Please read this Privacy Notice, together with any other privacy notice that we may provide to you, as it contains important information about how we collect, manage, use, disclose and protect your personal data. This Notice relates to your use of this website, any other websites we control (such as those run in partnership with our charges), interactions with us on social media, and opt-in of any ‘marketing’ type communications only. Please refer to any additional notices if you have any other contact with St James-the-Less (eg volunteering, employment, etc).
By accessing the http://stjamesthelesspenicuik.org website (the “site”) or otherwise providing information to us, you agree to our privacy practices as set out in this Privacy Notice. We may change this Privacy Notice from time to time. Please check this page frequently to ensure you are aware of the most recent version and the date that it was last updated. If you have any questions regarding this Notice, our privacy practices, or the information we hold on you personally, please contact us, marking your query for the attention of the Rector.
Last updated: October 2020.
We are committed to protecting and respecting your privacy and strive for privacy by default. This means we will only collect personal information in a way that is fair, lawful and limited to our needs for specific purposes. Those purposes will be shared with you when or before we collect your information and will be clear, limited and relevant to the circumstances. We will collect the minimum amount of information necessary for the task at hand and keep it only for as long as necessary to fulfill that task, then we will destroy it securely.
Our Annual Report and Accounts are published annually and can be made available on request. We also share blog posts and other news and resources on our websites. If you are a member of our congregation or of our linked charge of St Mungo’s Episcopal Church, West Linton, information about you may be contained within these documents and/or published on one of our sites. We may share your personal information within the Scottish Episcopal Church, including with the Diocese of Edinburgh if required to do so.
Sometimes we will share data with other third parties to enable us to carry out our business. They will always have been screened to ensure they comply with the relevant privacy regulations. We will NOT sell, trade, or rent your personal identification information to others.
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information.
You have a number of rights over how we collect, hold, process and delete your data. If you would like to exercise any of these rights please contact us using the details set out in the Contact Us section of this website, or at the bottom of this Notice.
The following topics are covered in this Privacy Notice:
- Who we are
- What personal data we collect and why we collect it
- Personal identification information
- Non-personal identification information
- Contact forms
- Embedded content from other websites
- How we use collected information
- Communications with you
- Who we share your data with
- International transfers of personal data
- Third party websites
- For users who register with any of the websites under our control
- What is our legal basis for using your information?
- How long we retain your data
- What rights you have over your data
- Ensuring the accuracy of your data
- How we protect your data
- Contact Us
Who we are
This is the website for St James the Less Episcopal Church, Penicuik. We are a registered Scottish Charity (Number: SC011288), and part of the Scottish Episcopal Church in the Diocese of Edinburgh.
Our Rector and Vestry are the ‘data controller’ of the personal data that you provide to us. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
What personal data we collect and why we collect it
Personal identification information
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you. What information we collect will depend on your interactions with us.
We may collect personal identification information from you in a variety of ways, including, but not limited to, when you visit our site, fill out a form, respond to a survey, or interact with us on social media, and in connection with other activities, services, features or resources we make available on our site. You may be asked for, as appropriate, name, address, email address, phone number, as well as anything else necessary to perform the task at hand (eg data for inclusion in a Congregational initiative or feedback about an event).
You may, however, visit our site anonymously and may never be asked for this information. We will collect personal identification information from you only if you voluntarily submit such information to us. You can always refuse to supply personal identification information, but doing so may prevent you from being able to access certain functions on the site.
Non-personal identification information
We may collect non-personal identification information about you whenever you interact with our site. Non-personal identification information may include the browser name, the type of computer and technical information about how you connect to and interact with our site, such as the operating system, Internet service provider, length of visits to certain pages, and other similar information.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you submit a form or complete a survey, the contents are often transferred to one of the third parties we use to help us process data (eg Google, MailChimp, SurveyMonkey). We only ever use suppliers who are also compliant with the required levels of privacy.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist until you log out. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
How we use collected information
We use information held about you in the following ways:
- To run, operate and improve our site, we may need your information to display content on the site correctly. We may use feedback you provide to improve our resources and services, to ensure that content is presented in the most effective manner for you and for your computer. We may use your information for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- To send periodic emails. We may use your email address to respond to your inquiries, questions, and/or other requests. We may use your email address to notify you about changes to our events, services, or resources.
- To fundraise and promote our interests. If you have opted-in, we may use your email address to provide you with information about our news, events, resources, activities and appeals, including our newsletters.
We may combine this information with other information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above and for the following purposes (depending on the types of information we receive):
- To maintain our own accounts and records (including the processing of gift aid applications and the maintenance of our directory and charges’ details)
- To understand our donor demographic
- To consider your application for employment
- To process and administer your request for any form of grant
- To enable us to provide a voluntary service for the benefit of the public
- To establish, exercise or defend legal claims.
Communications with you
We may, with your consent, text or e-mail you to provide you with promotional information about our activities and appeals or provide you with our e-mail newsletter, which is used to inform you about news, events and activities taking place within St James-the-Less, Penicuik Churches Together, the Diocese of Edinburgh and the wider Scottish Episcopal Church. You can un-subscribe at any time by contacting us in writing.
We may occasionally, with your consent, call you to provide you with information about our activities and appeals or provide you with information about services provided by us. You may unsubscribe from calls by instructing the person calling you or by contacting us at any time.
We may also communicate with you through postal marketing when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing you with information on our appeals, membership, services, fundraising, newsletter requests, feedback, competitions and other activities and those of other carefully selected organisations. You have the right to contact us at any time and opt-out of receiving such communications.
Who we share your data with
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information.
Our Annual Report and Accounts are published annually and are made available to the public on request. We also share blog posts and other news and resources on our websites. If you are a member of one of our congregations, information about you may be contained within these documents and/or published on one of our sites.
We will NOT sell, trade, or rent your personal identification information to others. We may share your personal information within the Scottish Episcopal Church and the Diocese of Edinburgh where appropriate and we have your permission.
We may use third party service providers to help us conduct our business, to operate our websites or administer activities on our behalf. We may share your information with these selected third parties for these limited purposes, including:
- When we use other companies to provide services on our behalf, e.g. processing, mailing or delivering orders, answering customers’ questions about products or services, sending mail and emails, customer analysis, assessment and profiling, detecting spam, when using auditors/advisors or processing credit/debit card payments.
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
- If we run an event in partnership with other named organisations your details may need to be shared. We will be very clear what will happen to your data when you register.
- If we merge with another organisation or form a new entity, your personal data may be transferred to that new entity.
We may disclose your personal information to third parties to:
- Comply with any court order or other legal obligation or when data is requested by government or law enforcement authorities;
- Protect the rights, property, or safety of us, our employees or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We may share generic aggregated non-identifiable information regarding visitors and users with our partners, trusted affiliates and advertisers.
For users who register with any of the websites under our control
For users that register on one of our websites (if any), we also store the personal information you provide in your user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
International transfers of personal data
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) for the purposes described in this policy. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.
If we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law, for example we may use the model contracts in a form approved by regulators. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.
Third party websites
You may find advertising or other content on our site that links to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our site, is subject to that website’s own terms and policies.
What is our legal basis for using your information?
There are a number of lawful reasons for us to process your personal data.
One of these is called ‘legitimate interest’ and means that we can process your personal data if (i) we have a genuine and legitimate reason; and (ii) are not harming any of your rights and interests.
We will use your personal data for the purposes of administration, fundraising, processing donations, training staff, clergy and other authorised ministers, our charity work, promoting the church and supporting our clergy and vestry.
Whenever we process your personal data for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection law.
Other legal bases that we may rely on include:
- If you enter into a contract with us, we may process your personal data in order to fulfil our contract with you.
- If we are providing you with promotional e-mail communications, we will only do so with your consent. If you have given us your consent, you can withdraw your consent at any time by clicking on the “unsubscribe” link at the bottom of the emails or using the details in the Contact Us section of this website, or at the bottom of this Notice.
- Where we are required to comply with our legal obligations, to establish and defend our legal rights, or to prevent and detect crimes such as fraud.
Where we use special categories of personal data, for example, information about your health or religious information, we may ask for your consent to such use.
Sometimes your personal data may be used for statistical purposes but only in a form that no longer identifies you.
How long we retain your data
We will hold your personal data on our systems for as long as is necessary to fulfil the purposes that we collected it for, including for the purposes of satisfying any legal, accounting or other reporting requirements.
By law, we are required to retain certain information for a prescribed period of time. For example, we will keep a record of donations subject to gift aid for at least seven years to comply with HMRC rules. In circumstances where there are no such legal requirements, to determine the appropriate retention period, we will consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we are processing your personal data and whether we can achieve those purposes through other means.
Therefore, some information may be kept for more or less time depending on how long we reasonably feel it is required for. If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
We review our retention periods for personal data on a regular basis.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
If you ask us to delete your information in accordance with your rights set out below, we will retain basic information on a suppression list to record your request and to avoid sending you unwanted materials in the future.
What rights you have over your data
You have a number of rights. If you would like to exercise any of these rights, please contact us using the details set out in the Contact Us section of our website, or at the bottom of this Notice. If you exercise any of these rights we may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge except in exceptional circumstances.
If you wish to raise a complaint in relation to our processing of your personal data, you can contact us at email@example.com or by writing to St James the Less, 23 Broomhill Road, Penicuik, Midlothian, EH26 9EE and marking your query for the attention of the Rector. If you are not satisfied with our response or believe that we are not processing your personal data in accordance with the law, you also have the right to lodge a complaint with the data protection regulator, the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at: https://ico.org.uk/global/contact-us/.
Your rights include:
- transparency over how we use your data and to make a subject access request (right of access);
- a right to have your personal data updated and corrected (right of correction/rectification);
- a right to ask us to delete your information (right to be forgotten);
- a right to ask us to stop processing your information (right to restriction);
- a right to object to (i) processing based on our legitimate interests; (ii) processing of your information for direct marketing purposes; and (iii) automated decision making and profiling (right to object);
- a right to receive a copy of your information, or have this sent to a third party (right to data portability); and
- a right to claim compensation for material or non-material damage caused if we breach the data protection rules (right to compensation).
If you would like to find out more about your rights, you can visit the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr).
Ensuring the accuracy of your data
We strive to maintain accurate, complete, and relevant personal information for the purposes identified in this privacy statement. If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it. It is important that the personal information we hold about you is accurate and current.
How we protect your data
We have implemented reasonable measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration and disclosure. Details of these measures can be obtained on request.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Our security measures are reviewed regularly.
If you have any questions regarding this Notice or about our privacy practices, wish to exercise any of your rights, or to make a complaint, please contact us at:
- Post: St James the Less Episcopal Church, 23 Broomhill Road, Penicuik, Midlothian, EH26 9EE
- Telephone: 01968 678254
- E-mail: firstname.lastname@example.org