Data Protection policy (PDF)

Nomade (Jaume Plensa 2007)This policy is updated from time to time. We also have an explanatory leaflet about the General Data Protection Regulation (“GDPR”), and if you would like the entire text then that’s available too. We hold personal data for a variety of purposes. If you have registered as a member of the community and have access to the members’ information pages then we make some of your data available to you automatically so that you don’t have to ask for it.

The lawful basis for processing any special category data, as specified in Article 9(2) of GDPR, is that processing is carried out in the course of our legitimate activities with appropriate safeguards. We are a not-for-profit body with a religious aim. The processing relates to the members or to former members of the Ordinariate community in Eastbourne or to persons who have regular contact with us in connection with our purposes, or to others who have given their permission (for example in relation to pastoral concerns). Personal data will not be disclosed to organisations outside the Eastbourne Ordinariate Mission without consent.

For the purposes of GDPR, the data controller of any data you provide for contact purposes, financial purposes or pastoral purposes is the pastor of the Eastbourne Ordinariate Mission, Fr Neil Chatfield. The data controller of Gift Aid data is the Ordinary of the Personal Ordinariate of Our Lady of Walsingham. The Eastbourne Mission doesn’t have a Data Protection Officer, but the person with day-to-day responsibility for your data is Andrew Leach. You can ask for information about your data by using the website contact form or by writing to us (using a stamp) at Eastbourne Ordinariate Mission, PO Box 3223, Eastbourne BN21 9RS. You have the right to make representations to the Information Commissioner, however it will be easier to answer queries and rectify any issues by raising them with us first.

You may request a copy of the data we hold, preferably in writing (which may be by email); please use the above address for postal queries. If you have consented to our holding contact data electronically, then you may access your data by logging into our website and going to the members’ information pages.

We retain your contact data while you maintain contact with the Ordinariate in Eastbourne, and for a period of two years after any contact is lost or for a longer period — either if you request it (for example, in order to maintain your access to community information on the website) or because you have posted or commented on this site. If you do not consent to our holding data electronically it will remove your access to the members’ information on the website and preclude contact by email. Gift Aid and other financial data is subject to statutory controls. Pastoral data is held for as long as pastorally necessary.

GDPR allows children under 16 to consent to their data being held provided their parents agree. Our contact details form allows adults to specify that this parental consent is not necessary. Children may tell us when they reach 16 in order that we know parental consent is no longer required.

Your data is held within the United Kingdom. Paper copies are retained securely. Where you have consented to holding contact data electronically, electronic copies are held in a system managed by Catalyst2, who have achieved ISO 27001 certification in data security. Gift Aid data is held by the Ordinariate centrally. Pastoral data is held securely by Fr Neil. Where it is necessary and you have consented to disclosing your personal data, we will use our best endeavours to ensure that the recipient treats it carefully. In the UK and the EU, GDPR applies.

A data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Immediately we become aware of a breach of security, we will assess its severity. A severe data breach (which will generally mean that something has happened to all the data we hold for a particular purpose, in one form or another) will be reported to the Information Commissioner within 72 hours. If your data is affected, you will also be informed.

You have the right to be “forgotten”, which means that we will stop processing your personal data if you ask us to. This may curtail access to services we provide. You can ask us to delete your personal data which we use for any or all of our specified purposes [contact, financial or pastoral]. Note that we may be required to keep some data in order to comply with other legislation, and certain matters of fact such as baptisms, weddings and central records of enrolling as a member of the Ordinariate cannot be redacted. If you wish to exercise your right to be forgotten, please put this request in writing to Eastbourne Ordinariate Mission, PO Box 3223, Eastbourne BN21 9RS. You are also advised to read the sections “Website authors”, “Comments” and “Reinstatement” below.

Contact data

Data you provide for contact purposes is processed to enable us to provide you with services including access to community pages on our website and information about us and activities which we host or which are hosted by partner organisations and consistent with our aims. We will not supply your personal data to partner organisations.

The lawful basis of holding contact data is consent, or (in the case of members of the Ordinariate within the community) that it is a legitimate activity. We hold the personal data which members of the community choose to supply to us in our Contact details form. We may also hold other data supplied to us, including whether someone is formally a member or an associate member of the Ordinariate of Our Lady of Walsingham. This is important as members of the Ordinariate have a role in the running of the organisation which Associate Members and others do not. Where permission has been given to hold contact data electronically, all the data we hold for contact purposes is made available to the individual member through the members’ pages of the website. Each member of the community can only access their own data and the form they signed. If you did not consent to electronic processing for contact purposes (and cannot access members’ pages on the website as a result), you can request a copy of your form either by using our Contact form or by writing to the address above.

Where you have access to the members’ pages of the website, you should also take care to safeguard access to your data, by not sharing, divulging or losing your password. Your data is available to you on the website, and if someone else has your password, your data is available to them as well. If you believe someone else knows your password, you can change it on the website. You can also ask for our assistance. If we believe someone else has access to your password (which we may deduce from website activity), we will change it and notify you.

Gift Aid and donations

The lawful basis for processing financial data is either consent or under a legal obligation to maintain lawful accounts.

Data you supply for Gift Aid purposes is processed under Gift Aid legislation for the purposes of reclaiming tax. This processing is done by the Ordinariate centrally. It is possible that your bank may supply our bank with your name as a payment reference, and this will appear on our bank statements. Bank statements are kept securely by the Treasurer, and retained for the life of the Mission bank account plus seven years.

Data about other donations (eg Mass stipends) is retained for as long as it is necessary to do so to satisfy accounting and tax legislation. If you make an automated donation (eg via PayPal or standing order or one-off Electronic Funds Transfer) then our bank may be supplied with your name as a payment reference, and this will appear on our bank statements. Bank statements are kept securely by the Treasurer, and retained for the life of the Mission bank account plus seven years.

You can request details of exactly what we hold as your personal data by using the Contact form or by writing to the address above. We don’t transfer bank data into the contact system and it’s not available on the website.

Pastoral concerns

The lawful basis for processing pastoral data is explicit consent or that it is in the course of legitimate activities.

Data you supply for pastoral purposes is processed for that purpose only and is kept only for as long as necessary, in accordance with GDPR and good practice. This may include a period to allow for follow-up pastoral care after a baptism, wedding or funeral or other pastoral contact.

If you did not supply data direct to Fr Neil then the person to whom you did supply it will pass it to him. If you supply the personal data of others then we receive it in good faith and assume that you have permission to pass it to us. You must ensure that any necessary conditions are communicated at the same time: for example, you can certify to us that a living beneficiary of a Mass is content that their name be published in connection with that Mass; this certification will be retained as evidence of that consent. If a living beneficiary of the Mass does not want their details published, the Mass will be published as a “Private intention”. You can also specify whether your own name should appear in any notice. Mass will be offered for your intention whether or not that intention or your own name is explicitly published.

Weddings, baptisms and other rites are public events.

You can request details of exactly what we hold as your personal data by using the Contact form or by writing to the address above. We don’t transfer pastoral data into the contact system and it’s not available on the website.

Website users

It is not necessary to log in to the website to view public pages. This is a WordPress website, and cookies may be set in order to help the site work correctly for you. We don’t track cookies, and while anonymous data is collected, it’s not possible to associate this with any one person. We record the internet address of visitors to the website and activity undertaken during a session.

For logged-in users, additional cookies may be set to make your session work. We don’t track these cookies either. Our website logs allow us to identify the activity of logged-in users, and we use this information to assess whether a security breach has occurred and a password may have been compromised.

Website authors

WordPress requires posts to be associated with an author, and authors must have accounts on the site in order to post. If you have written an article for the website, your name will be associated with that article. If you subsequently ask us to stop processing your data, we will remove your account and associate a fictitious name with your post in order that the post can be published correctly.

As stated in the footer of every page, copyright in all posts is assigned to the Eastbourne Ordinariate Mission. While posts will not normally be removed we are very happy to accede to authors’ assertion of their right to be identified as the author of a post. There is a potential conflict between the right to be identified and the right to be “forgotten” and where this conflict arises authors will need to take advice about what they ask us to do.

Comments

We need to process your personal data in order to process comments on posts on this site. Where we permit comments on posts on this site, you need to give us some personal data in order to comment. If you have logged into the website, the comment will be associated with your website account and can be removed if you request it. If you have been able to comment without logging in, we will need to verify that any request for removal comes from the right person.

Posts on the website are also posted to our Facebook page, and we may import comments made on the Facebook post and display them here. If you make a comment on Facebook, that comment will appear here along with personal information you have given Facebook. Even if you have an account on this site, there will be no connection between your comment and your website account (except that the name may appear to be the same). We have no information that “Jack Jones” who comments on Facebook is the same “Jack Jones” who has an account here.

Reinstatement

If you exercise your right to be forgotten (whether you have posted or commented on the site, or not) then your personal data will be removed. If you subsequently wish a website account to be re-created for you, you will get a new account and it will not be possible to create any association between the new account and posts, comments or any other data which might once have been associated with you.

Data Protection policy (PDF)

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and other information
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation
The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Processing is necessary for compliance with a legal obligation to which the controller is subject
Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
The data subject has given consent to the processing of his or her personal data for one or more specific purposes
Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
The data subject has given consent to the processing of his or her personal data for one or more specific purposes
Processing is necessary for compliance with a legal obligation to which the controller is subject
The data subject has given explicit consent to the processing of those personal data for one or more specified purposes
Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
Processing relates to personal data which are manifestly made public by the data subject
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
The data subject has given consent to the processing of his or her personal data for one or more specific purposes