Data Privacy Notice
Here at Nazareth Mar Thoma Church Dublin – Ireland, we take your privacy seriously and is committed to protecting your privacy. This Data Privacy Notice explains our data processing practices and your options regarding the ways in which your personal data is used. This Data Privacy Notice along with Data Protection Policy is reflective of our compliance with Data Protection legislation in Ireland, to include the European GDPR and the Data Protection Acts 1988-2018.
Every parishioner have data protection rights. These rights include: to be informed how your data is being used; to have access to the information that we hold about you; to have inaccuracies corrected; to have your information erased; to object to or restrict the ways we process your information where legislation permits.
2. Who are we?
The Nazareth Mar Thoma Church Dublin, Ireland is a registered company limited by guarantee (CLG), a fully registered charitable organization registered with the Company Registrar and the Charity Commissioners (CRO No: 662557 , CHY No: 18375). We are the Parish of the Mar Thoma Church of Malabar and is also a member of the newly instituted Zone of the Mar Thoma Church in the UK and Europe. The Nazareth Mar Thoma Church would be the principal data controller, it means it decides how your personal data is processed and for what purposes.
The Privacy Notice is provided by The Nazareth Mar Thoma Church, Dublin and it works together with the following entities and other agencies who handle personal data:
- The incumbent of parishes (Vicars) and Assistant Ministers/Vicars
- Parish/Congregation Executive Committee
- Executive Committee of the Mar Thoma Zone in the UK and Europe
- Board of Trustees of the Council of the Mar Thoma Parishes in Europe (COMPE)
As the Nazareth Mar Thoma Church is engaged with all these entities working together, we may need to share personal data that we hold in the parish with the data processor (The other entities of the Church as per above are the data processor), so that they can carry out their responsibilities to the Church and our community. The organisations or their appointed representatives referred to above are joint data controllers. Therefore, we are all responsible to on how we process your data. Each of the data handlers have their own tasks within the parishes and congregations and a description of what data is processed and the purpose is set out in this Privacy Notice and Data Protection/Security Policy Document. In the rest of this document, the word ‘we’ to refer to data controller, as appropriate.
3. Data Protection Principles
We would like to assure every parishioner that every effort would be made to adhere the following data protection principles:
- Processing is lawful, fair, and transparent. Our Processing activities have lawful grounds. We always consider your rights as a Data Subject before processing any Personal Data. We will provide you information regarding Processing upon request.
- Processing is limited to the purpose for which it was gathered.
- Processing is limited for the consent that was granted.
- Processing is carried out using the minimum amount of Personal Data required for any purpose.
- We will not store your personal data for longer than needed.
- We will do our best to ensure the accuracy of data.
- We will do our best to ensure the integrity and confidentiality of data.
- We will use all reasonable means to avoid Breaches of Data. Where a Data Breach occurs, we will notify the relevant authority and follow their instructed next steps.
4. What information do we collect about you?
We receives personal data about you in various ways including
- Directly from the individual
- through connect cards, forms, consent forms, forms on our websites, through our App, at events we run, corresponding with us by phone, email or letter, it includes information you provide when you register to join groups or ministry teams.
- Information we receive from other sources
- We may also receive information about you from other parishes/Diocese/affiliated churches, or previous churches you attended with your prior permission.
For example, some information is collected for certain Sacraments, such as the Sacraments of Baptism, Confirmation and/or Marriage. In addition, if you make a donation to a parish. This enables the parishes to meet its requirements under the Charities Act. It also enables parish to claim tax back on donations where appropriate.
5. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the Data Protection Act 2018 and General Data Protection Regulation (the “GDPR”).
We may record and process some or all of the following personal information about you:
- contact details (address, phone numbers, email address)
- gender (genetic and biometric data, data concerning sexual orientation)
- date of birth
- family status
- date of marriage
- photographs/video recordings
- financial giving to the church
- financial information (such as bank details)
- religious beliefs
- health and medication
- CCTV recordings and photographs.
- Special category data such as that which reveals your religious beliefs may also be collected and processed.
This list is not exhaustive.
6. How do we process your personal data?
Our Parish complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We (data handlers) use your personal data for the following purposes: –
- To enable us to meet all legal and statutory obligations (which include maintaining and publishing our annual parish membership list according to the parish register in accordance with the constitution of the Church);
- To carry out comprehensive safeguarding procedures (including due diligence and complaint handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments This includes Garda Vetting checks for those involved with children and vulnerable adults;
- To minister to you and provide you with pastoral and spiritual care (such as visiting you when you are ill or bereaved) and to organise ecclesiastical services for you and your family such as baptism, confirmation, birthday thanksgiving prayers, praying for the sick, wedding and funerals;
- To deliver church’s mission to the community, and to carry out any other voluntary and charitable activities for the benefit of the public as provided for in the constitution and the statutory framework of each data handler;
- To administer the parish or congregation, COMPE, Zone membership records;
- To fund raise and promote the interests of the church and its charitable work;
- To maintain the accounts and records of parishes, congregations, Zone and COMPE
- To process a donation that you have made for charitable work (Gift Aid information);
- To seek your view or comments on the work of the parish, congregation, COMPE and the Zone;
- To notify of changes to our services, programmes, events and office bearers;
- To send you communications which you have requested and that may be of interest to you. These may include information about conferences, campaigns, appeals, ecumenical and interfaith events;
- To process a grant or application for an office or a role
- To enable us to provide a voluntary service for the benefit of the public in a particular geographical area (e.g. prison and hospital visit);
- Technical details in connection with visits to this website may be logged on the server for accounting and auditing purposes (e.g. Computer IP number)
In the case of CCTV recordings, to prevent or detect a crime and to help create a safer environment for our members of the faithful, clergy, volunteers and visitors
- For auditing and statistical purposes.
The Nazareth Mar Thoma Church, Dublin, Ireland does not use automatic decision making software and does not engage in profiling.
Information will only be made available to third parties who assist us with our work. We may share information with service providers but only when an appropriate Service Provider (Data Processor) Agreement/contract is in place outlining exactly what they are permitted to do. Any data processed in the course of such services is processed in compliance with the GDPR.
It is the policy of the Diocese not to disclose technical details in connection with visits to this website in respect of individual website visitors to any third party unless obliged to disclose such information by a rule of law. The technical information will be used only for statistical purposes.
7. Where do we store your personal data?
We are committed to holding your personal information securely. Only Church staff and volunteers that need to see the data can access it. By submitting your personal data, you agree to this transfer, storing or processing.
- We may store your information in hard copy or in electronic format, in storage facilities we own and operate ourselves, or that are owned and operated by our service providers.
- All computers that store any personal data are password protected or encrypted. Laptop computers and similar devices that contain confidential information are encrypted or password protected.
- We may transfer your personal data outside of Ireland and the European Economic Area, only where it is permitted by one of the conditions for non-EU transfers set out in the GDPR.
- If we plan to pass the your personal data onto someone else outside of our Parish apart from Zone of the Mar Thoma Church in the UK and Europe and The Mar Thoma Church of Malabar office, we will give the data subject this information and we will only do this with your explicit consent.
- Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information.
8. What is the legal basis for processing your personal data?
Our legal basis for processing your data are ‘legitimate interests’ (for activities related to the everyday functioning of the church) [GDPR Article 6.1(f)] and ‘consent’ (for everything else) [Article 6.1(a)]. In a small number of instances, we rely on ‘contract’ (for example, if we are your employer) and ‘legal obligation’ (for example, in relation to safeguarding issues). When using ‘legitimate interests’ as the legal basis for using the information you have given us we will ensure it is for a genuine purpose, necessary for the smooth running of the church family, and not invasive to your privacy. For all other purposes, we will ask for your positive consent before processing your details.
- We are able to process ‘special categories of personal data’ (such as your health or religious beliefs) in the course of our legitimate activities because we are a not–for–profit body with a religious aim relating to you as a member, former member, or person with whom we have regular contact [Article 9.2(d)].
- Processing is necessary for the purposes of legitimate interests pursued by us or a third party except where such interests are overridden by the interests, rights or freedoms of the data subject. This is where we need to use your data to engage in our normal day to day activities e.g. keeping a record of your name and address on our membership list.
- Processing is carried out by us in our capacity as a not-for-profit body with a political, philosophical, religious aim: – o The processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and o There is no disclosure to a third party without consent other than consent. An example of this may be where a record of sensitive data may need to be kept by us so that effective pastoral care may be provided to members;
- Explicit consent of the data subject. An example of this would be your consent to joining a mailing list so that we can keep you informed about news, events, activities and services and process your donations from revenue and keep you informed about Parish events;
- Processing is necessary for us to comply with the law. Examples of this could be our legal obligations to maintain certain records so that we may carry out our obligations under employment, social security or social protection law or a collective agreement; and
- Processing is necessary for us to protect the vital interests of a data subject that cannot physically or legally give consent. An example of this may be for us to run special needs activities.
9. How long do we retain your information?
We retain your personal information for as long as necessary with regard to the purposes for which it was collected or lawfully further processed, or for so long as may be necessary in light of our legal obligations. Data that is held by us on consent is only kept for as long as we have your consent to process that data.
All information held is in accordance with the Data retention policy which is currently being amended to ensure its compliance with GDPR.
We retain members’ data while it is still current;
Parish authorizations, gift aid declarations, and associated paperwork for up to 6 years after the calendar year to which they relate.
Garda vetting authorization form and vetting outcome are retained up to three years or otherwise, the subject leaves the position/until the legal validity or whichever happens sooner to engage in relevant services to Children and Young in the Parish.
Parish register, electoral list, Minutes book of Managing Committee, subcommittee, baptisms, marriages, funerals and annual report, reference letters, a copy of parish publication are retained permanently.
Where consent has been obtained, to attend a one-off activity, conferences, additional parish publications, promotional printouts, spiritual organizations activity related, competitions, details of volunteers, visa-related documents for guest we will normally retain this for one year and destroyed securely. One-off consent forms (such as for annual group membership or booking for trips etc) will be destroyed/erased one year after their use.
10. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: –
- The right to request a copy of your personal data which our parish holds about you.
- You have the right to be informed about any personal data that we hold which relates to you, including how we acquired this data and the purpose for which it is used. The right requires that you will be given a copy of all personal data we hold on you when requested. This is known as a Subject Access Request.
- To make a Subject Access Request you must complete a Subject Access Request form. No fee is required. The request will be processed as soon as the Subject Access Request form is returned and we will respond to you within one calendar month.
Please refer the Parish Subject Access Request Policy (SAR) for more information.
- The right to request that the parish corrects any personal data if it is found to be inaccurate or out of date.
- The right to request your personal data is erased where it is no longer necessary for the Parish to retain such data.
- When we receive your request we will confirm whether the data has been deleted of the reason why it cannot be deleted (for example because we need it for legitimate interest for regulatory purpose(s).
- The right to withdraw your consent to the processing at any time
- Upon receiving the request we will contact you and let you know if we are able to comply or we have legitimate grounds to continue to process your data. Even after you exercise your right object, we may continue to hold your data to comply with your other rights or bring or defend legal claims.
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable)
- [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means]
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing
- The right to object to the processing of personal data, (where applicable)
- [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]
- The right to lodge a complaint with the Data Protection Commissioner (Ireland)
Where permitted by law and where appropriate, in order to comply with our legal obligations, we reserve the right to release personal data without your consent and/or without consulting you.
11. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice. The new notice will explain the new use of your personal data prior to commencing the processing. It will set out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Last update published March 2021.
13. IT, Website and General Media
Our Parish maintaining the following websites, email ids, and updates the following Social Media groups.
14. Other GDPR Related Documents
- Data Protection Policy
- Subject Access Request Policy
- Data Retention Policy
- Data Processor Agreement
15. Contact Details
Our Data Protection Lead is responsible for advising Our Parish and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy.
Any questions about this policy or any concerns that the policy is not being or has not been followed should be referred to our DPL at email@example.com
Our procedures will be in line with the requirements of the Data Protection Policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection Lead.
Further information on your data privacy rights is available on the website of the Data Protection Commissioner www.dataprotection.ie or by post Data Protection Commissioner’s office, 21, Fitzwilliam Square South, Dublin – 2, D02 RD28, Ireland.