Privacy policy

How we collect, use and protect your personal information

Ensuring compliance with data privacy laws

An image representing security of data

Last reviewed: 2nd July 2023 by the clergy and churchwardens of the OVMC.

Definitions used in this notice:

  • Personal data is information about a living individual, including their image, vocal or musical recording, which can identify that individual.
  • Processing is anything done with or to personal data, including storing it. The processing of personal data is governed by the General Data Protection Regulation (the GDPR).
  • The data subject is the person about whom personal data is processed.
  • The data controller is the person or organisation (in our case our PCCs) who determine the how and what of data processing.

To operate efficiently, the churches of the OVMC collect, use, store and manage personal data of those individuals who are regularly involved in the church’s services, events and activities.

The GDPR requires that we tell individuals what we are doing with their information. The GDPR sets out the information that we should supply to individuals and when.

What we must tell people depends on whether we obtained the personal data direct from them or got it from somewhere or someone else.

Under the GDPR, the information we supply about the processing of personal data must be:

  • Concise, transparent, intelligible and easily accessible;
  • Written in clear and plain language, particularly if addressed to a child; and
  • Free of charge.

This Privacy Notice is provided to you by the Parochial Church Councils (PCCs) of the Otter Vale Mission Community (OVMC) which are the data controllers for your data.

The Church of England is made up of a number of different organisations and office-holders who work together to deliver the Church’s mission in each community. The OVMC PCCs work together with:

  • the OVMC ministry team;
  • the Bishop of Exeter; and
  • the Exeter Diocesan Board of Finance

As the Church is made up of all of these persons and organisations working together, we may need to share personal data we hold with them so that they can carry out their responsibilities to the Church and our community. The organisations referred to above are joint data controllers. This means we are all responsible to you for how we process your data.

What data do the data controllers process?

  • Names, titles, and aliases, photographs;
  • Contact details such as telephone and mobile phone numbers, addresses, and email addresses;
  • Where they are relevant to our mission, or where you provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants;
  • Where you make donations or pay for activities such as use of a church hall, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers.

The data we process is likely to constitute sensitive personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs.

How do we use your data?

  • To enable us to meet all legal and statutory obligations, which include
    • maintaining and publishing our electoral roll in accordance with the Church Representation Rules
    • holding and making available data concerning baptisms, marriages, deaths, and interments
  • To carry out comprehensive safeguarding procedures with the aim of ensuring that all children and adults-at-risk are provided with safe environments;
  • To minister to you and provide you with pastoral and spiritual care (such as visiting you when you are gravely ill or bereaved) and to organise and perform ecclesiastical services for you, such as baptisms, confirmations, weddings and funerals;
  • To deliver the Churches’ mission, and to carry out any other voluntary or charitable activities for the benefit of the public;
  • To administer the parish membership records, and contribute to the deanery, archdeaconry and diocesan membership records;
  • To fundraise and promote the interests of our Churches, including via the use of third-party donation web sites;
  • To process bookings for the hire of church buildings;
  • To maintain accounts and records; including the giving and donations of members, bequestors, visitors etc; and the payment of suppliers, volunteers’ expenses etc
  • To process a donation that you have made (including Gift Aid information and the provision of donors’ personal information to HMRC in order to receive Gift Aid payments as a registered charity)
  • To seek your views or comments;
  • To notify you of changes to our services and events;
  • To administer sub-groups within our churches; as well as rotas of volunteers at events, services, attendees at meetings, church sub-groups.
  • To operate the OVMC web site and PCCs’ individual social media pages;
  • To send you communications which you have requested and that may be of interest to you. These may include information about meetings, events, campaigns, appeals, other fundraising activities;
  • To process a grant or application for a role;
  • To record or live-stream services from our churches to reach out to those who are unable to attend in person, or who wish to participate in our services remotely;
  • At Ottery St Mary church: the use of CCTV systems for the prevention and prosecution of crime.

What is the legal basis for processing your personal data?

The Data Protection Act says that at least one of 6 conditions must be met for personal data to be processed fairly. The 3 most relevant to the processing of personal data by churches are:

  • The explicit consent of the data subject so that we can keep you informed about news, events, activities and services and process your gift aid donations;
  • Processing is necessary for carrying out legal or statutory obligations, particularly for our employees;
  • Processing is carried out by a not-for-profit body which exists for a religious purpose provided:
    • the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
    • there is no disclosure to a third party without consent.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which an OVMC PCC holds about you;
  • The right to request that the said PCC corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for the PCC to retain such data;
  • The right to withdraw your consent to the processing at any time;
  • The right to request that the data controller provide you with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the you and in either case the data controller processes the data by automated means].
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics];
  • The right to lodge a complaint with the Information Commissioners Office.

How long do we keep your personal data?

We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 7 years to support HMRC audits. In general, we will endeavour to keep data only for as long as we need it. This means that we may delete it when it is no longer needed. We also align with the Church of England guidelines on document and data retention as published by Exeter Diocese (http://www.exeter.anglican.org/wp-content/uploads/2014/11/What-to-do-with-parish-records-keep-or-bin.pdf) “Keep or Bin…? The Care of Your Parish Records”.

Further information

To exercise all relevant rights, queries of complaints, in the first instance, please contact the relevant PCC Secretary by visiting the appropriate church page on this website.

You can also contact the Information Commissioners Office.