconsistent with the original purpose(s) for which it was collected or obtained (or as is permitted by data protection laws) without notifying you in advance if possible.

Contact details

If you have any questions, require any further information, or wish to exercise any of the above rights, or if you would like to provide feedback or make a complaint, please contact:

Data Protection Officer
Diocese of Galloway, Candida Casa, 8 Corsehill Road, Ayr, KA7 2ST
e: dpo@gallowaydiocese.org.uk

We hope that our response will be satisfactory to you – however if you have unresolved concerns you also have the right to complain to the Information Commissioner at www.ico.org.uk.

Glossary

Data controller means a person, organisation or body that determines the purposes for which, and the manner in which, any personal data is processed. They are responsible for complying with data protection laws including the GDPR and establishing practices and policies in line with them.

A data processor is responsible for processing personal data on behalf of a controller.

Personal data means any information relating to a living individual who can be directly or indirectly identified from that information or in conjunction with other information. It can be factual (eg name, date of birth) or an opinion (eg a performance appraisal).

A data subject is a living individual who can be identified through their personal data.

Processing is any activity that involves obtaining, recording or using personal data.

Special categories of personal data (previously known as sensitive personal data) include information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, or sexuality. It includes genetic and biometric data.

August 2018