C3 Privacy Policy
At The C3 Church (C3), we are committed to protecting and respecting your data privacy. This policy outlines the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following to understand our processes regarding your personal data and how we will treat it.
Our principles
We will only process your data for purposes that are legal and fair. All processing undertaken will be necessary to achieve the purpose for which it was collected. We will make you fully aware of the extent of C3's processing of personal data at the point of collection in a transparent and easy to understand way. We will also inform you of the possible trusted third-party recipients of your data and will provide you with the safeguards and controls applied to the processing and retention of your data.
Your data will only be processed for the specific and legitimate process for which it was collected. If C3 propose to use your data for a different purpose, we will seek to obtain your consent.
We will endeavour to use anonymised data where possible. If your data is found to be inaccurate, it will be corrected as soon as reasonably possible.
We will not store your data longer than is needed for the legitimate activity for which it is held. Data retention periods for each type of data are held centrally by C3 and are in line with legal requirements.
C3 will ensure your data is protected against unauthorised use and accidental loss, destruction or damage. We also keep your data confidential. It will not be disclosed to unauthorised third parties without a clear reason and in accordance with the consent you give.
When we process your data
We ensure data is only processed when it satisfies one of a number of legal conditions.
We will only process your data when you have freely given specific, informed and clear agreement. You are able to withdraw this consent at any time. Whenever you give consent, we will keep a record of when and how this was given.
If you are a guardian of a minor, we will only process the data of the minor when you have freely given specific, informed and clear agreement. You are able to withdraw this consent at any time. Where possible, we will also ensure that consent documentation is appropriate for the minor, so that they can also understand our requirements for consent. Whenever you give consent, we will keep a record of when and how this was given.
We will never process your data if there is any reason to believe that doing so would prejudice you.
Day to day activities at C3 may require the processing of sensitive data. All sensitive data will be handled in accordance with legal requirements, best practice and the appropriate safeguards.
Your data rights
You have the right to request information about whether your personal data is processed by, or on behalf of C3. This includes the right to be provided with a copy and a description of the data in a clearly understandable format.
You have the right to require C3 to correct any inaccurate information held about you. If you request a change to your data, it will be actioned as soon as is reasonably possible once your identity has been verified.
You can request all personal data relating to you is deleted where it is no longer needed by C3 for the purposes for which it was collected.
You can request that C3 stop processing personal data where your interests override that of C3. This does not apply if C3 are required by law to process your data.
At any time, you can object to the use of your data for the purposes of marketing events, opportunities and activities by C3 or its partners. A record of your objection will be held in C3 systems in order to exclude your data from further communications.
How we process your data
We email you to keep you up to date with events and activities at C3. This data is held in our main church database and in specialised communication platforms.
We keep a record of events, courses and groups you have registered with and the dates you attended. We may contact you about upcoming activities which may be of interest to you.
We hold historical financial data, in accordance with law, if you regularly give, have donated or purchased anything through our shop or trusted partners.
If you are on a team or volunteer in any of our outreach initiatives, we keep rota information and other data to help us to manage your time, involvement and progression.
If you receive any of our specialist services, such as pastoral or ministry support, we may keep confidential data on this in compliance with government regulations.
If provided with consent, we hold sensitive data regarding allergies or special medical requirements.
Youth and Kids data (aged 13 or under) is held with guardian consent for all of the above activities and is also used to connect with Youth over social media and messaging software.
Recording visitor details: how we use your information
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers, volunteers and visitors who come onto our premises for the purpose of contact tracing.
By maintaining records of staff, customers, volunteers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer/visitor of The C3 Church you will be asked to provide some basic information and contact details. The following information will be collected:
- the names of all customers, volunteers or visitors, or if it is a group of people, the name of one member of the group
- a contact phone number for each customer, volunteer or visitor, or for the lead member of a group of people
- date of visit and arrival time and departure time
The C3 Church as the data controllers for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time we hold the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.
The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from The C3 Church, that it holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer, volunteer or visitor at The C3 Centre reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer, visitor or volunteer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
We will either require you to pre-book appointments for visit, complete a form on arrival or ask you to check-in using the NHS Test & Trace QR code.
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulations Article 6 (1) (c) – a legal obligation to which we as a The C3 Church are subject to. The legal obligation to which we’re subject, means that we’re mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of corona virus.
By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you.
You have the right to request that we erase personal data about you that we hold (although this is not an absolute right).
You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances.
You have the right to object to processing of personal data about you on grounds relating to your particular situation (also again this right is not absolute).
If you are unhappy or wish to complain about how your information is used, you should contact a member of staff in the first instance to resolve your issue.
If you are still not satisfied, you can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk.
How to contact us
If you have any questions regarding this policy or the processing of your data, please contact:
The Data Protection Officer
The C3 Church
Brooks Road
Cambridge
CB1 3HR
gdpr@thec3.uk
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on thec3.uk/privacy . This privacy notice was last updated on 28th September 2020.