About us

What we believe


Other activities

To find us



Sermons Online

Christianity Explored

Church Video


Welwyn Evangelical Church - Data Protection Policy

The Data Protection Legislation ("the Legislation" see definition at end of this policy) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected. During the course of the activities of Welwyn Evangelical Church ("the Church"), the Church will collect, store and process personal data about our employee (the Pastor), members, people who attend our activities (and, where appropriate their parents and guardians), suppliers and other third parties.

People whose data is held by the Church are referred to as "Data Subjects". The Church Trustees (we) recognise that the correct and lawful treatment of this data will maintain confidence in the Church. This policy sets out the basis on which the Church will process any personal data the Church collects from Data Subjects, or that is provided to us by Data Subjects or other sources. The people who will process personal data on behalf of the Church will include employees, church officers, members, service providers and other third parties.

The Data Protection Compliance Manager is responsible for ensuring compliance with the Legislation and with this policy. The post is held by Anthony Hendley, Tel 01438 716183. E-mail tonyh0053@gmail.com. Post c/o Welwyn Evangelical Church, Fulling Mill Lane, Welwyn, Herts AL6 9NH.

Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager.

Processing Personal Data

All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy may result in disciplinary action.

Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data.

Personal data is data relating to a living individual. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Examples of personal data are employee details, including employment records, names and addresses and other information relating to individuals, including supplier details, any third party data and any recorded information including paper and electronic documents and emails.

The people who will process personal data on behalf of the Church will only do so:

  • If they have consent to do so; or
  • If it is necessary to fulfil a contractual obligation or as part of the employer/employee relationship; for example, processing the payroll
  • If the processing is necessary for legitimate interests pursued by the Church, unless these are overridden by the interests, rights and freedoms of the Data Subject.

If none of these conditions are satisfied, individuals should contact the Data Protection Compliance Manager before processing personal data.

Compliance with the Legislation

Anyone who has responsibility for processing personal data on behalf of the Church must ensure that they comply with the data protection principles in the Legislation (see definition at end of policy). These state that personal data must:

  • be obtained and used fairly and lawfully and transparently
  • be obtained for specified lawful purposes and used only for those purposes
  • be adequate, relevant and not excessive for those purposes
  • be accurate and kept up to date
  • not be kept for any longer than required for those purposes (see Retention Policy)
  • be used in a way which complies with the individual's (Data Subject's) rights (this includes rights to prevent the use of personal data which will cause them damage or distress, to prevent use of personal data for direct marketing, and to have inaccurate information deleted or corrected)
  • be processed in a manner that ensures its security (see Information Security Policy).
Anyone who has responsibility for processing personal data on behalf of the Church should follow the Data Breach Procedure if they think they have accidentally breached any provision of this Data Protection Policy.

Sensitive Data

The Church will ensure that sensitive data is accurately identified on collection so that proper safeguards can be put in place. Sensitive data is a subset of Personal data and may include information relating to an individual's

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Physical or mental health
  • Sexual life
  • Criminal offences.

Sensitive data may be processed in the course of our legitimate activities, but may not be passed to any third party without the express consent of the Data Subject.

Monitoring the use of Personal Data

We are committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end the following steps will be taken:

  • anyone who will process personal data will be made aware of data protection issues and best practice;
  • anyone who will process personal data on a regular basis or who will process sensitive or other confidential personal data will be more closely monitored;
  • anyone who is processing personal data on behalf of the Church will receive training and documentary guidance to ensure that the processing complies with this policy. The Church will ensure that any inaccurate, excessive or out of date data is disposed of in accordance with this policy;
  • Spot checks may be carried out;
  • An annual report will be produced by the Data Protection Compliance Manager. The report will indicate the level of compliance with or variance from good data protection practices. Data breaches will be recorded and lessons learned.
  • Data breaches will be recorded and investigated to see what improvements can be made to prevent recurrences

Handling Personal Data and Data Security

This will be managed in accordance with our Information Security Policy.

The Rights of Individuals (Data Subjects)

The Legislation gives individuals (Data Subjects) certain rights to know what data is held about them and what it is used for. If personal data is collected directly from an Individual (Data Subject) we will inform them in writing of their rights by providing them with a "Privacy Notice" at the time the personal data is collected or as soon as possible afterwards.

In principle everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in the data held about them corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.

Any request for access to data under the Legislation should be made to the Data Protection Compliance Manager. In accordance with the Legislation the Church will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request (where permitted under the Legislation, we may take a further 30 days to respond but we will inform the individual of why this is necessary).

  When a written data subject access request is received the Data Subject will be given a description of a) the personal data, b) the purposes for which it is being processed, c) those people and organisations to whom the data may be disclosed, d) be provided with a copy of the information.

Definition of Data Protection Legislation

In this policy "Data Protection Legislation" or "Legislation" means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), the General Data Protection Regulation (GDPR), any laws in the UK enacting the GDPR or preserving its effect in whole or in part following the departure of the UK from the European Union and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, together with, where applicable, the guidance and codes of practice issued by the Information Commissioner's Office.

Changes to this policy

The Church reserves the right to change this policy at any time. Where appropriate Data Subjects will be notified of those changes by mail or email.

download PDF