Friends of Friendless Churches
Privacy Policy (General Data Protection Regulation (GDPR) compliant)
1. Introduction
The General Data Protection Regulation (GDPR) is a Europe-wide law that replaced the Data Protection Act 1998 in the UK. The GDPR sets out requirements for how organisations handle personal data from 25 May 2018. (Personal data is anything that can identify an individual, such as your name and address or financial information.) Under this legislation, we are responsible for informing you what data we hold, on what lawful basis and how we use it. We are committed to protecting your data in line with the regulations and have published this Privacy Policy to set out how the Friends of Friendless Churches comply with GDPR.
2. Data Controller & Data Processor
The Operations Manager of the Friends of Friendless Churches is both Data Controller (responsible for determining data processing and data protection requirements) and Data Processor (responsible for carrying out the processing of data on behalf of the Data Controller).
3. Your Membership Data
- We collect your data when you join via a paper membership form or via our website membership signup form (or if someone enrols you on your behalf, as in the case of Gift Membership). We ask for your full name, postal and billing addresses, and email. We also collect bank details for Direct Debit on paper mandate forms, and via online and phone collection methods.
- We will only use your data to manage your membership and associated benefits, including sending you news and publications, and organising AGMs and other events. We may send out membership communications by email and by post, including renewal reminders.
- We may also collect and process information about your interactions with us, including details about our contacts with you through email, SMS, post, on the phone or in person. This might include the date, time, and method of contact, details about donations you make to us, events or activities that you register for or attend or any general enquiry.
- We will not use or sell your personal data for any other purposes, such as profiling.
4. Donor and Volunteer Data
- If you provide your personal details along with a monetary donation to the Friends of Friendless Churches, or as part of volunteering your time or services, we will keep a record of your personal details alongside your contribution. We may use this information to claim Gift Aid. If you tell us about potential future donations you intend to make, including legacies, we will keep a record of this information.
5. Website Visitor Data
- The website of the Friends of Friendless Churches uses cookies. A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. WordPress.org uses cookies to help Friends of Friendless Churches identify and track visitors and their website access preferences. Website visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using either website. The WordPress privacy policy is visible here: https://en-gb.wordpress.org/about/privacy/
- Visiting the website of the Friends of Friendless Churches may result in personally identifying information like Internet Protocol (IP) addresses being logged by analytics software to collect statistics about the behaviour of visitors to the websites.
- If you navigate to an external website via a link on our site, it will not be covered by our data policy.
6. Newsletter Subscriber Data
- You can subscribe to our online-only mailing list without becoming a member, to receive news and updates from Friends of Friendless Churches. We use a third party called Mailchimp to collect and store this information. The Mailchimp Privacy Policy can be found here: https://mailchimp.com/legal/privacy/ Your data will not be shared with other third parties. By subscribing to our list, you are given the opportunity to opt in to receive emails from the Friends of Friendless Churches. We may collect and process data on how you interact with our emails.
7. Lawful Basis for Processing
- Membership records: we hold data you have volunteered on or since joining as a member to fulfil our contract with you, whereby you pay a membership subscription and we enrol you as a member of the Friends of Friendless Churches. This is a ‘contractual basis.’
- Hard copy mailing list: we use the lawful basis of ‘legitimate interest’ to send you publications, notify you of events, and include occasional hard copy inserts with our magazine where we feel they are of genuine benefit to members. We may send postal mailings to data subjects who are current or previous volunteers or donors on the basis of ‘legitimate interest’ if we have reason to believe they wish to hear more about our work. We have conducted a Legitimate Interest Assessment prior to adopting this lawful basis for processing.
- Email list: We may use the lawful basis of ‘legitimate interest’ to send members news about our work via email as part of the benefits of membership. Members will have the opportunity to unsubscribe from news at any time. We also use this basis to email donors, volunteers and fundraisers where we have reason to believe they wish to hear more about our work.
- Online subscribers: we may send email content on matters such as fundraising or campaigning to subscribers who have signed up via the newsletter signup form on our website. In this case, data will be processed using the lawful basis of ‘consent’ and such consent will be explicit, opt-in, and freely given.
8. Sharing Your Data
- We will never share your details with any third party for marketing or profiling purposes.
- We only share data when processing by another party is necessary in relation to a contract which you have entered into. We have written agreements with our mailing house, and our IT Consultant, Posix Ltd, to ensure they are compliant with GDPR and our Data Protection Policy, and that your data will not be sold, shared or kept on file indefinitely.
- We use RSM2000 to process Direct Debit payments securely on our behalf. We have a written contract with RSM2000 covering the use of personal data and have performed due diligence in verifying their compliance with GDPR.
- We use Mailchimp to send occasional email communications. Their Privacy Policy is made clear to users signing up via Mailchimp, and is visible here: https://mailchimp.com/legal/privacy/
9. Data Storage & Security
- Your personal data is stored in digital form by our Customer Relationship Management (CRM) system, provided by Beacon, who store all information securely in the cloud. More details and their privacy policy can be viewed here: https://www.beaconcrm.org/privacy.
- Access to our Beacon database is password-protected with dual-authorisation for login and access is restricted to employees who process the data as part of their job description.
- Antivirus software is kept up to date and monitored remotely by Posix Ltd.
- Any hard copies of membership data, e.g. membership forms, are stored securely, and disposed of confidentially.
- Any hard copies of payment data, e.g. Direct Debit forms, are stored securely and retained only for the duration required for processing.
10. Data Retention
- We will process your data during your membership period or period of active volunteering or donating, and won’t keep your data for longer than necessary after you stop being a member, donor or volunteer.
- If you cancel your membership, we may need to retain your details for our records for a limited amount of time. HMRC regulations require us to keep data on Gift Aided payments for 6 years from the end of the financial year they relate to. We have therefore set a maximum Data Retention limit on personal data of 7 years, after which your data will be routinely deleted if you are no longer an active member, donor or volunteer.
- We may retain a limited amount of data after this date, such as your name and dates of membership, to help us keep complete historical records of membership to inform our activity. This applies unless you ask to be erased from our records (see 12. Your Rights, below).
- If you ask to be erased from our records, any record of deletion will be kept in such a way that your data is anonymised.
11. Your Communication Preferences
- If you have provided us with your email address, we will use this as your preferred method of communication. To change this, please contact us.
- You can stop receiving our hard copy publications at any time simply by contacting us, without having to stop being a member, donor or volunteer. We may still need to contact you individually by post and by email regarding your membership to fulfil our contract with you.
12. Your Rights
If we are holding your personal data, under GDPR you have the following rights:
• Right of access – to request a copy of your data
• Right of rectification – to correct data that we hold about you that is inaccurate
• Right to be forgotten – to be erased from our records
• Right to restriction of processing – to restrict the processing
• Right of portability – to have the data we hold transferred to another organisation
• Right to object – to object to certain types of processing such as direct marketing
• Right to object to automated processing, including profiling – not to be subject to the legal effects of automated processing or profiling
You can cancel your membership at any time, and request that we no longer contact you. We will no longer send you publications or membership benefits as your contract with us will have ceased. To do this, email the Operations Manager on membership@fofc.org.uk or call the office on 0204 520 4458. In accordance with our Data Retention Policy we may be obliged to keep certain data; for example for Gift Aid purposes. We will always explain why this is.
Under GDPR right of access, you have a right to ask what personal data of yours is held by us, and to receive a copy of it within 28 days of making a Subject Access Request by email to membership@fofc.org.uk. (You will be required to prove your identity with an official document before we release personal data to you.)
If you have a complaint about our handling of your data you can contact the Data Controller / Data Processor on the details above. If you wish to complain to a supervisory authority you can do so by contacting the ICO at:
Information Commissioner's Office (0303 123 1113 (local rate) or 01625 545 745)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Adopted May 2018
Last reviewed December 2023