Friends of Friendless Churches
2. Data Controller & Data Processor
The Assistant Director of the Friends of Friendless Churches is both Data Controller (responsible for determining data processing and data protection requirements) and Data Processor (responsible for carrying out the processing of data on behalf of the Data Controller).
3. Your Membership Data
- We collect your data when you join via a paper membership form or via our website membership signup form (or if someone enrols you on your behalf, as in the case of Gift Membership). We ask for your full name, postal and billing addresses, and email. We also collect bank details for Direct Debit on paper mandate forms, and via online and phone collection methods.
- We will only use your data to manage your membership and associated benefits, including sending you news and publications, and organising AGMs and other events. We may send out membership communications by email and by post, including renewal reminders.
- We will not use or sell your personal data for any other purposes, such as profiling.
4. Donor and Volunteer Data
- If you provide your personal details along with a monetary donation to the Friends of Friendless Churches, or as part of volunteering your time or services, we will keep a record of your personal details alongside your contribution. We may use this information to claim Gift Aid. If you tell us about potential future donations you intend to make, including legacies, we will keep a record of this information.
5. Website Visitor Data
- If you navigate to an external website via a link on our site, it will not be covered by our data policy.
6. Newsletter Subscriber Data
7. Lawful Basis for Processing
- Membership records: we hold data you have volunteered on or since joining as a member to fulfil our contract with you, whereby you pay a membership subscription and we enrol you as a member of the Friends of Friendless Churches. This is a ‘contractual basis.’
- Hard copy mailing list: we use the lawful basis of ‘legitimate interest’ to send you publications, notify you of events, and include occasional hard copy inserts with our newsletter where we feel they are of genuine benefit to members. We may send postal mailings to data subjects who are current or previous volunteers or donors on the basis of ‘legitimate interest’ if we have reason to believe they wish to hear more about our work. We have conducted a Legitimate Interest Assessment prior to adopting this lawful basis for processing.
- Email list: We may use the lawful basis of ‘legitimate interest’ to send members news about our work via email as part of the benefits of membership. Members will have the opportunity to unsubscribe from news at any time. We also use this basis to email donors, volunteers and fundraisers where we have reason to believe they wish to hear more about our work.
- : we may send email content on matters such as fundraising or campaigning to subscribers who have signed up via the newsletter signup form on our website. In this case, data will be processed using the lawful basis of ‘consent’ and such consent will be explicit, opt-in, and freely given.
8. Sharing Your Data
- We will never share your details with any third party for marketing or profiling purposes.
- We only share data when processing by another party is necessary in relation to a contract which you have entered into. We have written agreements with our mailing house, and our IT Consultant, Posix Ltd, to ensure they are compliant with GDPR and our Data Protection Policy, and that your data will not be sold, shared or kept on file indefinitely.
- We use RSM2000 to process Direct Debit payments securely on our behalf. We have a written contract with RSM2000 covering the use of personal data and have performed due diligence in verifying their compliance with GDPR.
9. Data Storage & Security
- Access to our Beacon database is password-protected with dual-authorisation for login, and access is restricted to employees who process the data as part of their job description.
- Antivirus software is kept up-to-date and monitored remotely by Posix Ltd.
- Any hard copies of membership data, e.g. membership forms, are stored securely, and disposed of confidentially.
- Any hard copies of payment data, e.g. Direct Debit forms, are stored securely and retained only for the duration required for processing.
10. Data Retention
- We will process your data during your membership period or period of active volunteering or donating, and won’t keep your data for longer than necessary after you stop being a member, donor or volunteer.
- If you cancel your membership, we may need to retain your details for our records for a limited amount of time. HMRC regulations require us to keep data on Gift Aided payments for 6 years from the end of the financial year they relate to. We have therefore set a maximum Data Retention limit on personal data of 7 years, after which your data will be routinely deleted if you are no longer an active member, donor or volunteer.
- We may retain a limited amount of data after this date, such as your name and dates of membership, to help us keep complete historical records of membership to inform our activity. This applies unless you ask to be erased from our records (see 12. Your Rights, below).
- If you ask to be erased from our records, any record of deletion will be kept in such a way that your data is anonymised.
11. Your Communication Preferences
- If you have provided us with your email address, we will use this as your preferred method of communication. To change this, please contact us.
- You can stop receiving our hard copy publications at any time simply by contacting us, without having to stop being a member, donor or volunteer. We may still need to contact you individually by post and by email regarding your membership to fulfil our contract with you.
12. Your Rights
If we are holding your personal data, under GDPR you have the following rights:
• Right of access – to request a copy of your data
• Right of rectification – to correct data that we hold about you that is inaccurate
• Right to be forgotten – to be erased from our records
• Right to restriction of processing – to restrict the processing
• Right of portability – to have the data we hold transferred to another organisation
• Right to object – to object to certain types of processing such as direct marketing.
• Right to object to automated processing, including profiling – not to be subject to the legal effects of automated processing or profiling.
You can cancel your membership at any time, and request that we no longer contact you. We will no longer send you publications or membership benefits as your contract with us will have ceased. To do this, email the Assistant Director on email@example.com or call the office on 020 7236 3934. In accordance with our Data Retention Policy we may be obliged to keep certain data; for example for Gift Aid purposes. We will always explain why this is.
Under the GDPR right of access, you have a right to ask what personal data of yours is held by us, and to receive a copy of it within 28 days of making a Subject Access Request by email to firstname.lastname@example.org. (You will be required to prove your identity with an official document before we release personal data to you.)
If you have a complaint about our handling of your data you can contact the Data Controller / Data Processor on the details above. If you wish to complain to a supervisory authority you can do so by contacting the ICO at:
Information Commissioner's Office (0303 123 1113 (local rate) or 01625 545 745)
Adopted May 2018
Last reviewed September 2021